Il Sole 24 Ore S.p.a. – €40,000 Fine (Italy, 2022)

The controller was a daily newspaper. The data subjects were a homosexual couple and their adopted child. The controller published an article covering a court case relating to the data subjects, mistakenly attaching documents that contained the data subjects' personal data. The data subjects requested that the data be deleted, and the controller complied a day later. Before the article was removed from the controller's website, it received nineteen unique visitors. The controller did not respond to further data access requests regarding the identities of the recipients of the personal data, arguing that its prompt removal of the article made any further response unnecessary. The Italian DPA (Garante per la protezione dei dati personali - GDPD) found that the controller had violated Article 5 and Article 9 GDPR; it fined the controller €40,000, balancing, among other things, the sensitive nature of the data disclosed (sexual orientation, data relating to the adoption of a minor) and the negligent nature of the infringement against the controller's journalistic purpose and prompt measures to eliminate the consequences of the breach. The GDPD also issued a warning for failure to respond to the data subjects' requests for access, inviting the controller to implement additional measures to guarantee the effective exercise of future data subjects' rights under Article 12 GDPR.