Società Ospedale San Raffaele srl – €70,000 Fine (Italy, 2022)

Fine: €70,000
Authority: Garante per la protezione dei dati personali
Date: 28 April 2022
Country: Italy
Status: final
Category: ePrivacy
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Società Ospedale San Raffaele srl was fined for revealing patients' email addresses in newsletters. The hospital argued that the breach was minor, but the DPA disagreed, stating that email addresses are personal data. This ruling stresses the need for strict data security measures in healthcare settings.

What happened

Società Ospedale San Raffaele srl exposed email addresses of patients by using an open distribution list for newsletters.

Who was affected

Patients and caregivers whose email addresses were visible to all recipients of the newsletters.

What the authority found

The Italian DPA found that the hospital failed to protect personal data, violating data protection rules regarding confidentiality and security.

Why this matters

This case reinforces the necessity for healthcare providers to adopt robust data protection practices. Organizations must ensure that all communications safeguard personal information.

GDPR Articles Cited

AI-verified against the source document:

Art. 9 GDPR
Art. 5(1)(f) GDPR

Original data from the scraper, before AI verification against the source document:

Art. 4(1) GDPR
Art. 4(15) GDPR
Art. 5(1)(f) GDPR
Art. 6(1) GDPR
Art. 9 GDPR
Art. 58(2)(i) GDPR
Art. 83(1) GDPR
Art. 83(2) GDPR
Art. 83(5) GDPR

Source verified 3 April 2026 (articles corrected, scope corrected)

Full Legal Summary

The controller is Società Ospedale San Raffaele srl (a hospital). The data subjects are the patients of the hospital. The controller notified the DPA of two data breaches. The email addresses of (1) 499 recipients of a newsletter from the Neurology Operative Unit and (2) 90 recipients of a newsletter from the Transplant and Metabolic-Bariatric Surgery unit were placed in the CC field instead of the BCC field. This exposed the email addresses of all recipients to each other.

The controller stated that, because of the limited scope of the violation, there was no concrete risk for the rights and freedoms of the data subjects. It further argued that 193 email addresses did not contain references to any names, so they were not personal data. The controller also stated that the breach happened due to human error. The controller adopted new technical and organisational measures to ensure data security. These included additional training, possible disciplinary sanctions against the person responsible and/or their superior, and the establishment of a working group supervised by the DPO to implement these measures.

Regarding the controller's argument that the scope of the violations was limited, the DPA noted that (1) an email address is in itself personal data, even without references to names. Moreover, (2) the data included health data (Article 4(15) GDPR), as the newsletters were sent to patients of the respective medical facilities, thus revealing possible information about their health. The DPA noted that the processing of health data can carry significant risks for the fundamental rights and freedoms of data subjects. There was no legal basis for the processing activities. The DPA therefore held that the controller violated Article 5(1)(f) (principles of integrity and confidentiality) and Article 9 by communicating personal data, including health data, to third parties without a legal basis. The DPA fined the controller € 70,000. When deciding the fine, the DPA took the unintentional nature of the breach, the addi

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Società Ospedale San Raffaele srl in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 28 April 2022
Authority: Garante per la protezione dei dati personali
Fine Amount: €70,000
GDPRhub ID: gdprhub-5024

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Società Ospedale San Raffaele srl - Italy (2022). Retrieved from cookiefines.eu
