XX (data subject) – Complaint Upheld (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A complaint was upheld by the Italian DPA regarding the publication of personal data about a person and their son on a municipal website. Although the data was eventually removed, the case shows the challenges of balancing transparency and privacy. It serves as a reminder for organizations to be cautious when sharing sensitive information, especially about minors.
What happened
The Italian DPA upheld a complaint about personal data concerning a person and their son being published online without proper consent.
Who was affected
The person who filed the complaint and their minor son were affected by the publication of sensitive information.
What the authority found
The DPA noted that the municipality had removed the contested data but still found issues with how personal information was handled.
Why this matters
This ruling highlights the need for organizations to ensure that personal data, especially about minors, is protected and not disclosed without consent. It encourages better practices in data management.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
The Italian DPA received a complaint from the data subject concerning the dissemination of personal data concerning him and his son as well as information on his son’s injuries following a fall inside his school. These pieces of information were published in a Council resolution on the municipality of Brindisi’s website. The data subject had already requested the controller to remove any data from its website which could directly trace back to his minor son’s identity and pathology and republish it in compliance with the rules in force. The controller directly acted upon this request and deleted the resolution from its Municipal Notice Board. However, information on the legal proceedings including names and the circumstance of the existence of these legal proceedings could still be found in the subject of the resolution on the controller’s website. 2 years later there was no contest from the data subject to the controller, however the data subject lodged a complaint with the Italian DPA. The Italian DPA considered the fact that the controller had already removed the full text of the contested resolution from the web as requested by the data subject and that it kept the contested personal data included in the subject of the resolution only by mere mistake. Moreover, the controller asked to take into consideration the objective difficulty of sometimes balancing transparency and the protection of personal data. It pointed out the existence of a need, for the purposes of transparency of administrative action, to leave public the subject of the resolution with the names of the parties in clear; as well as the large number of acts to be published online. The Italian DPA held that the need for transparency could be achieved without disseminating online the personal data of the parties involved in the proceedings and therefore held that the controller breached Article 5(1)(c) in that it was inconsistent with the principle of data minimisation since the data were not li
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for XX (data subject) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. XX (data subject) - Italy (2022). Retrieved from cookiefines.eu
Last updated: