Policlinico Casilino di Roma (the controller) – €30,000 Fine (Italy, 2022)
Policlinico Casilino di Roma was fined for requiring patients to show a Covid pass to access its outpatient clinic. The Italian data protection authority found this requirement did not have a proper legal basis. This case highlights the importance of having clear rules when it comes to health-related data access.
What happened
Policlinico Casilino di Roma required patients to present a Covid pass to access outpatient services.
Who was affected
Patients seeking outpatient services at Policlinico Casilino di Roma were affected by this requirement.
What the authority found
The authority ruled that the requirement for a Covid pass lacked a valid legal basis under data protection rules.
Why this matters
This ruling emphasizes that healthcare providers must ensure their data access policies comply with legal requirements. It serves as a reminder for all businesses to review their practices regarding user consent.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The Italian DPA received a report from a data subject stating that the Policlinico Casilino di Roma (the controller) exclusively permitted Covid pass holders to access its outpatient clinic. Following this, the DPA started an investigation into the matter. It noted that this indication was also reported on the controller's website and thus requested additional information from the controller.
The controller submitted that it carried out real-time measurement of body temperature and required the voluntary presentation of the patients' Covid Certification, resulting from a negative swab result (done in the previous 48 hours), to safeguard public health and safety within the hospital. However, even if the patient did not have a Covid pass, the healthcare service would still be provided in compliance with prescribed protocols. The legal basis for the processing was to be found in the (verbal) consent of the person concerned given by voluntarily exhibiting the Covid certification. The healthcare service had to ensure that such a process was communicated by web communication, posters in the structure, and/or by the operator indicating it during the service booking.
The DPA noted that the requirement that all patients going to the controller's outpatient clinics be in possession of a Covid pass lacked a proper legal basis, given that such a restriction was not provided for by the sectoral rules. Indeed, the sectoral rules did not provide for Covid certification to be required for health needs, for which access is always permitted for the procurement of drugs and medical devices and, in any event, for any purpose of medical treatment. Moreover, the DPA pointed out that possession of the Covid certificate did not prove immunity to the virus and therefore pointed out the disproportionality of the measure adopted by the controller according to which staff were provided with specific personal protective equipment only if in contact with data subjects who did not have Covid c
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Policlinico Casilino di Roma (the controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
20 October 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€30,000
GDPRhub ID
gdprhub-5491
Cite as: Cookie Fines. Policlinico Casilino di Roma (the controller) - Italy (2022). Retrieved from cookiefines.eu