Policlinico Casilino di Roma (the controller) – €30,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Policlinico Casilino di Roma was fined for requiring patients to show Covid passes to access its outpatient clinic. This is significant because it shows that healthcare providers must have a valid legal basis for their data collection practices, especially during health crises.
What happened
Policlinico Casilino required patients to present Covid passes for outpatient services without a proper legal basis.
Who was affected
Patients seeking outpatient services at Policlinico Casilino.
What the authority found
The Italian DPA ruled that Policlinico Casilino lacked a valid legal basis for requiring Covid certification from patients, violating GDPR rules.
Why this matters
This ruling emphasizes that healthcare providers must ensure their data collection practices comply with legal standards. It encourages all businesses to review their data requirements to avoid similar violations.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The Italian DPA received a report from a data subject stating that the Policlinico Casilino di Roma (the controller) exclusively permitted Covid pass holders to access its outpatient clinic. Following this, the DPA started an investigation into the matter. It noted that this indication was also reported on the controller's website and thus requested additional information from the controller.
The controller submitted that it carried out real-time measurement of body temperature and required the voluntary presentation of the patients' Covid Certification, resulting from a negative swab result (done in the previous 48 hours), to safeguard public health and safety within the hospital. However, even if the patient did not have a Covid pass, the healthcare service would still be provided in compliance with prescribed protocols. The legal basis for the processing was to be found in the (verbal) consent of the person concerned given by voluntarily exhibiting the Covid certification. The healthcare service had to ensure that such a process was communicated by web communication, posters in the structure, and/or by the operator indicating it during the service booking.
The DPA noted that the requirement that all patients going to the controller's outpatient clinics be in possession of a Covid pass lacked a proper legal basis, given that such a restriction was not provided for by the sectoral rules. Indeed, the sectoral rules did not provide for Covid certification to be required for health needs, for which access is always permitted for the procurement of drugs and medical devices and, in any event, for any purpose of medical treatment.
Moreover, the DPA pointed out that possession of the Covid certificate did not prove immunity to the virus and therefore pointed out the disproportionality of the measure adopted by the controller according to which staff were provided with specific personal protective equipment only if in contact with data subjects who did not have Covid c
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Policlinico Casilino di Roma (the controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
20 October 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€30,000
GDPRhub ID
gdprhub-5491
Cite as: Cookie Fines. Policlinico Casilino di Roma (the controller) - Italy (2022). Retrieved from cookiefines.eu