XX (the data subject) – €5,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Fondazione Teatro Regio di Torino was fined EUR 5,000 for publishing personal information about a former employee without proper justification. This incident shows the importance of respecting individuals' privacy in public communications.
What happened
Fondazione Teatro Regio di Torino published sensitive decisions about a former employee's illness and responsibilities without proper consent.
Who was affected
The former employee, whose personal information was published, was affected by this breach of privacy.
What the authority found
The Italian data protection authority found that the organization failed to comply with data protection rules regarding the publication of personal information.
Why this matters
This ruling serves as a warning for organizations to be cautious when sharing personal information publicly. Businesses must ensure they have a valid reason to disclose such data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
Fondazione Teatro Regio di Torino (the controller) is a non-profit opera organisation which was also involved in public procurement procedures. A former employee (the data subject), was in charge of two tender procedures. However, due to illness she could no longer be part of these biddings. In relation to this, the controller published on its website several decisions containing personal data of the data subject. These decisions addressed the replacement of the data subject from the responsibilities assigned to her in the tender procedures due to sickness. They also contained the data subject's illness certificate as well as information relating to the transfer of powers and functions following her suspension. On 15 November 2021, the data subject filed a complaint with the Italian DPA, which started an investigation on the case. In its defence, the controller argued that it had to fulfill its transparency obligations and thus had to publish infromation about the replacement of the person in charge of the tender procedure. Moreover, as soon as it received the notification from the DPA, the controller took care to remove the data that were the subject of the complaint, which were no longer visible on the website as of 21 February 2022. Additionally, no employee had ever raised an issue of a personal data breach against the controller prior to this case. Allegedly, the incident was caused by a material error of an employee who carried out the publication in full, not realising that among the various documents in his hands, some contained health data, which should not be published. Finally, the controller argued that the damage suffered by the data subject was minor because documents containing her personal data were published in a section of the controller's website that was not immediately accessible to the "average" user. The Italian DPA held that the controller, although subject to transparency obligations, published on its website data relating to health, the
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (1)
Other enforcement actions involving XX (the data subject) in IT
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
20 October 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€5,000
GDPRhub ID
gdprhub-5508About this data
Cite as: Cookie Fines. XX (the data subject) - Italy (2022). Retrieved from cookiefines.eu
Last updated: