Regione di Veneto (the Controller) – €100,000 Fine (Italy, 2022)

€100,000 | Garante per la protezione dei dati personali | 6 October 2022 | Italy
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Veneto Region was fined €100,000 for improperly sharing the personal details of unvaccinated healthcare workers. They sent sensitive information to employers without adequate consent. This ruling stresses the need for organizations to handle personal data carefully, especially during public health initiatives.

What happened

The Veneto Region shared personal data of unvaccinated healthcare workers with employers without proper consent.

Who was affected

Healthcare workers in the Veneto Region whose vaccination status was shared without their consent.

What the authority found

The Italian authority ruled that the Veneto Region violated GDPR by not obtaining consent before sharing personal data.

Why this matters

This case shows the importance of obtaining consent when handling sensitive personal information. Organizations should ensure they have clear consent processes in place when sharing data.

GDPR Articles Cited

AI-verified

Art. 6 GDPR
Art. 5(1)(a) GDPR

Original data from scraper before AI verification against source document:

Art. 5(1)(a) GDPR
Art. 6 GDPR
Art. 6(2) GDPR

National Law Articles

AI-identified

Art. 2-ter Codice Privacy
Art. 2-sexies Codice Privacy
Source verified 3 April 2026
articles corrected
national law identified
Full Legal Summary
Detailed

Following the entry into force of the [https://www.gazzettaufficiale.it/eli/id/2021/04/01/21G00056/sg Legislative Decree No. 44/2021], the Veneto Region (the controller) transmitted the lists of health care workers who were not vaccinated on the date of 15 April 2021 (data subjects), to the competent doctor of each employer through a password-protected list, to persuade them, in good faith, to adhere to the vaccination as set out in the legislative decree No. 44/2021. The competent doctor would receive personal details of the data subjects, such as their tax code, surname, first name, date of birth and gender. Moreover, the employers were asked to provide the contact details of each competent doctor, then a vaccination invitation model was sent, with a request for rapid transmission to the data subjects concerned.

Based on dozens of complaints and reports from data subjects (mostly medical and nursing staff employed in healthcare facilities in the Veneto Region) and on the basis of questions raised by competent doctors working at regional healthcare facilities, the Italian DPA launched a preliminary investigation into the processing operations carried out by the controller during the implementation of the Legislative Decree No. 44/2021.

The controller ascertained that the verifications that it carried out were transmitted to the figure expressly appointed to deal with the health aspects of the workers (i.e., the competent doctor). The competent doctor would then transmit this information to the local health authority pursuant to Legislative Decree 44/2021. Moreover, the controller allegedly ensured that the transmission of the lists of data subjects to the competent doctors was carried out to perform a task in the public interest and for the exercise of public powers vested in the controller. The controller reaffirmed the difficult period during which it had to act and the fact that [https://www.gazzettaufficiale.it/eli/id/2021/04/01/21G00056/sg Article 4 of the Le

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Regione di Veneto (the Controller) in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

6 October 2022

Authority

Garante per la protezione dei dati personali

Fine Amount

€100,000

GDPRhub ID

gdprhub-5555

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Regione di Veneto (the Controller) - Italy (2022). Retrieved from cookiefines.eu
