Regione di Veneto (the Controller) – €100,000 Fine (Italy, 2022)
The Veneto Region in Italy was fined EUR 100,000 for sharing lists of unvaccinated healthcare workers without proper consent. This action raised concerns about privacy and data handling. Small businesses should be cautious about how they share sensitive information to avoid similar penalties.
What happened
The Veneto Region transmitted personal details of unvaccinated healthcare workers to employers without obtaining proper consent.
Who was affected
Healthcare workers in the Veneto Region whose vaccination status was shared were affected.
What the authority found
The authority ruled that the Veneto Region violated GDPR by processing personal data without valid consent.
Why this matters
This ruling emphasizes the need for clear consent when handling sensitive personal data. Businesses must ensure they have proper permissions before sharing any personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Following the entry into force of the [https://www.gazzettaufficiale.it/eli/id/2021/04/01/21G00056/sg Legislative Decree No. 44/2021], the Veneto Region (the controller) transmitted the lists of health care workers who were not vaccinated on the date of 15 April 2021 (data subjects), to the competent doctor of each employer through a password-protected list, to persuade them, in good faith, to adhere to the vaccination as set out in the legislative decree No. 44/2021. The competent doctor would receive personal details of the data subjects, such as their tax code, surname, first name, date of birth and gender. Moreover, the employers were asked to provide the contact details of each competent doctor, then a vaccination invitation model was sent, with a request for rapid transmission to the data subjects concerned. Based on dozens of complaints and reports from data subjects (mostly medical and nursing staff employed in healthcare facilities in the Veneto Region) and on the basis of questions raised by competent doctors working at regional healthcare facilities, the Italian DPA launched a preliminary investigation into the processing operations carried out by the controller during the implementation of the Legislative Decree No. 44/2021. The controller ascertained that the verifications that it carried out were transmitted to the figure expressly appointed to deal with the health aspects of the workers, (i.e., the competent doctor). The competent doctor would then transmit this information to the local health authority pursuant to Legislative Decree 44/2021. Moreover, the controller allegedly ensured that the transmission of the lists of data subjects to the competent doctors was carried out to perform a task in the public interest and for the exercise of public powers vested in the controller. The controller reaffirmed the difficult period during which it had to act and the fact that [https://www.gazzettaufficiale.it/eli/id/2021/04/01/21G00056/sg Article 4 of the Le
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Regione di Veneto (the Controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
6 October 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€100,000
GDPRhub ID
gdprhub-5555About this data
Cite as: Cookie Fines. Regione di Veneto (the Controller) - Italy (2022). Retrieved from cookiefines.eu
Last updated: