Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller) – €6,000 Fine (Italy, 2022)

€6,000
Garante per la protezione dei dati personali
1 December 2022
Italy
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A.R.N.A.S. Civico, a hospital in Italy, was fined for publishing personal health information about a nurse on its website without consent. This matters because it highlights the importance of protecting sensitive personal data, especially in healthcare settings. Businesses must ensure they have permission before sharing any personal information online.

What happened

A.R.N.A.S. Civico published documents containing a nurse's personal health data on its website without consent.

Who was affected

The nurse whose personal health information was published online without her consent.

What the authority found

The Italian DPA ruled that A.R.N.A.S. Civico violated data protection rules by sharing personal data without valid consent.

Why this matters

This case emphasizes that healthcare providers must prioritize patient privacy and obtain consent before disclosing any personal information. It serves as a reminder for all businesses to review their data sharing practices.

GDPR Articles Cited

AI-verified

Art. 33 GDPR
Art. 5(1)(a) GDPR
Art. 6(1) GDPR
Art. 9(1) GDPR

Original scraped data (from the scraper, before AI verification against the source document):

Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR

National Law Articles

AI-identified

Art. 2-ter Codice Privacy
Art. 2-septies Codice Privacy

Entities Involved

Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller)
XX (the data subject)
Source verified 6 April 2026
articles corrected
national law identified
Full Legal Summary
Detailed

A nurse (the data subject) filed a complaint with the Italian DPA against the hospital (the controller) where they worked, due to the publication on the controller's institutional website of two measures (following the data subject's request for retirement) which contained personal data of the data subject, including health data. More specifically, the controller published on its institutional website measures, which were also indexed on search engines, that contained the data subject's state of invalidity, as well as detailed information relating to the employment relationship (such as the request for retirement). However, there was an error in the calculation of the period of actual service of the data subject that needed to be rectified.

The controller forwarded to the DPA the notification of the violation pursuant to Article 33 GDPR, affirming its willingness to cooperate with the supervisory authority. Following that, the controller removed the measure 6 days after publication. Moreover, as soon as the controller learnt from the DPA's notification that the measure was still being indexed on the Internet, it immediately solved the problem by deactivating the indexation of the attachments by search engines. Additionally, the controller indicated that it had started taking actions in line with the soon-to-be-approved Privacy Code of Conduct in Healthcare and had a solid intention to adopt it once authorised in accordance with Article 40 GDPR. Finally, it emphasised that the breach resulted from the intention to detail the justifications for the amendment of one of the two previously published provisions, where that rectification was necessary to acknowledge the period of actual service.

The Italian DPA claimed that the controller did not prove the existence of any specific regulatory provision allowing the publication of the measures which were subject to the complaint, nor did it consider sufficient the mere reference to the rules concerning the publicity of acts (such as A

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller) in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

1 December 2022

Authority

Garante per la protezione dei dati personali

Fine Amount

€6,000

GDPRhub ID

gdprhub-5589

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller) - Italy (2022). Retrieved from cookiefines.eu
