Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller) – €6,000 Fine (Italy, 2022)
Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico was fined €6,000 for mistakenly publishing a nurse's personal data on its website. The hospital acted quickly to remove the information after being notified. This case shows how important it is for organizations to handle personal data carefully and to respond promptly to any breaches.
What happened
A.R.N.A.S. Civico published a nurse's personal data, including health information, on its website without proper safeguards.
Who was affected
A nurse whose personal and health data was published online without appropriate measures.
What the authority found
The Italian DPA found that A.R.N.A.S. Civico violated GDPR by failing to protect personal data and not ensuring proper indexing controls.
Why this matters
This case highlights the importance of data protection measures and the need for organizations to act swiftly to rectify breaches. It serves as a reminder for businesses to implement strong data governance practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
A nurse (the data subject) filed a complaint with the Italian DPA against the hospital (the controller) where they worked due to the publication on the controller's institutional website of two measures (following the data subject's request for retirement) which contained personal data of the data subject, including health data. More specifically, the controller published on its institutional website, and indexed on search engines, measures that contained the data subject’s state of invalidity, as well as detailed information relating to the employment relationship (such as the request for retirement). However, there was an error in the calculation of the period of actual service of the data subject that needed to be rectified. The controller forwarded to the DPA the notification of the violation pursuant to Article 33 GDPR ascertaining its willingness to cooperate with the supervisory authority. Following that, the controller removed the measure after 6 days from publication. Moreover, as soon as the controller learnt from the DPA’s notification that the measure was still being indexed on the Internet, it immediately solved the problem by deactivating the indexation of the attachments by search engines. Additionally, the controller indicated that it started taking actions in line with the soon-to-be-approved Privacy Code of Conduct in Healthcare and had a solid intention to adopt it once authorised in accordance with Article 40 GDPR. Finally, it emphasised that the breach resulted from the intention to detail the justifications for the amendment of one of the 2 previously published provisions where that rectification was necessary to acknowledge the period of actual service. The Italian DPA claimed that the controller did not prove the existence of any specific regulatory provision allowing the publication of the measures which were subject to the complaint, nor did it consider sufficient the mere reference to the rules concerning the publicity of acts (such as A
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
1 December 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€6,000
GDPRhub ID
gdprhub-5589About this data
Cite as: Cookie Fines. Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller) - Italy (2022). Retrieved from cookiefines.eu
Last updated: