Conservatorio Santa Cecilia di Roma – €6,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Conservatorio Santa Cecilia di Roma was fined after a principal accessed a student's private statements from a video recording without proper authority. The authority ruled that the principal's actions were not legally justified, emphasizing that privacy rights must be respected. This case serves as a warning for educational institutions about handling sensitive information.
What happened
The principal accessed a student's statements from a video recording found on a misplaced USB drive without proper legal grounds.
Who was affected
The student whose statements were recorded and later used in disciplinary proceedings was affected.
What the authority found
The authority decided that the principal had no legal basis for accessing the student's data, violating privacy rights.
Why this matters
This case highlights the need for educational institutions to handle student data carefully and respect privacy rights, especially when dealing with sensitive information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
At the St Cecilia Conservatory of Music in Rome (the controller), a student association held an assembly through the Zoom platform. An unknown person saved a video recording of the assembly on a USB drive and left the drive on the premises, where it was found and viewed by the Conservatory's Principal. The Principal held that one of the Conservatory's students (the data subject) offended the school's reputation during the assembly. For this reason, the Conservatory initiated disciplinary proceedings against the student, and appointed a sworn expert who transcribed the student's statements on the video recording. The data subject subsequently filed a complaint with the Italian DPA. In its defense, the controller observed that principals have disciplinary powers over students under Italian law and may investigate student misconduct outside of school. For this reason, the controller claimed that it processed the data subject's data on the legal basis of the exercise of official authority (Article 6(1)(e) GDPR). The controller also argued that students had no expectation of privacy during the assembly because links to the Zoom session were publicly available on social media. The DPA held that the principal had no authority to access personal data which was randomly discovered on a misplaced USB drive. For this reason, the DPA held that the original collection of the data lacked a legal basis. As a consequence, the DPA found that all further processing of the data during the disciplinary proceedings (including their disclosure to the sworn expert) also lacked a legal basis, and violated the purpose limitation principle. The DPA also clarified that the public and open character of the student assembly was not relevant, as the means through which it was collected in this case (random discovery of a misplaced object) cannot be constitute a sifficient reason to legitimise the processing of personal data. For these reasons, the DPA held that the controller violated Articles
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Conservatorio Santa Cecilia di Roma in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
10 November 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€6,000
GDPRhub ID
gdprhub-5656About this data
Cite as: Cookie Fines. Conservatorio Santa Cecilia di Roma - Italy (2022). Retrieved from cookiefines.eu
Last updated: