Ordine degli avvocati di Ancona – €20,000 Fine (Italy, 2023)
The Ancona Bar Association was fined €20,000 for improperly handling personal data during the registration of lawyers in a legal aid system. The Italian data protection authority found that the association stored sensitive information in cookies without proper consent. This case stresses the need for organizations to follow strict data protection rules when handling personal information.
What happened
The Italian DPA fined the Ancona Bar Association for storing sensitive lawyer credentials in cookies without proper consent.
Who was affected
Lawyers registered in the Ancona Bar Association's free legal aid system whose personal data was mishandled.
What the authority found
The authority found that the Bar Association violated GDPR by not obtaining valid consent for the use of cookies to store sensitive information.
Why this matters
This ruling serves as a critical reminder for organizations to ensure they have proper consent mechanisms in place when handling personal data, especially in sensitive contexts.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The data subject, a lawyer, registered in the 'free legal aid system' offered by the controller, the Ancona Bar Association. This system was intended to register lawyers and enable them to submit requests for legal assistance paid by the State in favor of their clients. During the registration process, the data subject was required to fill in a form with various personal data, including the username and password to access their certified email. These credentials were used to authenticate the registered lawyers each time they submitted a request for free legal aid. Once the credentials were collected through the form, they were encrypted and stored in a cookie installed on the data subject's browser. Each time a request was submitted on the controller's website, the credentials were decrypted by the system and used to access the data subject/lawyer's certified email. Then, the system would send the request from the data subject's account to the controller.
The data subject disagreed with the procedure adopted by the controller and filed a complaint with the Italian DPA, claiming that it violated the GDPR as there was no other way to submit the requests.
In defense, the controller claimed that Presidential Decree 115/02 establishes that the application for legal aid must be presented to the Council of the Bar Association with territorial jurisdiction to assess it and that the data subjects were asked to consent to the processing of their data. According to the controller, the purpose of the online form was only to facilitate the process and to provide a faster assessment of the request, but data subjects had the alternative of submitting paper applications by mail. Therefore, it argued that the data processing was based both on Article 6(1)(a) and (e), since the credentials were necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As for the use of certified email credentials,
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Ordine degli avvocati di Ancona in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
13 April 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-6030
Cite as: Cookie Fines. Ordine degli avvocati di Ancona - Italy (2023). Retrieved from cookiefines.eu