Ordine degli avvocati di Ancona – €20,000 Fine (Italy, 2023)
The Ancona Bar Association was fined €20,000 for improperly collecting and processing personal data from lawyers. This case is significant because it shows that even legal organizations must follow data protection rules.
What happened
The Ancona Bar Association collected personal data from lawyers without proper consent during the registration process.
Who was affected
Lawyers who registered in the free legal aid system and had their personal data improperly processed.
What the authority found
The Italian DPA found that the Ancona Bar Association violated GDPR by not providing a valid legal basis for processing personal data.
Why this matters
This case serves as a reminder that all organizations, including legal ones, must comply with data protection laws to avoid penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject, a lawyer, registered in the 'free legal aid system' offered by the controller, the Ancona Bar Association. This system was intended to register lawyers and enable them to submit requests for legal assistance paid by the State in favor of their clients. During the registration process, the data subject was required to fill in a form with various personal data, including the username and password to access their certified email. These credentials were used to authenticate the registered lawyers each time they submitted a request for free legal aid. Once the credentials were collected through the form, they were encrypted and stored in a cookie installed on the data subject's browser. Each time a request was submitted on the controller's website, the credentials were decrypted by the system and used to access the data subject/lawyer's certified email. Then, the system would send the request from the data subject's account to the controller. The data subject disagreed with the procedure adopted by the controller and filed a complaint with the Italian DPA, claiming that it violated the GDPR as there was no other way to submit the requests. In defense, the controller claimed that Presidential Decree 115/02 establishes that the application for legal aid must be presented to the Council of the Bar Association with territorial jurisdiction to assess it and that the data subjects were asked to consent to the processing of their data. According to the controller, the purpose of the online form was only to facilitate the process and to provide a faster assessment of the request, but data subjects had the alternative of submitting paper applications by mail. Therefore, it argued that the data processing was based both on Article 6 (1)(a) and (e), since the credentials were necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As for the use of certified email credentials,
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Ordine degli avvocati di Ancona in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
13 April 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-6030About this data
Cite as: Cookie Fines. Ordine degli avvocati di Ancona - Italy (2023). Retrieved from cookiefines.eu
Last updated: