Citynews S.p.A. – €15,000 Fine (Italy, 2023)

“Palermo Today”, an online newspaper, published an article about the arrest of the data subject, a well-known mafia boss who had been a fugitive for 30 years. Among the circumstances of the arrest, the article also revealed information about the state of health of the data subject and included a complete copy of his laboratory records. On 18 January 2023, the DPA adopted a temporary measure against the controller, Citynews S.p.A. (the owner of the newspaper), limiting the further dissemination of the data subject’s health data. The controller complied with the above measures, modifying the article, deleting the data subject’s health records and requesting Google to deindex the information. It pointed out that the journalistic content had no intention of harming the dignity of the data subject and claimed that the information had been expressly deemed unpublishable, but the Director responsible, in an autonomous decision, considered it was of public interest and decided to publish it. The DPA considered both Article 137 of the Italian Data Protection Code and Article 9 GDPR and recalled that sensitive data can be processed even without the consent of the data subject, provided that the processing complies with the principle of essentiality of information and the facts are of public interest. Similarly, Article 10 of the Code of Journalistic Ethics prescribes that the publication is permitted in the context of pursuing the essentiality of information, provided that journalists respect human dignity and privacy, especially in cases of serious or terminal illness. For this reason, journalists should refrain from publishing analytical data of strictly clinical interest. The DPA also considered Article 5 GDPR, in particular, the principles of lawfulness and data minimization. Based on the above, the DPA concluded that the processing violated Article 5(1)(a) and (c) as well as Article 9 GDPR, prohibiting the controller to further process the data indicated and issui