Lombardy Region – €20,000 Fine (Italy, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Lombardy Region was fined €20,000 for publishing personal data of about 732 workers on its website. This included sensitive information like health details and employment history. It serves as a reminder that even public institutions must handle personal data responsibly and ensure privacy.
What happened
The Lombardy Region published personal data of approximately 732 workers on its institutional website without proper justification.
Who was affected
Workers whose personal information, including health and employment details, was publicly disclosed.
What the authority found
The Italian DPA found that the Lombardy Region violated data protection rules by failing to protect personal data and ensure its lawful processing.
Why this matters
This case underscores the importance of safeguarding personal information, even for public entities. Organizations should implement strict data handling policies to avoid similar violations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The Lombardy Region, acting as the data controller, published personal data of approximately 732 workers on its institutional website. The data included details related to the employment relationship, legal proceedings, remuneration, length of service, qualifications, and, notably, information about a worker's health. The publication was brought to the attention of the Italian DPA by two Trade Union Associations, and the DPA asked the controller to provide clarifications.
The controller explained that the publication occurred in the context of fulfilling transparency obligations under Article 22 of Legislative Decree 33/2013 (https://def.finanze.it/DocTribFrontend/getAttoNormativoDetail.do?ACTION=getSommario&id=%257BFBD758F1-FC33-4DA4-89A2-4721CC605EAE%257D#:~:text=33%2520%252D,da%2520parte%2520delle%2520pubbliche%2520amministrazioni.). The controller also contended that it did not process the data received from the relevant employees as their employer; it did so solely to fulfil its obligations to publish data related to transactions between legal entities. Because it did not act as an employer, it argued, it could not be attributed the responsibility to guarantee the principles of data minimisation, data accuracy and transparency. The controller further emphasised that the publication took place during a pandemic emergency, affecting its capacity. Thus, the controller stated that its liability in the dissemination of the data in question could be considered mere negligence in a sporadic episode occurring in an exceptional situation.
The Italian DPA declared the processing illegal. Firstly, the DPA recalled that data processing by a public entity may be carried out only if necessary for compliance with a legal obligation or for a task to be carried out in the public interest, pursuant to Article 6(1)(c) and (e) GDPR. It further noted that pursuant to Article 9(2) GDPR, the controller correctly process
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Lombardy Region in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 October 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-6583
Cite as: Cookie Fines. Lombardy Region - Italy (2023). Retrieved from cookiefines.eu