Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino – Violation Found (Italy, 2023)
Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino was found to have violated privacy rules by processing personal data without consent for medical studies. This case shows the importance of following legal procedures when handling sensitive data.
What happened
The hospital processed personal data for medical research without obtaining consent due to practical difficulties.
Who was affected
Patients whose personal data was used in the medical research studies.
What the authority found
The Italian DPA found that the hospital did not comply with consent requirements when processing personal data for research.
Why this matters
This ruling emphasizes the need for healthcare institutions to adhere to privacy laws when conducting research. Organizations should ensure they have proper consent mechanisms in place.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Prior to conducting two medical research studies, the University Hospital Città della Salute e della Scienza di Torino (the controller) consulted the Italian DPA in accordance with Article 36 GDPR. The first study, "Head and neck tumours: relapses and second tumours," is a retrospective analysis focusing on 400 deceased or uncontactable patients, for which the request for prior consultation was deemed necessary. The hospital sought a favourable opinion from the DPA, in accordance with the GDPR and [https://www.garanteprivacy.it/codice Article 110 of the Italian Privacy Code], for processing personal data without obtaining consent due to practical difficulties in contacting patients. The study spanned seven years, involving pseudonymised data storage in accordance with the principles of data minimisation and storage limitation. The second study, "Use of coronagraphy and right heart catheterisation in the pre-liver transplant cardiological work-up," is a multi-centre, observational, retrospective study analysing liver transplant candidates. In this study, the hospital also sought a favourable opinion for processing personal data without consent, emphasising the challenges posed by the high mortality incidence of the patients. This study utilised as a legal basis Article 9(2)(a) GDPR for the processing of personal data of the living patients, meanwhile it requested, similarly to the first study, the prior consultation of the DPA pursuant to [https://www.garanteprivacy.it/codice Article 110 of the Italian Privacy Code] for those who are deceased. Moreover, in relation to the data processing of deceased patients, the study foresaw transparency measures for the family members of the deceased, such as information published on its website and those of participating centres, aligning with Article 14 GDPR. Following the information provided, for the first study, the DPA acknowledged the hospital's correct identification of legal bases for the data processing, including tho
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Decision Date
26 October 2023
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-7417About this data
Cite as: Cookie Fines. Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino - Italy (2023). Retrieved from cookiefines.eu
Last updated: