Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino – Violation Found (Italy, 2023)

Violation Found
Garante per la protezione dei dati personali, 26 October 2023, Italy
final
ePrivacy

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino faced scrutiny for using personal data in medical research without proper consent. The Italian data protection authority found that the hospital did not follow the rules about obtaining consent for using sensitive information. This case serves as a reminder for healthcare providers to prioritize patient consent in research.

What happened

The hospital conducted medical research using personal data without obtaining consent from the patients involved.

Who was affected

Patients whose personal data was used in the medical studies were affected.

What the authority found

The authority found that the hospital violated data protection rules by not obtaining proper consent for processing personal data.

Why this matters

This ruling emphasizes the need for healthcare organizations to obtain explicit consent from patients before using their data for research. It highlights the importance of transparency and respect for patient privacy.

GDPR Articles Cited

AI-verified

Art. 14 GDPR
Art. 35 GDPR
Art. 36 GDPR
Art. 5(1)(a) GDPR
Art. 9(1) GDPR
Art. 9(2)(a) GDPR
Art. 9(2)(j) GDPR
Art. 14(5)(b) GDPR
Art. 89(1) GDPR

Original scraped data

Art. 5 GDPR
Art. 6 GDPR
Art. 9(1) GDPR
Art. 9(2)(j) GDPR
Art. 9(4) GDPR
Art. 14 GDPR
Art. 35 GDPR
Art. 36 GDPR
Art. 89(1) GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 110 Codice Privacy
Source verified 9 April 2026 (articles corrected, national law identified)

Full Legal Summary

Prior to conducting two medical research studies, the University Hospital Città della Salute e della Scienza di Torino (the controller) consulted the Italian DPA in accordance with Article 36 GDPR.

The first study, "Head and neck tumours: relapses and second tumours," is a retrospective analysis focusing on 400 deceased or uncontactable patients, for which the request for prior consultation was deemed necessary. The hospital sought a favourable opinion from the DPA, in accordance with the GDPR and Article 110 of the Italian Privacy Code (https://www.garanteprivacy.it/codice), for processing personal data without obtaining consent due to practical difficulties in contacting patients. The study spanned seven years, involving pseudonymised data storage in accordance with the principles of data minimisation and storage limitation.

The second study, "Use of coronagraphy and right heart catheterisation in the pre-liver transplant cardiological work-up," is a multi-centre, observational, retrospective study analysing liver transplant candidates. In this study, the hospital also sought a favourable opinion for processing personal data without consent, emphasising the challenges posed by the high incidence of mortality among the patients. This study relied on Article 9(2)(a) GDPR as the legal basis for processing the personal data of living patients, while, as in the first study, it requested prior consultation of the DPA pursuant to Article 110 of the Italian Privacy Code (https://www.garanteprivacy.it/codice) for those who are deceased. Moreover, in relation to the data processing of deceased patients, the study foresaw transparency measures for the family members of the deceased, such as information published on its website and those of participating centres, aligning with Article 14 GDPR.

Following the information provided, for the first study, the DPA acknowledged the hospital's correct identification of legal bases for the data processing, including tho

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

26 October 2023

Authority

Garante per la protezione dei dati personali

GDPRhub ID

gdprhub-7417

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino - Italy (2023). Retrieved from cookiefines.eu
