Istituto nazionale della previdenza sociale – €20,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Istituto Nazionale della Previdenza Sociale (INPS) was fined for publishing personal data of candidates in a public competition without proper legal grounds. This ruling matters because it shows that organizations must handle personal data carefully and respect privacy. Public institutions should ensure they have the right to share personal information before doing so.
What happened
INPS published personal data of over 5000 candidates online without a valid legal basis.
Who was affected
Candidates who participated in the public competition and had their personal data published online.
What the authority found
The authority found that INPS did not have a proper legal basis for publishing the candidates' personal data.
Why this matters
This ruling highlights the need for public organizations to comply with data protection rules, reminding them to verify their legal grounds for data sharing.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The National Social Security Institute of Italy (Istituto Nazionale della Previdenza Sociale – INPS) intended to hire public servants through a public competition. For the purposes of this competition, it published on its website the rankings of the candidates, both the one that successfully passed the competition and also the excluded one. This ranking showed the name and surname of more than 5000 candidates and their score. Moreover, also other documents were published online, such as the schedule of the oral test. One of the participants filed a complaint with the DPA. He argued that the controller had published his personal data on the website without an adequate legal basis. Following the DPA’s request, the controller removed those documents from its website. The controller presented several arguments to support the lawfulness of its processing. Firstly, it pointed out that the publication of the list of the candidates who had been successfully admitted to the oral stage of the competition was a legal obligation, as the call for competition provided for it. Secondly, it highlighted the fact that the applicants had given their consent for the processing of personal data while filling in the application form. Moreover, the controller stressed the fact that, according to [https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2003-07-29&atto.codiceRedazionale=003G0218&atto.articolo.numero=2&atto.articolo.sottoArticolo=3&atto.articolo.sottoArticolo1=0&qId=&tabID=0.767966568760458&title=lbl.dettaglioAtto Article 2-ter of the Italian Data Protection Code], the legal basis for the processing can be found not only on a legislative act, but also on an administrative act of general applicability, such as a call for competition. Additionally, it argued that it had a legitimate interest in this processing as per Article 6(1)(f) GDPR. Firstly, the DPA observed that the relevant legal basis for the processing of personal data by a public author
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Istituto nazionale della previdenza sociale in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
11 April 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-8012About this data
Cite as: Cookie Fines. Istituto nazionale della previdenza sociale - Italy (2024). Retrieved from cookiefines.eu
Last updated: