Istituto nazionale della previdenza sociale – €20,000 Fine (Italy, 2024)
The National Social Security Institute of Italy (INPS) was fined for posting the names and scores of over 5,000 job candidates online without proper consent. This matters because it emphasizes the importance of protecting personal information in public job processes.
What happened
INPS published rankings of job candidates, including personal details, on its website without adequate legal justification.
Who was affected
More than 5,000 job candidates whose names and scores were publicly displayed by INPS.
What the authority found
The authority ruled that INPS lacked a valid legal basis for processing the candidates' personal data, violating GDPR requirements.
Why this matters
This ruling stresses that organizations must handle personal data carefully, especially in competitive processes. It encourages companies to ensure they have proper consent before sharing sensitive information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The National Social Security Institute of Italy (Istituto Nazionale della Previdenza Sociale – INPS) intended to hire public servants through a public competition. For the purposes of this competition, it published on its website the rankings of the candidates, both the one that successfully passed the competition and also the excluded one. This ranking showed the name and surname of more than 5000 candidates and their score. Moreover, also other documents were published online, such as the schedule of the oral test. One of the participants filed a complaint with the DPA. He argued that the controller had published his personal data on the website without an adequate legal basis. Following the DPA’s request, the controller removed those documents from its website. The controller presented several arguments to support the lawfulness of its processing. Firstly, it pointed out that the publication of the list of the candidates who had been successfully admitted to the oral stage of the competition was a legal obligation, as the call for competition provided for it. Secondly, it highlighted the fact that the applicants had given their consent for the processing of personal data while filling in the application form. Moreover, the controller stressed the fact that, according to [https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2003-07-29&atto.codiceRedazionale=003G0218&atto.articolo.numero=2&atto.articolo.sottoArticolo=3&atto.articolo.sottoArticolo1=0&qId=&tabID=0.767966568760458&title=lbl.dettaglioAtto Article 2-ter of the Italian Data Protection Code], the legal basis for the processing can be found not only on a legislative act, but also on an administrative act of general applicability, such as a call for competition. Additionally, it argued that it had a legitimate interest in this processing as per Article 6(1)(f) GDPR. Firstly, the DPA observed that the relevant legal basis for the processing of personal data by a public author
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Istituto nazionale della previdenza sociale in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
11 April 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-8012About this data
Cite as: Cookie Fines. Istituto nazionale della previdenza sociale - Italy (2024). Retrieved from cookiefines.eu
Last updated: