Azienda Ospedaliera Complesso Ospedaliero San Giovanni – Addolorata – Complaint Upheld (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A hospital in Italy was involved in a case in which a doctor's health data was forwarded internally by email. According to the summary below, the data protection authority found the hospital's handling justified because the data stayed within the organisation and was shared only with a person who needed it for the management of the employment relationship. The case illustrates when sharing special-category data inside an organisation can be lawful, and on which legal basis.
What happened
A doctor emailed her manager information about her health to justify an absence from work. The manager replied and added the hospital's director general as a recipient. The doctor complained to the DPA that forwarding the email to the director general was unlawful under the GDPR.
Who was affected
The doctor whose health information was shared was affected by this incident.
What the authority found
The data protection authority held that the information in the email was data concerning health under Article 9(1) GDPR, and assessed the internal forwarding against the legal bases available to a public employer (Article 6(1)(c) and (e), together with Article 9(2)(b) GDPR); under those conditions the sharing of the doctor's health data was treated as lawful.
Why this matters
This case underscores that an organisation must be able to name the legal ground (here, the employer's obligations under Article 9(2)(b) GDPR, together with Article 6(1)(c) or (e)) before forwarding special-category data internally, and that an employee's description of symptoms counts as health data even without a formal diagnosis. It is a reminder to train managers on need-to-know handling of staff health information.
GDPR Articles Cited
Art. 6(1)(c), 6(1)(e), 9(1), 9(2)(b) GDPR (as discussed in the case details below).
Case details (original scraped data, before verification against the source document)
The data subject is a doctor working for the controller, a hospital. The data subject sent an email to her manager containing personal data about her health in order to justify her absence from work. The manager then replied to her and added the director general of the hospital as a recipient. The data subject filed a complaint with the DPA, arguing that forwarding the email to the director general was unlawful under the GDPR.
The controller argued that the data subject herself had sent an email to her manager containing health data; moreover, it stressed that the data was never disclosed to a third party, but only to a person who was the head of the controller's organisational structure and needed to know that information to arrange a replacement for the data subject. Furthermore, the controller argued that the email did not contain any data relating to health, since the data subject had only described her symptoms and not an official diagnosis.
First, the DPA recalled that, according to Article 6(1)(c) and 6(1)(e) GDPR, public authorities may process personal data where this is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Moreover, the DPA pointed out that an employer may process sensitive data where the processing is necessary for the management of the employment relationship and to fulfil specific obligations or tasks arising from the applicable law, pursuant to Article 9(2)(b) GDPR.
Secondly, the DPA held that the information contained in the email was data relating to the data subject's health and therefore fell within the scope of Article 9(1) GDPR. The DPA recalled that, according to consistent case law of the CJEU (see C-184/20, Vyriausioji tarnybinės etikos komisija, para. 125; [https://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=en&mode=lst&dir=&occ
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
Forwarding of an employee's health data (special-category data under Art. 9(1) GDPR) within the organisation; the DPA's assessment relied on Art. 6(1)(c), 6(1)(e) and 9(2)(b) GDPR. This case does not concern cookies or tracking scripts.
Related Enforcement Actions (0)
No other enforcement actions found for Azienda Ospedaliera Complesso Ospedaliero San Giovanni – Addolorata in IT; this is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Azienda Ospedaliera Complesso Ospedaliero San Giovanni – Addolorata - Italy (2024). Retrieved from cookiefines.eu