Azienda Sanitaria Locale TO4 – €8,400 Fine (Italy, 2024)
Azienda Sanitaria Locale TO4 was fined for accidentally exposing patients' email addresses. The incident shows how a single slip in routine email handling becomes a reportable personal data breach, and why organizations that communicate health-related information need safe sending methods rather than reliance on staff remembering the right field.
What happened
Azienda Sanitaria Locale TO4 disclosed the email addresses of 45 patients to each other by placing them in the 'cc' field instead of 'bcc'. The email contained instructions for obtaining multiple sclerosis medication, so every recipient could also infer the others' medical condition.
Who was affected
The 45 patients whose email addresses and health information were disclosed.
What the authority found
The Garante found that the health authority violated Articles 5(1)(f) and 9 GDPR. An email address is personal data even when it does not contain the person's name, because it still identifies a natural person; the fact that the recipients were being given instructions for a specific medication is health data under Article 9(1); and the 'cc' field disclosed both to every recipient. The controller's arguments (human error, repeated instructions to staff to use 'bcc', a small number of data subjects, a short-lived breach) did not prevent a finding of violation.
Why this matters
This case shows that training on its own is not a sufficient safeguard: the authority had repeatedly told staff to use 'bcc', and one slip still exposed health data and led to a fine. Organizations that send bulk messages to patients need technical controls as well, such as sending one message per recipient or mail tooling that refuses a message with many recipients in the visible fields.
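The kind of outbound guard a practitioner would put in front of bulk patient mailings, as an added illustration that is not code from the health authority or from the Garante decision. The sender address, the 45 constructed recipient addresses and all function names are assumptions made for this example; the three builders show the mistaken 'cc' pattern beside two safe ones, and the check rejects any message whose visible recipient list is longer than one.

```python
"""
Guarding bulk patient notifications against the cc/bcc mistake.

Added example for this page, not the health authority's own tooling. The sender,
the recipient list and the function names are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "farmacia@asl-to4.example.invalid"  # constructed sender address
# 45 constructed recipient addresses, matching the number of data subjects in the case.
SAMPLE_RECIPIENTS = [f"patient{i}@example.invalid" for i in range(1, 46)]


class RecipientExposure(ValueError):
    """Sending this message would reveal recipient addresses to each other."""


def cc_style_notice(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """The mistaken pattern from the case: every recipient placed in the visible Cc field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def bcc_style_notice(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Safer pattern: recipients only in Bcc; To carries the sender's own address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def per_recipient_notices(sender: str, recipients: list[str], subject: str, body: str) -> list[EmailMessage]:
    """Strongest pattern: one message per patient, so no shared recipient list exists at all."""
    notices = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        notices.append(msg)
    return notices


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see in the delivered message: To and Cc.

    Bcc is deliberately excluded: smtplib.SMTP.send_message() strips the Bcc header
    before transmission, so those addresses never reach the other recipients.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_bulk_notice(msg: EmailMessage, max_visible: int = 1) -> bool:
    """Outbound guard: refuse a message whose visible recipient list exceeds max_visible.

    Returns True when the message is safe to hand to the mail server; raises
    RecipientExposure otherwise so the send path cannot silently continue.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise RecipientExposure(
            f"{len(visible)} addresses would be visible in To/Cc; "
            "use Bcc or send one message per recipient"
        )
    return True


if __name__ == "__main__":
    bad = cc_style_notice(SENDER, SAMPLE_RECIPIENTS, "Medication pickup", "Instructions follow.")
    try:
        check_bulk_notice(bad)
    except RecipientExposure as exc:
        print("blocked:", exc)
    good = bcc_style_notice(SENDER, SAMPLE_RECIPIENTS, "Medication pickup", "Instructions follow.")
    print("visible recipients on the Bcc version:", visible_recipients(good))
    # Deliver with smtplib.SMTP(host).send_message(good): send_message drops Bcc.
    # Never pass good.as_string() to SMTP.sendmail(); the raw text still carries Bcc.
```

The check is meant to sit in the one place that hands messages to the SMTP server, not in the mail client, so that it holds regardless of which field a staff member picks. Note the caveat in the final comment: a Bcc-based message is only safe if it is delivered through an API that strips the header; serializing it to text and sending that verbatim re-creates the exposure.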
GDPR Articles Cited
Art. 5(1)(f) GDPR (integrity and confidentiality)
Art. 9 GDPR (processing of special categories of personal data, here data concerning health)
Original scraped data (before verification against the source decision)
The controller, a health authority, sent an email to 45 data subjects containing instructions on how to obtain medication used to treat multiple sclerosis. The person sending the email put the recipients' addresses in the "cc" field instead of the "bcc" field, so each data subject's email address was disclosed to all the others. After a report from one of the data subjects, the controller notified the data breach to the DPA under Article 33(1) GDPR.

The controller argued that the breach was due to human error and that it had repeatedly instructed its employees to use the "bcc" field when emailing multiple people. It also pointed out that the number of data subjects concerned was low and that the breach lasted only a short time.

First, the DPA noted that an email address is personal data even when it is not made up of the data subject's name and surname, since it still allows a natural person to be identified. Secondly, the DPA held that data relating to the administration of a medication is data concerning health under Article 9(1) GDPR, which requires a higher level of protection because its processing carries a higher risk for the rights and freedoms of data subjects. Thirdly, the DPA found that using the "cc" field resulted in the unlawful disclosure of the names and health data of 45 patients. The DPA therefore found a violation of Articles 5(1)(f) and 9 GDPR and issued a fine of €8,400.
Violations (2)
Email addresses and health data of 45 patients disclosed to each other by placing the recipients in the 'cc' field of a bulk email.
Art. 5(1)(f) GDPR
Art. 9 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda Sanitaria Locale TO4 in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
23 May 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€8,400
GDPRhub ID
gdprhub-8155
Cite as: Cookie Fines. Azienda Sanitaria Locale TO4 - Italy (2024). Retrieved from cookiefines.eu