Azienda Unità Sanitaria Locale della Romagna – €24,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Azienda Unità Sanitaria Locale della Romagna shared a person's HIV status with their son-in-law's employer without permission. This breach of privacy is serious because it shows how sensitive health information can be mishandled. The health authority was fined €24,000 for not protecting personal data properly.
What happened
Azienda Unità Sanitaria Locale della Romagna shared a health certificate containing a person's HIV diagnosis with their son-in-law's employer without consent.
Who was affected
The person whose health information was shared, who applied for disabled status due to being HIV positive.
What the authority found
The authority ruled that the health authority, as controller, violated GDPR rules by processing sensitive health data without a valid legal basis.
Why this matters
This case highlights the importance of handling sensitive health information carefully. Companies should ensure they have proper consent before sharing any personal data.
Original data from scraper before AI verification against source document.
The data subject submitted an application to the local health authority in order to acquire the status of a disabled person as she is HIV positive. After acquiring this status, according to Italian national law, a family member of the person is entitled to take some days off from their job to take care of the disabled person. Therefore, the son-in-law of the data subject, who worked for the Ministry of Justice in a jail, applied for these days off to his employer. After that, the employer directly contacted the health authority (controller) in order to confirm that the data subject had obtained the status of a disabled person. The controller sent the Ministry of Justice the whole certificate regarding the disabled status of the data subject, including the part containing the HIV-diagnosis.
The data subject filed a complaint with the DPA, arguing that transferring the whole certificate to her son-in-law’s employer was unlawful. The controller argued that this transfer happened due to human error during a time in which a lot of employees were not working due to a Covid infection.
First of all, the DPA noted that, according to Article 9(1) GDPR, processing personal data concerning health is in principle forbidden. The DPA noted that Article 9(2)(h) GDPR introduces an exception to this prohibition when processing is necessary to provide healthcare. However, [https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2003-07-29&atto.codiceRedazionale=003G0218&atto.articolo.numero=75&atto.articolo.sottoArticolo=1&atto.articolo.sottoArticolo1=0&qId=&tabID=0.6057766027491261&title=lbl.dettaglioAtto Article 75 of the Italian Data Protection Code] sets further conditions with regard to the processing of data concerning health in accordance with Article 9(4) GDPR which gives the member state such an option. These further conditions can be contained in sectorial legislation, such as [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:1990-06-05
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda Unità Sanitaria Locale della Romagna in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
6 June 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€24,000
GDPRhub ID
gdprhub-8173
About this data
Cite as: Cookie Fines. Azienda Unità Sanitaria Locale della Romagna - Italy (2024). Retrieved from cookiefines.eu