Azienda Unità Sanitaria Locale della Romagna – €24,000 Fine (Italy, 2024)
A health authority in Italy was fined for sharing a person's HIV status with their employer without permission. This matters because it shows that sharing sensitive health information must be done carefully and with consent.
What happened
Azienda Unità Sanitaria Locale della Romagna shared a person's health information with their employer without consent.
Who was affected
The person whose HIV status was disclosed and their family members were affected.
What the authority found
The Italian data protection authority found that the health authority violated rules by disclosing sensitive health data without a valid legal basis.
Why this matters
This case underscores the importance of protecting sensitive health information. Organizations must ensure they have explicit consent before sharing such data.
GDPR Articles Cited
National Law Articles
The data subject submitted an application to the local health authority in order to acquire the status of a disabled person as she is HIV positive. After acquiring this status, according to Italian national law, a family member of the person is entitled to take some days off from their job to take care of the disabled person. Therefore, the son-in-law of the data subject, who worked for the Ministry of Justice in a jail, applied for these days off to his employer. After that, the employer directly contacted the health authority (controller) in order to confirm that the data subject had obtained the status of a disabled person. The controller sent the Ministry of Justice the whole certificate regarding the disabled status of the data subject, including the part containing the HIV-diagnosis.
The data subject filed a complaint with the DPA, arguing that transferring the whole certificate to her son-in-law’s employer was unlawful. The controller argued that this transfer happened due to human error during a time in which a lot of employees were not working due to a Covid infection.
First of all, the DPA noted that, according to Article 9(1) GDPR, processing personal data concerning health is in principle forbidden. The DPA noted that Article 9(2)(h) GDPR introduces an exception to this prohibition when processing is necessary to provide healthcare. However, [https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2003-07-29&atto.codiceRedazionale=003G0218&atto.articolo.numero=75&atto.articolo.sottoArticolo=1&atto.articolo.sottoArticolo1=0&qId=&tabID=0.6057766027491261&title=lbl.dettaglioAtto Article 75 of the Italian Data Protection Code] sets further conditions with regard to the processing of data concerning health in accordance with Article 9(4) GDPR which gives the member state such an option. These further conditions can be contained in sectorial legislation, such as [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:1990-06-05
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda Unità Sanitaria Locale della Romagna in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
6 June 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€24,000
GDPRhub ID
gdprhub-8173
Cite as: Cookie Fines. Azienda Unità Sanitaria Locale della Romagna - Italy (2024). Retrieved from cookiefines.eu