Comune di Nepi – €20,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Italian municipality of Nepi was fined for keeping a list of unsuccessful job applicants online longer than allowed. This case highlights the importance of data retention policies.
What happened
The Comune di Nepi published a list of job applicants that included personal information beyond the legally allowed time frame.
Who was affected
Individuals whose names were published online after they were no longer relevant to the job application process.
What the authority found
The Italian Data Protection Authority found that the municipality violated GDPR by failing to remove personal data after the retention period expired.
Why this matters
This case emphasizes the need for organizations to have clear data retention policies to ensure compliance with privacy laws and protect individuals' rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
In 2015 the controller, a municipality, organised a public selection procedure to hire public servants. The data subject participated in this competition. The controller published on its website a list of candidates, both the ones whose application was successful and also the ones whose application was unsuccessful. The data subject, whose application was unsuccessful, asked the controller to remove her name from the website. The controller pointed out that its website is managed by an external company and that it had contact this company to have the name removed. Moreover, it argued that it had a legal obligation to publish this data, since [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2013-03-14;33~art19 Article 19(1) of the law governing access to information kept by the public administration] (d.lgs. 33/2013) foresees that the final rankings of this type of competition must be published online. However, [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2013-03-14;33~art8 Article 8(3) of the same law] sets a time limit of 5 years after the publication. After this time, the document should be removed from the website. On this point, the controller pointed out that it remained published even after this time limit because, in the meantime, it had changed the company providing the website management services. First, the DPA pointed out that the controller, a public administration, can normally process personal data if it can rely on the legal basis provided for by Article 6(1)(c) and (e) GDPR. The DPA noted that, on the one hand, it is true that national law sets an obligation to publish the rankings of a competition. On the other hand, this obligation concerns only the final ranking, i.e. the ranking containing the names of the hired applicants. Therefore, the controller was not obliged to publish this sort of ranking including also the unsuccessful applicants. In the case at hand, the controller published the n
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Comune di Nepi in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
20 June 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-8174About this data
Cite as: Cookie Fines. Comune di Nepi - Italy (2024). Retrieved from cookiefines.eu
Last updated: