Comune di Villasimius – €4,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Comune di Villasimius was fined 4,000 euros for not responding to a request from a job candidate to erase their personal data. The municipality published sensitive information on its website without proper consent. This case highlights the need for public authorities to handle personal data requests responsibly.
What happened
The municipality failed to erase personal data from its website after a candidate requested it.
Who was affected
A job candidate whose personal data was published online by the municipality was affected.
What the authority found
The authority ruled that the municipality did not comply with GDPR rules regarding data erasure requests.
Why this matters
This case shows that even public entities must adhere to data protection laws. Other organizations should ensure they have clear procedures for handling data erasure requests.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The controller, a municipality, organised a public selection procedure to hire the head of one of its units. The data subject took part in this procedure and shared personal data with the controller, such as her CV, her birth date and her graduation mark. The controller published on its website the minutes of the board meeting evaluating the candidates. This document contained the above-mentioned personal data. The data subject requested the controller to erase her personal data. However, the controller did not reply. Therefore, the data subject filed a complaint with the DPA.
The controller pointed out that after the DPA's notice it removed the document from the website. Moreover, it noted that the data subject sent the erasure request not to the DPO email address, but to the personal email of the general secretary of the municipality at a time when that role was vacant. Finally, the controller argued that it published the document in order to comply with its transparency obligations.
First of all, the DPA pointed out that a public authority may only process personal data under Article 6(1)(c) or 6(1)(e) GDPR. In the case at hand, the controller argued that it was under a legal obligation to publish the evaluation of the data subject in order to comply with the transparency obligations set by national administrative law. However, the DPA noted that, while a previous version of the applicable law prescribed the publication of the document at hand, the one in force at the moment of the violation (e.g. Article 19(1) d.lgs. 33/2013, https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2013-03-14;33~art19) sets an obligation to publish only the final ranking, i.e. only the name of the person who was successfully selected. Therefore, the DPA found a violation of Articles 5(1)(a) and 6 GDPR.
Finally, the DPA noted that the controller did not answer the data subject's erasure request in a timely manner and did so only when the DPA initiated the proceeding. Ther
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Comune di Villasimius in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 July 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€4,000
GDPRhub ID
gdprhub-8265
Cite as: Cookie Fines. Comune di Villasimius - Italy (2024). Retrieved from cookiefines.eu