dott. Giuseppe Rubino – €20,000 Fine (Italy, 2024)

The data subject, a patient, filed a complaint against her plastic surgeon, the controller. The controller published, without authorisation, photographs depicting her during an aesthetic surgery on Instagram. The images showed her recognizable face before (wearing a surgical cap) and after the procedure, with controller's logo displayed on his personal page. The data subject stated that she had not given any consent for the sharing of the photographs, which had been taken for internal use only. Informed by a friend about the publication, she took legal action to request the removal of the images and compensation for damages. In the context of this separate civil procedure, the controller explained that he requested the removal of all patient images from his social media profiles years earlier. He further clarified that the issue arose because the patient had signed consent forms with another colleague at the clinic, without specific authorization for the publication of the images. Although he did not admit any wrongdoing, the doctor resolved the separate legal through a settlement agreement, providing financial compensation. The DPA considered the violation committed by the controller to be of a high level of severity, given the particularly sensitive nature of the personal data involved (images of the face following an aesthetic procedure) and the processing carried out (unauthorized sharing). In light of these circumstances and in application of the principles of effectiveness, proportionality, and deterrence, the DPA imposed a financial penalty of €20,000 for violations of Articles 5 and 9 GDPR, as well as [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2003-06-30;196~art2septies Article 2-septies, paragraph 8, of the Privacy Code].