Società Molise Dati – €10,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Società Molise Dati was fined for not protecting sensitive health data properly. A user accessed other patients' medical records due to a security flaw. This case highlights the importance of strong data protection measures for companies handling personal health information.
What happened
Società Molise Dati failed to secure electronic health records, allowing unauthorized access to sensitive patient data.
Who was affected
Patients whose medical records were accessed without permission by a user with a patient-level account.
What the authority found
The authority found that Società Molise Dati did not implement adequate security measures to protect personal data, violating GDPR's security requirements.
Why this matters
This ruling emphasizes the need for companies to ensure robust security practices when handling sensitive data. Businesses should regularly review their data protection protocols to prevent unauthorized access.
GDPR Articles Cited
Original scraped data (from the scraper, before verification against the source document)
The Region of Molise (the data controller) used an information system to handle electronic health records. In order to develop and operate the system, the controller relied on a number of processors and sub-processors, including Società Molise Dati S.p.a. (the processor), a company entirely owned by the controller. In turn, the processor itself relied on several sub-processors, including Engineering Ingegneria Informatica S.p.a. (the sub-processor). Data processing agreements were in place between controllers, processors, and sub-processors. These agreements provided for certain security measures. In particular, the agreement between the controller and the processor provided for the limitation of account privileges on a need-to-know basis.

A user logged into the records system with his patient-level account. He was then able to access files of other patients by changing the URL of the page. He accessed personal data such as personal details and addresses as well as medical records and other sensitive, health-related data. The user informed the controller of the vulnerability. With the assistance of the processor and sub-processor, the controller limited access privileges for patient-level accounts. Additionally, the software was assessed for similar vulnerabilities. The controller notified the Italian authority of the data breach. Based on system logs, the controller claimed that the data of seven people were accessed without authorization.

The authority held that the processor violated Article 32 GDPR by failing to implement appropriate security measures. The authority fined the controller €10,000. The authority clarified that data controllers and processors are responsible for the security of the processing of personal data even when sub-processors are involved. The authority referenced EDPB Guidelines in this regard: EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), paragraphs 129 and 159 (avail
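The flaw described above (a patient-level account reading other patients' records by editing the record identifier in the URL) is a missing object-level authorization check. The following is an added illustration, not code from the page or from the Molise records system: it shows the broken pattern next to a hardened lookup that derives what the caller may see from the server-side session and denies by default, and logs denied attempts so that a breach can be scoped from logs as the controller did here. All roles, identifiers and records are constructed for the example.

```python
"""Object-level authorization for a health-record lookup (added example).

Constructed data and names; not the page's or the project's code.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    role: str                              # "patient" or "clinician"
    assigned: frozenset = frozenset()      # patient IDs a clinician treats


# Constructed sample store: record_id -> (owning patient id, content)
RECORDS = {
    "rec-1001": ("pat-1", "patient 1 clinical notes"),
    "rec-1002": ("pat-2", "patient 2 clinical notes"),
}

AUDIT: list = []   # (user_id, record_id) of every denied attempt


def vulnerable_get_record(session, record_id):
    """The breach pattern: only authentication is checked, so any logged-in
    account can read any record whose ID it puts in the URL."""
    if session is None:
        raise PermissionError("not authenticated")
    return RECORDS[record_id][1]


def is_authorized(session, owner):
    """Access is resolved from the session, never from request parameters."""
    if session.role == "patient":
        return session.user_id == owner
    if session.role == "clinician":
        return owner in session.assigned
    return False   # unknown role: deny by default


def get_record(session, record_id):
    """Hardened lookup: unknown IDs and unauthorized IDs yield the same
    error, so record identifiers cannot be enumerated by response."""
    entry = RECORDS.get(record_id)
    if entry is None or not is_authorized(session, entry[0]):
        AUDIT.append((session.user_id, record_id))
        raise PermissionError("record not found or access denied")
    return entry[1]


def access_denied(session, record_id):
    """True if the hardened lookup refuses this session/record pair."""
    try:
        get_record(session, record_id)
    except PermissionError:
        return True
    return False
```

The AUDIT list stands in for an application log; in a real deployment the denied (user, record) pairs are what lets an operator count affected data subjects after an incident.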
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Società Molise Dati in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
27 November 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€10,000
GDPRhub ID
gdprhub-8897
Cite as: Cookie Fines. Società Molise Dati - Italy (2024). Retrieved from cookiefines.eu