Società Molise Dati – €10,000 Fine (Italy, 2024)
Società Molise Dati was fined for allowing unauthorized access to patient records through a system vulnerability. This case underscores the need for strict access controls in health data management.
What happened
A user exploited a vulnerability to access other patients' files in the health records system.
Who was affected
Patients whose sensitive health information was accessed without authorization were affected by this incident.
What the authority found
The Italian authority found that Società Molise Dati did not adequately secure access to personal data, resulting in a fine of €10,000.
Why this matters
This ruling highlights the importance of implementing strong security measures in health information systems. Organizations must ensure that access to sensitive data is tightly controlled to protect patient privacy.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The Region of Molise (the data controller) used an information system to handle electronic health records. In order to develop and operate the system, the controller relied on a number of processors and sub-processors, including Società Molise Dati S.p.a. (the processor), a company entirely owned by the controller. In turn, the processor itself relied on several sub-processors, including Engineering Ingegneria Informatica S.p.a. (the sub-processor). Data processing agreements were in place between controllers, processors, and sub-processors. These agreements provided for certain security measures. In particular, the agreement between the controller and the processor provided for the limitation of account privileges on a need-to-know basis.

A user logged into the records system with his patient-level account. He was then able to access files of other patients by changing the URL of the page. He accessed personal data such as personal details and addresses as well as medical records and other sensitive, health-related data. The user informed the controller of the vulnerability. With the assistance of the processor and sub-processor, the controller limited access privileges for patient-level accounts. Additionally, the software was assessed for similar vulnerabilities. The controller notified the Italian authority of the data breach. Based on system logs, the controller claimed that the data of seven people were accessed without authorization.

The authority held that the processor violated Article 32 GDPR by failing to implement appropriate security measures. The authority fined the controller €10,000. The authority clarified that data controllers and processors are responsible for the security of the processing of personal data even when sub-processors are involved. The authority referenced EDPB Guidelines in this regard: EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), paragraphs 129 and 159 (avail
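As an added illustration (not code from this page, from the Molise records system, or from the authority's decision) of the access-control failure the summary describes and of the fix the controller applied, the Python below contrasts a lookup that trusts a record identifier taken from the URL with one that checks the caller's identity against the record's owner, scopes patient queries to the caller's own data, and writes an audit line for every decision so that cross-patient reads can be scoped from logs afterwards. The in-memory record store, the session object, the function names and the log format are all invented for the example, and the sample records and log lines are constructed.

```python
# Added example: object-level authorization for a patient-records lookup.
# Assumption: a toy in-memory store and session stand in for the real
# database and login; all names and data here are invented for illustration.
from dataclasses import dataclass

# Constructed sample records keyed by record id (no real patient data).
RECORDS = {
    101: {"patient_id": 7, "name": "Patient A", "address": "Via X 1", "notes": "allergy: penicillin"},
    102: {"patient_id": 8, "name": "Patient B", "address": "Via Y 2", "notes": "fracture, 2023"},
    103: {"patient_id": 9, "name": "Patient C", "address": "Via Z 3", "notes": "routine check"},
}


@dataclass(frozen=True)
class Session:
    user_id: int  # the authenticated account's own patient id
    role: str     # "patient" or "clinician"


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


AUDIT_LOG: list[str] = []


def get_record_vulnerable(session: Session, record_id: int) -> dict:
    """Flawed handler: the record id from the URL is the only input considered,
    so any logged-in patient can read any record by editing that number."""
    return RECORDS[record_id]


def get_record(session: Session, record_id: int) -> dict:
    """Hardened handler: compare the caller's identity with the record's owner
    before returning anything, and log the decision either way."""
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    if session.role == "patient" and record["patient_id"] != session.user_id:
        AUDIT_LOG.append(f"DENY user={session.user_id} role={session.role} "
                         f"record={record_id} owner={record['patient_id']}")
        raise Forbidden(record_id)
    AUDIT_LOG.append(f"ALLOW user={session.user_id} role={session.role} "
                     f"record={record_id} owner={record['patient_id']}")
    return record


def is_denied(session: Session, record_id: int) -> bool:
    """Convenience wrapper: True when the hardened handler refuses the read."""
    try:
        get_record(session, record_id)
    except Forbidden:
        return True
    return False


def my_records(session: Session) -> list[dict]:
    """Stronger pattern for patient accounts: scope the query by the session's
    own identity instead of accepting a record id from the client at all."""
    return [r for r in RECORDS.values() if r["patient_id"] == session.user_id]


def subjects_accessed_by_others(log_lines: list[str]) -> set[int]:
    """Breach scoping from an access log in the format written above: return
    the owners whose records were read by a patient account other than theirs."""
    affected: set[int] = set()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if line.startswith("ALLOW") and fields.get("role") == "patient" \
                and fields["user"] != fields["owner"]:
            affected.add(int(fields["owner"]))
    return affected


# Constructed log lines as the flawed handler would have produced them:
# patient 7 read two other patients' records before the fix.
LEGACY_LOG = [
    "ALLOW user=7 role=patient record=101 owner=7",
    "ALLOW user=7 role=patient record=102 owner=8",
    "ALLOW user=7 role=patient record=103 owner=9",
    "ALLOW user=1 role=clinician record=102 owner=8",
]

if __name__ == "__main__":
    patient = Session(user_id=7, role="patient")
    print("vulnerable read of record 102:", get_record_vulnerable(patient, 102)["name"])
    print("hardened read of record 102 denied:", is_denied(patient, 102))
    print("own records:", [r["name"] for r in my_records(patient)])
    print("subjects affected per legacy log:", sorted(subjects_accessed_by_others(LEGACY_LOG)))
```

The `my_records` form is the one that actually implements "limiting privileges for patient-level accounts": when the server never accepts a record identifier from a patient, there is no identifier to tamper with. The per-decision audit line is what makes the later scoping question ("whose data was read?") answerable from logs, as the controller did here.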
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Società Molise Dati in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
27 November 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€10,000
GDPRhub ID
gdprhub-8897
Cite as: Cookie Fines. Società Molise Dati - Italy (2024). Retrieved from cookiefines.eu