Comune di Brescia – €10,000 Fine (Italy, 2024)

The DPA started an ex officio investigation, after a large journalist investigation was published, against a municipality, the controller. The investigation concerned the practice of the municipal cemetery of burying “fetuses” and “stillborn children”. Each of the tombstones contains the same first name (which is a name traditionally assigned to stillborn children in Italian Catholic tradition), and different surnames, which correspond to the surname of the data subjects, who are the women who interrupted their pregnancy and the men who these women conceived the fetus with. The DPA found that, in the vast majority of cases, these data subjects did not know about the burial site and of the use of their surnames. Additionally, the preliminary investigation of the DPA revealed that, in the online portal of the cemetery, it was possible to find the precise location of each tombstone by typing in the name and surname thereon written. The data available through this online research was name, surname, date of birth and death, as well as the specification of their status of “fetuses” or “stillborn child”. Applicability of the GDPR and Violation of Article 6 GDPR and Article 9 GDPR The DPA starts by considering that, in respect to the burial of fetuses, Article 7 of the Mortuary Police Regulation differentiates three different cases: * “stillborn children”, who must be buried; * “products of interrupted pregnancies”, aged 20-28 weeks, who must be buried either at their parents’ request, or the health facility’s request; * “products of conception”, aged less than 20 weeks, who can be buried only at their parents’ request. The DPA considered that the subject of the investigation concerned the personal data disclosures that related to the products of interrupted pregnancies and products of conception, for which the relatives did not request burial nor indicated to put their data on the gravestone. The DPA found that the indication of the data subjects’ surnames, together w