Physician – €2,000 Fine (Italy, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Italian doctor was fined EUR 2,000 for sharing a patient's personal data with a marketing consultant without consent. The doctor had recommended products during treatment, but the patient's data was then used for marketing, a purpose that required explicit consent. This case emphasizes the need for clear consent when using personal data beyond medical purposes.
What happened
A physician shared a patient's personal data with a marketing consultant without obtaining consent.
Who was affected
A patient whose personal data was shared with a marketing consultant after a doctor's recommendation.
What the authority found
The Italian DPA ruled that the physician unlawfully processed personal data for marketing purposes without explicit consent, violating GDPR.
Why this matters
This ruling highlights the necessity for healthcare providers to obtain explicit consent when using patient data for non-medical purposes. It serves as a reminder to ensure data protection practices align with GDPR requirements.
GDPR Articles Cited
The Italian DPA (Garante) has fined a physician EUR 2,000. A patient had complained to the DPA that the doctor had disclosed his personal data to third parties without authorization. The doctor had recommended medical products to the data subject as part of his treatment. A few days later, the data subject received a call from the marketing consultant behind the recommended products. The data subject pointed out that he had never given his consent to the disclosure of his data. The Garante states that no specific consent is required for the processing of personal data necessary for medical treatment. Here, however, the data was processed for the purpose of product promotion, and therefore explicit consent would have been required under Art. 9 GDPR. The physician thus processed the data unlawfully.
Details
Fine Date: 29 September 2021
Authority: Garante per la protezione dei dati personali
Fine Amount: €2,000
Enforcement Tracker ID: ETid-931
About this data
Cite as: Cookie Fines. Physician - Italy (2021). Retrieved from cookiefines.eu