Cooperativa Quadrifoglio s.c. Onlus – €20,000 Fine (Italy, 2025)
Cooperativa Quadrifoglio was fined for mistakenly sending sensitive information about students in an email. This breach of privacy is significant because it involved personal health information, and it reminds organizations to be careful with data handling. Small businesses should ensure they protect sensitive information when communicating.
What happened
Cooperativa Quadrifoglio accidentally sent an email containing sensitive information about students.
Who was affected
Students who received support services from Cooperativa Quadrifoglio were affected by the data breach.
What the authority found
The Italian Data Protection Authority fined Cooperativa Quadrifoglio for failing to protect sensitive personal data.
Why this matters
This incident highlights the importance of data security and careful communication. Organizations must implement strict protocols to safeguard sensitive information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Cooperativa Quadrifoglio (the processor) was a social enterprise with a staff of about 3,000 people. The processor provided support and educational services to special need students (the data subjects) as a subcontractor of the municipality of Bologna (the controller). In order for the provider to provide its services, the controller shared information about the data subjects with the processor. The processor was unable to provide some of its services for one day due to a worker strike. The processor emailed the controller about the interruption of certain services. In turn, the controller forwarded the communication to numberous staff members and to 53 families of children who attended two schools within the municipalitySome of the information about the breach is not mentioned in the decision but can be found in the DPA's decision against the controller over the same breach, which includes a more exhaustive explanation of the facts. See [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10146543 Garante per la protezione dei dati personali, provv. 1014654]3.. Due to a human error, the processor attached unnecessary documents to the email, including a list of 61 data subjects who relied on the controller’s services. The list was not pseudonymized and included the data subjects' name and other information, such as detailed information about their health status and the accomodations they needed in school. The controller did not notice the attachment and forwarded it to the families along with the email. The DPA received a complaint related to the incident. Aside from the procedure with the DPA, the processor agreed to cover €2,000 in damages in favor of a data subjects' family, following an amicable settlement between the family and the controller. The DPA held that the documents contained sensitive data from the data subjects. Furthermore, the DPA held that including the data in the documentation was unnecessary for informing the controll
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Cooperativa Quadrifoglio s.c. Onlus in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
29 April 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-9428About this data
Cite as: Cookie Fines. Cooperativa Quadrifoglio s.c. Onlus - Italy (2025). Retrieved from cookiefines.eu
Last updated: