Cooperativa Quadrifoglio s.c. Onlus – €20,000 Fine (Italy, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Cooperativa Quadrifoglio was fined for accidentally sharing sensitive information about children with disabilities in an email. They included personal details without proper security measures. This incident shows how important it is to handle sensitive data carefully to prevent leaks.
What happened
Cooperativa Quadrifoglio mistakenly sent an email with personal information about children, including health details, to unauthorized recipients.
Who was affected
Children with disabilities whose sensitive information was unintentionally shared by Cooperativa Quadrifoglio.
What the authority found
The authority found that Cooperativa Quadrifoglio violated GDPR rules by not ensuring proper data security when handling sensitive information.
Why this matters
This ruling stresses the importance of careful data handling and security measures. Organizations should implement strict protocols to protect sensitive information from accidental exposure.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Cooperativa Quadrifoglio (the processor) was a social enterprise with a staff of about 3,000 people. The processor provided support and educational services to special needs students (the data subjects) as a subcontractor of the municipality of Bologna (the controller). In order for the processor to provide its services, the controller shared information about the data subjects with the processor. The processor was unable to provide some of its services for one day due to a worker strike. The processor emailed the controller about the interruption of certain services. In turn, the controller forwarded the communication to numerous staff members and to 53 families of children who attended two schools within the municipality. (Some of the information about the breach is not mentioned in the decision but can be found in the DPA's decision against the controller over the same breach, which includes a more exhaustive explanation of the facts. See [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10146543 Garante per la protezione dei dati personali, provv. 10146543].) Due to a human error, the processor attached unnecessary documents to the email, including a list of 61 data subjects who relied on the controller’s services. The list was not pseudonymized and included the data subjects' names and other information, such as detailed information about their health status and the accommodations they needed in school. The controller did not notice the attachment and forwarded it to the families along with the email. The DPA received a complaint related to the incident. Aside from the procedure with the DPA, the processor agreed to cover €2,000 in damages in favor of a data subject's family, following an amicable settlement between the family and the controller. The DPA held that the documents contained sensitive data from the data subjects. Furthermore, the DPA held that including the data in the documentation was unnecessary for informing the controll
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Cooperativa Quadrifoglio s.c. Onlus in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
29 April 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-9428
Cite as: Cookie Fines. Cooperativa Quadrifoglio s.c. Onlus - Italy (2025). Retrieved from cookiefines.eu