Data Subjects versus Comune di San Francesco al Campo (Municipality of San Francesco al Campo) – €1,200 Fine (Italy, 2025)
The Municipality of San Francesco al Campo published a document online that included personal details of ten individuals without properly redacting the information. This breach of privacy matters because it shows that even public entities must protect personal data and respect individuals' rights.
What happened
The Municipality published personal data of individuals involved in a legal case on its website without proper redaction.
Who was affected
Ten individuals whose personal details, including social security numbers, were improperly published online.
What the authority found
The authority ruled that the Municipality had no legal basis for publishing the personal data, violating GDPR's requirements for transparency and lawfulness.
Why this matters
This case highlights the importance of data protection for public entities. It serves as a reminder for all organizations to ensure that personal information is handled carefully and legally.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The Municipality of San Francesco al Campo (the controller) published a city council resolution on its institutional website. The resolution concerned the controller's legal defence in an ongoing case before the administrative court. The resolution included five attachments. Due to improper redaction, some of these attachments included the personal details and social security numbers of ten individuals (the data subjects) who brought the legal action against the controller. The resolution was available on two different pages of the controller's website: the official notice board ("albo pretorio") and the "administrative transparency" page. The data subjects reached out to the controller and requested the removal of their data from its website. In response, the controller removed the data from the notice board but not from the "transparency" page. Following this partial removal, the data subjects filed a complaint. The controller removed the remaining data after the complaint was filed. In their complaint the data subjects claimed that the controller had no legal basis to publish personal data. The controller, on the other hand, claimed that it was under a legal obligation to publish the data in its "transparency" pageSpecifically, the controller referred to d. lgs. 267/2000 and 33/2013 as the sources of the (alleged) legal obligation to process data. (but conceded that it erroneously published personal data on the notice board). The DPA held that the controller had no legal basis for publishing the data both on the notice board and the "transparency" page of its website. Overall, the DPA found the following violations: * the controller violated Articles 5(1)(a), 6(1)(c)(e), 6(2), and 6(3) GDPR, as well as 2-ter (1) and (2) d. lgs. 196/2003 by unlawfully processing personal data; * the controller violated Article 5(1)(c) by failing to ensure the minimisation of personal data; * finally, and with regards to the publication of personal data on the notice board specif
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Data Subjects versus Comune di San Francesco al Campo (Municipality of San Francesco al Campo) in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
29 April 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€1,200
GDPRhub ID
gdprhub-9430About this data
Cite as: Cookie Fines. Data Subjects versus Comune di San Francesco al Campo (Municipality of San Francesco al Campo) - Italy (2025). Retrieved from cookiefines.eu
Last updated: