Data Subjects versus Comune di San Francesco al Campo (Municipality of San Francesco al Campo) – €1,200 Fine (Italy, 2025)

€1,200Garante per la protezione dei dati personali29 April 2025Italy
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Municipality of San Francesco al Campo was fined for improperly publishing personal details of individuals involved in a legal case on its website. They failed to protect the privacy of these individuals by not redacting sensitive information. This case highlights the need for public entities to be cautious when sharing data online.

What happened

The Municipality published personal details, including social security numbers, of individuals in a legal case without proper redaction.

Who was affected

Individuals who were involved in a legal case against the Municipality and had their personal information published online.

What the authority found

The authority ruled that the Municipality had no legal basis for publishing the personal data, violating GDPR rules.

Why this matters

This case serves as a warning for public organizations to ensure that personal data is handled and shared responsibly. Transparency must not come at the cost of individual privacy.

GDPR Articles Cited

AI-verified

Art. 5(1)(a) GDPR
Art. 5(1)(c) GDPR
Art. 6(1)(c) GDPR
Art. 6(1)(e) GDPR
Art. 6(2) GDPR
Art. 6(3) GDPR
View original scraped data
Art. 5(1) GDPR
Art. 6(GDPR)

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

2-ter (1) d. lgs. 196/2003
2-ter (2) d. lgs. 196/2003
Art. 124(1) d. lgs. 267/2000
Source verified 8 April 2026
articles corrected
national law identified
Italy enforcementGarante per la protezione dei dati personali actionsAll Data Subjects versus Comune di San Francesco al Campo (Municipality of San Francesco al Campo) actions
Full Legal Summary
Detailed

The Municipality of San Francesco al Campo (the controller) published a city council resolution on its institutional website. The resolution concerned the controller's legal defence in an ongoing case before the administrative court. The resolution included five attachments. Due to improper redaction, some of these attachments included the personal details and social security numbers of ten individuals (the data subjects) who brought the legal action against the controller. The resolution was available on two different pages of the controller's website: the official notice board ("albo pretorio") and the "administrative transparency" page. The data subjects reached out to the controller and requested the removal of their data from its website. In response, the controller removed the data from the notice board but not from the "transparency" page. Following this partial removal, the data subjects filed a complaint. The controller removed the remaining data after the complaint was filed. In their complaint the data subjects claimed that the controller had no legal basis to publish personal data. The controller, on the other hand, claimed that it was under a legal obligation to publish the data in its "transparency" pageSpecifically, the controller referred to d. lgs. 267/2000 and 33/2013 as the sources of the (alleged) legal obligation to process data. (but conceded that it erroneously published personal data on the notice board). The DPA held that the controller had no legal basis for publishing the data both on the notice board and the "transparency" page of its website. Overall, the DPA found the following violations: * the controller violated Articles 5(1)(a), 6(1)(c)(e), 6(2), and 6(3) GDPR, as well as 2-ter (1) and (2) d. lgs. 196/2003 by unlawfully processing personal data; * the controller violated Article 5(1)(c) by failing to ensure the minimisation of personal data; * finally, and with regards to the publication of personal data on the notice board specif

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Data Subjects versus Comune di San Francesco al Campo (Municipality of San Francesco al Campo) in IT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

CNIL

2019 · Court of Justice of the European Union

Details

Fine Date

29 April 2025

Authority

Garante per la protezione dei dati personali

Fine Amount

€1,200

GDPRhub ID

gdprhub-9430

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Data Subjects versus Comune di San Francesco al Campo (Municipality of San Francesco al Campo) - Italy (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: