A municipality – Complaint Upheld (Italy, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A municipality in Italy faced a complaint for unlawfully publishing a councilor's personal data on its website. The councilor argued that the publication was illegal after resigning from office. This case shows that even public entities must follow strict rules about personal data publication.
What happened
A town council published a councilor's personal data on its website without proper legal grounds after his resignation.
Who was affected
The town councilor whose personal data was published was affected.
What the authority found
The Italian Data Protection Authority ruled that the municipality unlawfully published the councilor's data, violating GDPR's requirements.
Why this matters
This case highlights the need for all organizations, including public entities, to understand and comply with data protection laws when handling personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
A town council published personal data of a town councilor (the data subject) on its website. The data included the data subject’s CV and a declaration that no causes of incompatibility prevented his election as councilor. After resigning from office, the data subject filed a complaint, claiming that the publication of his personal data on the municipality’s website was illegal. The municipality was considered to be the controller for the purpose of the complaint. In its defense, the controller claimed that the publication of the data was lawful under the legal basis of 6(1)(c) GDPR (legal obligation). Specifically, the controller argued that national law (specifically, [https://www.gazzettaufficiale.it/eli/id/2013/04/19/13G00081/sg Article 20 d. lgs. 39/2013]) required it to publish the data subject’s information and to keep it available for three years despite his resignation from office. During the investigation, the DPA incidentally found that the controller had appointed a DPO but had not communicated their contact details to the DPA. The DPO upheld the complaint and issued a warning. = The DPA clarified that the provisions invoked by the controller, only required the publication of information about administrative officers, not political officers. In this regard, the DPA referred to the guidance from Italy’s anti-corruption authority. On these grounds, the DPA held that the controller unlawfully published the subject’s data. The DPA considered this a violation of Articles Article 5 GDPR and Article 6 GDPR, Article 2-ter of Italy’s data protection code, and two provisions of Italian administrative law (Articles 7-bis and 14 d. lgs. 33/2013). Additionally, the DPA found that the controller violated the principle of data minimisation (5(1)(c) GDPR) by processing data that were not necessary for the purpose of administrative transparency. = The DPA held that the controller violated Article 37(7) GDPR by failing to communicate the contact details of its DPO. Th
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for A municipality in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
23 June 2025
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-9478About this data
Cite as: Cookie Fines. A municipality - Italy (2025). Retrieved from cookiefines.eu
Last updated: