Dr. Montemurro – €5,000 Fine (Italy, 2026)

A patient (a data subject) filed a complaint with the Italian DPA after photographs of her rhinoseptoplasty procedure were published on a social media platform on the public profile of the doctor (the controller). The controller argued that the data subject had signed a consent form allowing use of images for scientific and educational purposes with a guarantee of anonymity, that the images were anonymized without name and with partial facial obscuring) and that the purpose was medical-scientific dissemination, not commercial. Also, after the complaint, the controller removed the images. The Italian Data Protection Authority (DPA) held that the controller unlawfully processed the data subject’s health data by publishing photos that were not effectively anonymized, in violation of Articles 5(1)(a), (b), and (c) GDPR and Article 9 GDPR. The consent obtained was invalid because it was based on the mistaken belief that the images were anonymous, and no specific consent was given for the dissemination of identifiable health data. The DPA emphasized that for scientific or educational publication, either full anonymization is required, or if anonymization is not possible, a specific, informed consent with pseudonymization must be obtained. The DPA imposed a €5,000 fine, ordered revision of consent forms and privacy notices, mandated ensuring anonymity (or obtaining proper consent), and clarified that consent for necessary medical treatment is not required.