Azienda sanitaria unica regionale Marche – €14,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Italy's data protection authority fined the Marche Regional Health Authority €14,000 for not securing Covid-19 test data properly. The health department's app used a predictable system for generating QR codes, risking unauthorized access to personal data. This case highlights the need for strong data security measures in health apps.
What happened
The Marche Regional Health Authority used an app that generated predictable QR codes, risking unauthorized access to personal data.
Who was affected
Individuals who were tested for Covid-19 and had their data stored in the health department's app.
What the authority found
The Italian authority found the health department did not use adequate security measures to protect personal data, violating GDPR's security requirements.
Why this matters
This decision emphasizes the importance of using secure methods for handling sensitive health data. Organizations should ensure their systems cannot be easily exploited to access personal information.
GDPR Articles Cited
The Italian DPA has imposed a fine of EUR 14,000 on Azienda sanitaria unica regionale Marche. The DPA launched an investigation against the health department following media reports of deficiencies in the system used to collect and manage Covid-19 screening data. The health department used an app that generated QR codes for people who were tested for Covid-19. The QR codes were generated according to a progressive criterion rather than at random, so each person was effectively assigned a number in a sequence. As a result, an unauthorized person could have changed a single digit and gained access to another person's profile, and thus to that person's personal data. The DPA found that the health authority failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects.
Details
Fine Date: 13 January 2022
Authority: Garante per la protezione dei dati personali
Fine Amount: €14,000
Enforcement Tracker ID: ETid-1068
About this data
Cite as: Cookie Fines. Azienda sanitaria unica regionale Marche - Italy (2022). Retrieved from cookiefines.eu