GPDP – Court Ruling (Italy, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Italy ruled that a local health authority's processing of health data during a Covid-related analysis was lawful, overturning a previous fine. This decision is crucial because it clarifies the legal grounds for processing sensitive health data in emergencies. Organizations should understand the legal requirements for handling such data.
What happened
The court held that the local health authority's processing of health data for Covid risk analysis was lawful and did not require a Data Protection Impact Assessment (DPIA).
Who was affected
Individuals from vulnerable populations in the Friuli Venezia Giulia region whose health data was analyzed for Covid risk.
What the authority found
The court found that the local health authority acted lawfully in processing health data, contrary to the DPA's earlier findings.
Why this matters
This ruling sets a precedent for how health data can be processed during emergencies. Organizations should be aware of their legal obligations when handling sensitive data.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The controller for the case is Azienda Sanitaria Friuli Centrale (ASUFC), a local health authority. In 2020 the local government of Friuli Venezia Giulia issued a resolution that required the controller to carry out a large-scale analysis of Covid-related health risks for the resident population of the region of Friuli (the data subjects). During this analysis, individuals from vulnerable populations (such as the elderly) were assigned a score representing their vulnerability to Covid. The results were disclosed to medical practitioners for the purpose of preventive intervention, especially with regard to vaccination priority. The processing was based on health data, including information in the data subjects’ electronic health file. The local government gave precise instructions to the health authority, including the instruction to appoint specific processors.

The DPA investigated the processing and held that it was unlawful. Additionally, the DPA held that the controller violated its transparency obligations and failed to carry out a DPIA. On these grounds, the DPA fined the controller €50,000.

The decision was later annulled by the civil court (Tribunale di Udine). Civil courts are competent to review the DPA’s decisions (see Art. 152 d. lgs. 196/2003); this is an exception to the general rule that administrative decisions are reviewed by administrative courts. Contrary to the DPA’s findings, the Court held that the processing was lawful and that a DPIA was not required under the GDPR.

The GPDP challenged the civil court’s decision before Italy’s Supreme Court (Cassazione). Contrary to the lower court’s findings, the Cassazione held that the controller unlawfully processed sensitive data. In this regard, the Court first noted that Italian law lists different purposes for the processing of health data within the electronic health file. Among those, only the purposes related to individual treatment (i.e.: “prevention, diagnosis, health care, and rehabilitation”) ar
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Details
Ruling Date
6 March 2025
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-court-9365
Cite as: Cookie Fines. GPDP - Italy (2025). Retrieved from cookiefines.eu