GPDP – Court Ruling (Italy, 2025)
A court in Italy ruled that a health authority's processing of sensitive Covid-related data was lawful, overturning a previous fine. This decision is significant because it clarifies that certain health data processing can be justified under specific circumstances. Health organizations should understand the legal grounds for processing sensitive data to avoid penalties.
What happened
The court found that the health authority's processing of Covid-related health data was lawful and did not require a Data Protection Impact Assessment (DPIA).
Who was affected
Residents of Friuli Venezia Giulia, particularly vulnerable populations like the elderly, were affected by the health authority's data processing.
What the authority found
The court held that the health authority acted within the law, countering the data protection authority's earlier ruling that deemed the processing unlawful.
Why this matters
This ruling sets a precedent for how health data can be processed during emergencies, emphasizing the need for clear legal justifications.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller for the case is Azienda Sanitaria Friuli Centrale (ASUFC), a local health authority. In 2020 the local government of Friuli Venezia Giulia issued a resolution that required the controller to carry out a large-scale analysis of Covid-related health risks for the resident population of the region of Friuli (the data subjects). During this analysis, individuals from vulnerable populations (such as the elderly) were assigned a score representing their vulnerability to covid. The results were disclosed to medical practitioners for the purpose of preventive intervention- especially with regards to vaccination priority. The processing was based on health data, including information in the data subjects’ electronic health file. The local government gave precise instructions to the health authority, including the instruction to appoint specific processors. The DPA investigated the processing and held that it was unlawful. Additionally, the DPA held that the controller violated its transparency obligations and failed to carry out a DPIA. On these grounds, the DPA fined the controller €50,000. The decision was later annulled by the civil courtCivil courts are competent to review the DPA’s decisions (see Art. 152 d. lgs. 196/2003). This is an exception to the general rule that administrative decisions are reviewed by administrative courts. (Tribunale di Udine). Contrary to the DPA’s findings, the Court held that the processing was lawful and that a DPIA was not required under the GDPR. The GPDP challenged the civil court’s decision with Italy’s Supreme court (Cassazione). Contrary to the lower court’s findings, the Cassazione held that the controller unlawfully processed sensitive data. In this regard, the Court first noted that Italian law lists different purposes for the processing of health data within the electronic health file. Among those, only the purposes related to individual treatment (i.e.: “prevention, diagnosis, health care, and rehabilitation”) ar
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for GPDP in IT
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
6 March 2025
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-court-9365About this data
Cite as: Cookie Fines. GPDP - Italy (2025). Retrieved from cookiefines.eu
Last updated: