INPS – Istituto nazionale previdenza sociale – €40,000 Fine (Italy, 2026)

€40,000 | Garante per la protezione dei dati personali | 12 March 2026 | Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

INPS allowed people to fill out forms online but accidentally let them see other people's private information, including sensitive data. This mistake affected over 47,000 individuals, including minors, and highlights the importance of protecting personal data. Companies must ensure strong security measures are in place to prevent such breaches.

What happened

INPS allowed citizens to access an online service that unintentionally exposed personal data of others due to poor security measures.

Who was affected

Individuals who used the online form service, including 1,526 minors whose data was exposed.

What the authority found

The Italian data protection authority ruled that INPS failed to implement adequate security measures, violating GDPR's requirements for data protection.

Why this matters

This case emphasizes the need for organizations to prioritize data security and implement proper safeguards. It serves as a warning that failure to protect personal information can lead to significant consequences.

GDPR Articles Cited

AI-verified

Art. 9 GDPR
Art. 10 GDPR
Art. 25 GDPR
Art. 5(1)(a) GDPR
Art. 5(1)(f) GDPR
Art. 6(1)(e) GDPR

Original data from scraper before AI verification against source document:

Art. 5(1) a), f) GDPR
Art. 6(1) e), (3) GDPR
Art. 9 GDPR
Art. 10 GDPR
Art. 25 GDPR

National Law Articles

AI-identified

Art. 122 Codice Privacy
Source verified 19 May 2026 (articles corrected, national law identified)

Full Legal Summary

Detailed

The Italian DPA has imposed a fine of EUR 40,000 on INPS – Istituto nazionale previdenza sociale. The controller allowed citizens to submit forms online and offered a service that populated the forms with data from the national ANPR database. However, the controller failed to implement adequate technical and organisational measures, resulting in data subjects gaining access not only to their own relevant data, but also to the data of other individuals, including special category data and data relating to criminal records. This failure resulted in a data breach affecting 47,464 individuals, 1,526 of whom were minors. Additionally, the online service was not intended for use by minors, but they were able to access it.

Related Enforcement Actions (0)

No other enforcement actions found for INPS – Istituto nazionale previdenza sociale in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

12 March 2026

Authority

Garante per la protezione dei dati personali

Fine Amount

€40,000

Enforcement Tracker ID

ETid-3153

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. INPS – Istituto nazionale previdenza sociale - Italy (2026). Retrieved from cookiefines.eu
