Azienda ospedaliera di Perugia – €40,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Azienda ospedaliera di Perugia was fined EUR 40,000 for mishandling personal data in its whistleblowing system. The hospital had not informed employees about the processing and had not assessed the risks involved. The case shows the importance of transparency and risk assessment in data processing.
What happened
Azienda ospedaliera di Perugia ran a whistleblowing web application through systems that were not properly configured, so that users' browsing data could be recorded and stored, making it possible to identify potential whistleblowers. Employees had not been informed of this processing in advance, and no risk assessment had been carried out for the system.
Who was affected
Employees of Azienda ospedaliera di Perugia using the whistleblower system.
What the authority found
The Italian DPA found that the healthcare facility had not informed employees in advance about the processing of their data, had not conducted a data protection impact assessment, and had not recorded the processing in its register of processing activities.
Why this matters
A whistleblowing system only works if the reporter cannot be identified; when the systems through which the portal is reached log who accessed it, that protection is lost. This case emphasizes that organizations must be transparent with employees about how their data is used, must assess the risks before deploying such a system, and must configure the surrounding infrastructure so that it does not retain identifying access data.
GDPR Articles Cited
The Italian DPA (Garante) fined Azienda ospedaliera di Perugia EUR 40,000. During an inspection at the healthcare facility, the DPA found multiple GDPR violations. The inspection took place as part of a series of investigations into the processing of personal data in employers' whistleblowing systems. The healthcare facility used a whistleblowing web application based on open source software. However, the application was accessed through systems that were not properly configured, which made it possible to record and store users' browsing data and thus to identify those users, who were potential whistleblowers. The health facility had not informed employees in advance about this processing of their personal data. In addition, the DPA found that the facility had not conducted a data protection impact assessment and had not recorded the processing in its register of processing activities, so no adequate assessment of the risks to the rights and freedoms of the data subjects had been carried out.
Related Enforcement Actions (0)
No other enforcement actions found for Azienda ospedaliera di Perugia in Italy.
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
7 April 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€40,000
Enforcement Tracker ID
ETid-1159
About this data
Cite as: Cookie Fines. Azienda ospedaliera di Perugia - Italy (2022). Retrieved from cookiefines.eu