Azienda Universitaria Friuli Centrale – €55,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Azienda Universitaria Friuli Centrale was fined EUR 55,000 for using patient data to create risk profiles without proper legal permission. They also failed to conduct a necessary privacy impact assessment. This case highlights the importance of having a valid reason to use personal data, especially in healthcare.
What happened
Azienda Universitaria Friuli Centrale used patient data to create risk profiles without a valid legal basis.
Who was affected
Patients whose personal data was used to predict Covid-19 complications without their consent.
What the authority found
The Italian DPA found that the health authority lacked a valid legal basis for processing patient data and failed to conduct a required privacy impact assessment.
Why this matters
This decision emphasizes the need for healthcare providers to ensure they have proper legal grounds for processing personal data. It serves as a reminder that failing to assess privacy risks can lead to significant penalties.
GDPR Articles Cited
The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Centrale. The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients' personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected.
Related Enforcement Actions (0)
No other enforcement actions found for Azienda Universitaria Friuli Centrale in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
15 December 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€55,000
Enforcement Tracker ID
ETid-1607
About this data
Cite as: Cookie Fines. Azienda Universitaria Friuli Centrale - Italy (2022). Retrieved from cookiefines.eu
Last updated: