Veneto region – €100,000 Fine (Italy, 2022)

€100,000Garante per la protezione dei dati personali6 October 2022Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Veneto Region was fined EUR 100,000 for improperly sharing lists of unvaccinated employees with healthcare facilities. The Italian data authority found this sharing lacked a legal basis. This case underscores the importance of having a valid legal basis before sharing personal data.

What happened

The Veneto Region shared lists of unvaccinated employees with healthcare facilities without a valid legal basis.

Who was affected

Medical and nursing staff in the Veneto Region whose vaccination status was shared without proper authorization.

What the authority found

The authority ruled that the Region lacked a legal basis for disclosing employee vaccination status to healthcare facilities.

Why this matters

This decision highlights the need for public authorities to ensure they have a legal basis for sharing personal data, especially sensitive health information. Organizations should carefully assess their data sharing practices to comply with privacy laws.

GDPR Articles Cited

Art. 2-ter Codice della privacy GDPR
Art. 5 GDPR
Art. 6 GDPR
Italy enforcementGarante per la protezione dei dati personali actionsAll Veneto region actions
Full Legal Summary
Detailed

The Italian DPA has imposed a fine of EUR 100,000 on the Veneto Region. The DPA had received a complaint from dozens of medical and nursing staff. During its investigation, the DPA found that the Region, in the context of Covid-19 containment measures, had provided lists of information on unvaccinated employees to various healthcare facilities and the physicians in charge there. The DPA found that the Region did not have a valid legal basis for such systematic disclosure of the lists to the physicians and that only the disclosure of the lists to the health authorities was covered by the legal decree in force at the time.

Related Enforcement Actions (0)

No other enforcement actions found for Veneto region in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

6 October 2022

Authority

Garante per la protezione dei dati personali

Fine Amount

€100,000

Enforcement Tracker ID

ETid-1669

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Veneto region - Italy (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: