Thin Srl – €15,000 Fine (Italy, 2023)

€15,000Garante per la protezione dei dati personali1 June 2023Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Thin Srl was fined EUR 15,000 for failing to properly anonymize patient data and not informing individuals about how their data was used. This case shows the importance of correctly handling personal data and being transparent with data subjects.

What happened

Thin Srl failed to anonymize patient data and did not provide adequate information to data subjects.

Who was affected

Patients whose data was collected and not properly anonymized by Thin Srl.

What the authority found

The Italian data protection authority found that Thin Srl violated GDPR by processing personal data without proper anonymization and failing to inform individuals.

Why this matters

This case emphasizes the need for companies to ensure data is truly anonymized and to be transparent about data processing activities, especially in projects involving sensitive health information.

GDPR Articles Cited

Art. 9 GDPR
Art. 13 GDPR
Art. 5(1)(a) GDPR
Italy enforcementGarante per la protezione dei dati personali actionsAll Thin Srl actions
Full Legal Summary
Detailed

The Italian DPA has imposed a fine of EUR 15,000 on Thin Srl. The authority took action following a complaint from a GP who alleged that the company had breached data protection regulations. The company was running an international project to improve patient care by collecting and analyzing health data. To participate in the project, GPs were required to add an additional function to their existing management software. The additional function was supposed to automatically anonymize patient data and transfer it to the company's database. However, during its investigation, the DPA found that the add-on feature installed did not effectively anonymize data. In addition, the DPA found that Thin had also violated its information obligations under the GDPR. The company had incorrectly assumed that it was processing anonymized data and had actually processed personal data without providing adequate information to the data subjects.

Related Enforcement Actions (0)

No other enforcement actions found for Thin Srl in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

1 June 2023

Authority

Garante per la protezione dei dati personali

Fine Amount

€15,000

Enforcement Tracker ID

ETid-1993

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Thin Srl - Italy (2023). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: