INPS – €300,000 Fine (Italy, 2021)

The Italian national social security institute (INPS) has provided financial aids to Italian citizens in order to face the Covid crisis. To access this aids, citizens were required to satisfy certain criteria. The INPS, in order to speed up the process to obtain the aid, first assessed the request only on the basis of the documentation provided in the request by the applicant, and just in a second moment, after the dispensing of the aid, carried out a more specific investigation for every applicant. During the second phase assessment, the INPS checked whether between the requests there were parliamentarians or holders of offices in public administrations. To do so, INPS collected some personal data from open source registers and generated from this open data the personal tax code of the applicants and compared it with the one in the application. This way of calculation of the tax code can entail some mistakes. The secondary examination was carried on also for the subjects to which the aid was already been refused under the first examination. Only afterwards, the Labour ministry declared that parliamentarians and holders of administrative office would be excluded from this financial aid. Were these activities contrary to the GDPR? The DPA found that the fact that the second examination on parliamentarians and holders of administrative offices has been carried out before the note of Labour ministry on the exclusion of these categories from the financial aid, comported a violation of the principles of lawfulness, fairness and transparency as per Article 5(1)(a) GDPR. The fact that the processing was not limited to who received the aid but included who had already been refused, was in violation of the principle of adequacy and minimisation as per Artcle 5(1)(c) GDPR. The fact that the tax code has been generated from open data and not obtain by official sources and thus potentially erroneous, was violating the principle of adequacy as per Article 5(1)(d) GDPR