Ministero dello sviluppo economico (Ministry of Economic Development) – €75,000 Fine (Italy, 2021)

Following some reports, the Italian DPA ascertained that the MISE uploaded on its website a list of more than 5,000 managers containing their personal data, including name, tax code, e-mail address, CV, mobile phone and, in some cases, ID and health card. All this data was freely visible and downloadable. The MISE published that list to help SMEs in booking advice from experienced business professionals on the technological and digital processes to manage vouchers provided in compliance with the 2019 Budget Law. The DPA has also found that the MISE did not appoint a DPO by May 25, 2018, as required for all public bodies according to art. 37 GDPR. The Italian DPA noted that MISE failed to appoint a DPO by the established deadline (May 25, 2018). Furthermore, it has found that there was no adequate legal basis for the online publication of managers' personal data, as there were less intrusive methods to ensure that SMEs would have access to the managers' consultancy services, such as ensuring restricted access to said information through the use of passwords and usernames. As such, the Authority found that the dissemination of their personal information also consisted of disproportionate processing of data. In light of the above and given that the MISE has appointed a DPO then, the Italian DPA issued a fine of €75,000.