XX (data subject) – Complaint Upheld (Italy, 2022)
A father complained that his and his son's personal data, including the son's injury details, were published on a municipality's website. Although the municipality removed the detailed resolution, some personal data remained online. The Italian data protection authority upheld the complaint, emphasizing the need for data minimization.
What happened
A municipality published personal data about a father and his son, including injury details, on its website.
Who was affected
A father and his son whose personal and injury details were shared online by the municipality.
What the authority found
The Italian authority found that the municipality breached data protection rules by not minimizing personal data shared online.
Why this matters
This case highlights the balance between transparency and privacy, stressing that public entities must ensure personal data is minimized when shared online. It serves as a reminder to review what information is necessary to publish.
GDPR Articles Cited
National Law Articles
Entities Involved
The Italian DPA received a complaint from the data subject concerning the dissemination of personal data concerning him and his son as well as information on his son’s injuries following a fall inside his school. These pieces of information were published in a Council resolution on the municipality of Brindisi’s website. The data subject had already requested the controller to remove any data from its website which could directly trace back to his minor son’s identity and pathology and republish it in compliance with the rules in force. The controller directly acted upon this request and deleted the resolution from its Municipal Notice Board. However, information on the legal proceedings including names and the circumstance of the existence of these legal proceedings could still be found in the subject of the resolution on the controller’s website. 2 years later there was no contest from the data subject to the controller, however the data subject lodged a complaint with the Italian DPA. The Italian DPA considered the fact that the controller had already removed the full text of the contested resolution from the web as requested by the data subject and that it kept the contested personal data included in the subject of the resolution only by mere mistake. Moreover, the controller asked to take into consideration the objective difficulty of sometimes balancing transparency and the protection of personal data. It pointed out the existence of a need, for the purposes of transparency of administrative action, to leave public the subject of the resolution with the names of the parties in clear; as well as the large number of acts to be published online. The Italian DPA held that the need for transparency could be achieved without disseminating online the personal data of the parties involved in the proceedings and therefore held that the controller breached Article 5(1)(c) in that it was inconsistent with the principle of data minimisation since the data were not li
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for XX (data subject) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. XX (data subject) - Italy (2022). Retrieved from cookiefines.eu
Last updated: