FISAR – €5,000 Fine (Italy, 2022)

In January 2021, the Italian Federation of Sommeliers, Hoteliers and Restaurateurs (the controller) expelled a member of the association (the data subject). The decision was documented in the minutes for the meeting of the controller's National Council. The minutes were published on a cloud, accessible to all members. The decision to expel the data subject was still contestable at that time. The data subject did decide to contest the decision and appealed it before the controller's Arbitration Committee. In May 2021, he also filed a complaint with the Italian DPA because he felt that the decision was published unlawfully. The appeal before the Arbitration Committee was successful. It reversed the decision and reinstated the data subject as a member of the controller. However, the information on the cloud was only rectified six months later. The DPA noted that it followed from the controller’s privacy policy that the personal data of its members would be processed as prescribed by the internal rules of procedure. For this reason, the DPA held the controller’s internal regulation relevant to the case. The DPA found that the controller’s rules of procedure only prescribed the publication of final decisions. As the decision as still contestable at the time it was published, the DPA held that the decision was published unlawfully. Therefore, the DPA held that the controller violated Article 5(1)(a), 5(1)(c) and 6(1)(a)(f) GDPR and imposed a fine of €5,000.