Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino – Violation Found (Italy, 2023)
Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino processed personal data for medical research without getting consent. This matters because it highlights the importance of obtaining permission before using people's data, even for good causes like research.
What happened
The hospital processed personal data for medical research studies without consent.
Who was affected
Patients whose data was used for research without their consent were affected.
What the authority found
The authority found that the hospital lacked a valid legal basis for processing personal data, violating GDPR requirements.
Why this matters
This case emphasizes the need for organizations to secure consent before using personal data, even in research. It serves as a reminder for all companies to review their data handling practices.
GDPR Articles Cited
National Law Articles
Prior to conducting two medical research studies, the University Hospital Città della Salute e della Scienza di Torino (the controller) consulted the Italian DPA in accordance with Article 36 GDPR. The first study, "Head and neck tumours: relapses and second tumours," is a retrospective analysis focusing on 400 deceased or uncontactable patients, for which the request for prior consultation was deemed necessary. The hospital sought a favourable opinion from the DPA, in accordance with the GDPR and [https://www.garanteprivacy.it/codice Article 110 of the Italian Privacy Code], for processing personal data without obtaining consent due to practical difficulties in contacting patients. The study spanned seven years, involving pseudonymised data storage in accordance with the principles of data minimisation and storage limitation. The second study, "Use of coronagraphy and right heart catheterisation in the pre-liver transplant cardiological work-up," is a multi-centre, observational, retrospective study analysing liver transplant candidates. In this study, the hospital also sought a favourable opinion for processing personal data without consent, emphasising the challenges posed by the high mortality incidence of the patients. This study utilised as a legal basis Article 9(2)(a) GDPR for the processing of personal data of the living patients, meanwhile it requested, similarly to the first study, the prior consultation of the DPA pursuant to [https://www.garanteprivacy.it/codice Article 110 of the Italian Privacy Code] for those who are deceased. Moreover, in relation to the data processing of deceased patients, the study foresaw transparency measures for the family members of the deceased, such as information published on its website and those of participating centres, aligning with Article 14 GDPR. Following the information provided, for the first study, the DPA acknowledged the hospital's correct identification of legal bases for the data processing, including tho
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Decision Date
26 October 2023
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-7417About this data
Cite as: Cookie Fines. Azienda Ospedaliero Universitaria Città della Salute e della Scienza di Torino - Italy (2023). Retrieved from cookiefines.eu
Last updated: