XX (the data subject) – €5,000 Fine (Italy, 2022)
Fondazione Teatro Regio di Torino was fined €5,000 for publishing sensitive health data of a former employee on its website. The Italian data protection authority found that this violated privacy rules, even though the organization argued it was fulfilling transparency obligations. This case highlights the need for careful handling of sensitive data, especially health information.
What happened
Fondazione Teatro Regio di Torino published sensitive health data of a former employee on its website.
Who was affected
A former employee of Fondazione Teatro Regio di Torino whose health data was improperly published online.
What the authority found
The Italian data protection authority ruled that the organization violated privacy rules by publishing sensitive health data, despite its transparency obligations.
Why this matters
This case serves as a reminder that transparency obligations do not override privacy protections, particularly for sensitive data like health information. Organizations must ensure they do not inadvertently disclose personal data in the name of transparency.
GDPR Articles Cited
National Law Articles
Entities Involved
Fondazione Teatro Regio di Torino (the controller) is a non-profit opera organisation which was also involved in public procurement procedures. A former employee (the data subject) was in charge of two tender procedures. However, due to illness she could no longer be part of these biddings. In relation to this, the controller published on its website several decisions containing personal data of the data subject. These decisions addressed the replacement of the data subject from the responsibilities assigned to her in the tender procedures due to sickness. They also contained the data subject's illness certificate as well as information relating to the transfer of powers and functions following her suspension. On 15 November 2021, the data subject filed a complaint with the Italian DPA, which started an investigation on the case. In its defence, the controller argued that it had to fulfil its transparency obligations and thus had to publish information about the replacement of the person in charge of the tender procedure. Moreover, as soon as it received the notification from the DPA, the controller took care to remove the data that were the subject of the complaint, which were no longer visible on the website as of 21 February 2022. Additionally, no employee had ever raised an issue of a personal data breach against the controller prior to this case. Allegedly, the incident was caused by a material error of an employee who carried out the publication in full, not realising that among the various documents in his hands, some contained health data, which should not be published. Finally, the controller argued that the damage suffered by the data subject was minor because documents containing her personal data were published in a section of the controller's website that was not immediately accessible to the "average" user. The Italian DPA held that the controller, although subject to transparency obligations, published on its website data relating to health, the
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (1)
Other enforcement actions involving XX (the data subject) in IT
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
20 October 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€5,000
GDPRhub ID
gdprhub-5508
Cite as: Cookie Fines. XX (the data subject) - Italy (2022). Retrieved from cookiefines.eu