Azienda ULSS – €5,000 Fine (Italy, 2023)
Azienda ULSS was fined €5,000 after a hospital mistakenly mixed up medical records, disclosing sensitive health information to an unauthorized person. This incident matters because it emphasizes the need for strict handling of personal health data to protect patient privacy.
What happened
Rovigo Hospital stored a patient's medical records in another patient's folder, leading to unauthorized disclosure of health data.
Who was affected
Patients whose medical records were mishandled and disclosed to unauthorized individuals were affected.
What the authority found
The Garante per la protezione dei dati personali ruled that the hospital violated GDPR by failing to ensure the confidentiality of health data.
Why this matters
This ruling serves as a reminder for healthcare providers to implement strict data management practices to avoid breaches and protect patient information.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Rovigo Hospital, the data controller, stored the data subject's medical records in another patient's folder and inadvertently disclosed their health data to the latter. Upon becoming aware of this, the data controller asked the third party to return the documents and adopted technical and organisational measures to prevent similar data breaches. The controller notified the DPA and the DPA opened an investigation. There was no dispute as to the facts.

The DPA pointed out that medical records constitute 'data relating to health' in the sense of Article 4(15) GDPR. Pursuant to Article 9 GDPR, this special category of data can only be disclosed to third parties on the basis of an appropriate legal ground or prior written authorisation by the data subject. It emphasized that the data controller must comply with the principle of "integrity and confidentiality", according to which personal data must be processed in such a way as to ensure appropriate security. This includes protection against unauthorised or unlawful processing by appropriate technical and organisational measures (Art. 5(1)(f) GDPR).

The DPA acknowledged that the controller acted immediately to minimise the damage and took measures to prevent further breaches, having cooperated with the investigations. However, it held that the disclosure of the data subject's health data to an unauthorised third party violated Articles 5(1)(f), 9 and 32 GDPR. In view of this, it imposed a fine of €5,000.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda ULSS in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
23 January 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€5,000
GDPRhub ID
gdprhub-5738
Cite as: Cookie Fines. Azienda ULSS - Italy (2023). Retrieved from cookiefines.eu