Ordine delle Professioni Infermieristiche di Udine – €8,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject is a member of Arma dei Carabinieri, one of the police forces of Italy. He submitted several access to document requests and other inquires to the controller, the professional association of nurses of Udine (Ordine delle Professioni Infermieristiche – OPI). His wife is a nurse and had submitted similar requests as well. Furthermore, the data subject also filed an access request under Article 15 GDPR with the controller. The controller believed that these requests were excessive and were impairing the ability of the controller to deal with other administrative tasks. Moreover, it noted that the data subject submitted similar requests also to other nurses’ associations in the same region. Therefore, it coordinated with the latter and sent a joint letter to the data subject’s employer, in order to ask it to take some measures and make the data subject stop overloading the controller with excessive requests. The data subject filed a complaint with the DPA. He complained that the controller shared with his employer personal data, for example concerning the fact that he had visited the controller’s office. The controller argued that it shared this data with Carabinieri in order to ensure a proper cooperation between public authorities. Moreover, it pointed out that it is a really small public entity with only two employees, and therefore cannot process so many inquiries by the same person. First, the DPA pointed out that the collection of some personal data of the data subject, namely his job, by searching him on a public search engine was not necessary to process the data subject’s access to document request. Therefore, the DPA held that this processing activity was lacking a legal basis and found a violation of Articles 5(1)(a) and 6(1) GDPR. Second, the DPA noted that the controller shared the data with the other nurses’ associations of the region. The DPA could not find any legal basis justifying this sharing and, therefore, found a violation of A
GDPR Articles Cited
The data subject is a member of Arma dei Carabinieri, one of the police forces of Italy. He submitted several access to document requests and other inquires to the controller, the professional association of nurses of Udine (Ordine delle Professioni Infermieristiche – OPI). His wife is a nurse and had submitted similar requests as well. Furthermore, the data subject also filed an access request under Article 15 GDPR with the controller. The controller believed that these requests were excessive and were impairing the ability of the controller to deal with other administrative tasks. Moreover, it noted that the data subject submitted similar requests also to other nurses’ associations in the same region. Therefore, it coordinated with the latter and sent a joint letter to the data subject’s employer, in order to ask it to take some measures and make the data subject stop overloading the controller with excessive requests. The data subject filed a complaint with the DPA. He complained that the controller shared with his employer personal data, for example concerning the fact that he had visited the controller’s office. The controller argued that it shared this data with Carabinieri in order to ensure a proper cooperation between public authorities. Moreover, it pointed out that it is a really small public entity with only two employees, and therefore cannot process so many inquiries by the same person. First, the DPA pointed out that the collection of some personal data of the data subject, namely his job, by searching him on a public search engine was not necessary to process the data subject’s access to document request. Therefore, the DPA held that this processing activity was lacking a legal basis and found a violation of Articles 5(1)(a) and 6(1) GDPR. Second, the DPA noted that the controller shared the data with the other nurses’ associations of the region. The DPA could not find any legal basis justifying this sharing and, therefore, found a violation of A
Related Enforcement Actions (0)
No other enforcement actions found for Ordine delle Professioni Infermieristiche di Udine in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 September 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€8,000
GDPRhub ID
gdprhub-8494About this data
Cite as: Cookie Fines. Ordine delle Professioni Infermieristiche di Udine - Italy (2024). Retrieved from cookiefines.eu
Last updated: