Ordine delle Professioni Infermieristiche di Udine – €8,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Ordine delle Professioni Infermieristiche di Udine was fined EUR 8,000 for mishandling a member's requests for access to personal data. This case is significant because it emphasizes that organizations must respect individuals' rights to access their information.
What happened
Ordine delle Professioni Infermieristiche di Udine improperly handled a member's access requests and shared personal data with his employer.
Who was affected
A member of the Arma dei Carabinieri who submitted access requests to the nursing association.
What the authority found
The Italian DPA ruled that the nursing association violated GDPR by failing to provide access to the member's data and sharing it without a legal basis.
Why this matters
This case underscores the need for organizations to have clear policies for handling access requests. It also shows that sharing personal data without consent can lead to serious consequences.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject is a member of Arma dei Carabinieri, one of the police forces of Italy. He submitted several access to document requests and other inquires to the controller, the professional association of nurses of Udine (Ordine delle Professioni Infermieristiche – OPI). His wife is a nurse and had submitted similar requests as well. Furthermore, the data subject also filed an access request under Article 15 GDPR with the controller. The controller believed that these requests were excessive and were impairing the ability of the controller to deal with other administrative tasks. Moreover, it noted that the data subject submitted similar requests also to other nurses’ associations in the same region. Therefore, it coordinated with the latter and sent a joint letter to the data subject’s employer, in order to ask it to take some measures and make the data subject stop overloading the controller with excessive requests. The data subject filed a complaint with the DPA. He complained that the controller shared with his employer personal data, for example concerning the fact that he had visited the controller’s office. The controller argued that it shared this data with Carabinieri in order to ensure a proper cooperation between public authorities. Moreover, it pointed out that it is a really small public entity with only two employees, and therefore cannot process so many inquiries by the same person. First, the DPA pointed out that the collection of some personal data of the data subject, namely his job, by searching him on a public search engine was not necessary to process the data subject’s access to document request. Therefore, the DPA held that this processing activity was lacking a legal basis and found a violation of Articles 5(1)(a) and 6(1) GDPR. Second, the DPA noted that the controller shared the data with the other nurses’ associations of the region. The DPA could not find any legal basis justifying this sharing and, therefore, found a violation of A
Related Enforcement Actions (0)
No other enforcement actions found for Ordine delle Professioni Infermieristiche di Udine in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 September 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€8,000
GDPRhub ID
gdprhub-8494About this data
Cite as: Cookie Fines. Ordine delle Professioni Infermieristiche di Udine - Italy (2024). Retrieved from cookiefines.eu
Last updated: