La Combricola dei Birichini di Betty – €10,000 Fine (Italy, 2025)
The controller for the case is a private children's daycare. A parent filed a complaint with the DPA after finding that the controller published pictures of children online, including invasive pictures of rather delicate moments of their daily lives. During the investigation the DPA found that the controller implemented invasive CCTV surveillance on its premises and did not carry out a DPIA with regards to the system. The DPA held that the controller violated Articles 5(1)(a), 6, 7, 12(1), 13, 35, 37(7) and 38(6) GDPR as well as Article 2-ter of Italy’s “Privacy Code” (d. lgs. 196/2003). The DPA issued a €10,000 fine. The DPA also ordered the controller to stop publishing children’s pictures, erase all the pictures still available online, and delete any pictures it stored. In determining the fine, the DPA considered that by the time of the decision, the controller had removed (most of) the pictures, had appointed a new DPO, and had taken other steps towards compliance. = The DPA found that many pictures of the children in the controller’s care, were publicly available on the controller’s website as well as on its Google Maps business profile. Some of the pictures included rather delicate moments of the children’s daily lives. The controller pointed out that during enrolment, parents signed a consent form that covered the publication of children’s pictures for education purposes and for advertising the controller’s activities. On this basis, the controller claimed that it lawfully published the pictures under the legal basis of consent. The DPA rejected the argument, for several reasons. The DPA clarified that parental consent must be exercised in the pursuit of the child’s best interestWith regards to the centrality of the best interest of the child, the decision refers to WP29 guidance on the protection of children's data: see WP29, 'Working Document 1/2008 on the protection of children's personal data (General guidelines and the special case of schools)', 19 F
GDPR Articles Cited
National Law Articles
The controller for the case is a private children's daycare. A parent filed a complaint with the DPA after finding that the controller published pictures of children online, including invasive pictures of rather delicate moments of their daily lives. During the investigation the DPA found that the controller implemented invasive CCTV surveillance on its premises and did not carry out a DPIA with regards to the system. The DPA held that the controller violated Articles 5(1)(a), 6, 7, 12(1), 13, 35, 37(7) and 38(6) GDPR as well as Article 2-ter of Italy’s “Privacy Code” (d. lgs. 196/2003). The DPA issued a €10,000 fine. The DPA also ordered the controller to stop publishing children’s pictures, erase all the pictures still available online, and delete any pictures it stored. In determining the fine, the DPA considered that by the time of the decision, the controller had removed (most of) the pictures, had appointed a new DPO, and had taken other steps towards compliance. = The DPA found that many pictures of the children in the controller’s care, were publicly available on the controller’s website as well as on its Google Maps business profile. Some of the pictures included rather delicate moments of the children’s daily lives. The controller pointed out that during enrolment, parents signed a consent form that covered the publication of children’s pictures for education purposes and for advertising the controller’s activities. On this basis, the controller claimed that it lawfully published the pictures under the legal basis of consent. The DPA rejected the argument, for several reasons. The DPA clarified that parental consent must be exercised in the pursuit of the child’s best interestWith regards to the centrality of the best interest of the child, the decision refers to WP29 guidance on the protection of children's data: see WP29, 'Working Document 1/2008 on the protection of children's personal data (General guidelines and the special case of schools)', 19 F
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for La Combricola dei Birichini di Betty in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
10 July 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€10,000
GDPRhub ID
gdprhub-9563About this data
Cite as: Cookie Fines. La Combricola dei Birichini di Betty - Italy (2025). Retrieved from cookiefines.eu
Last updated: