Azienda Unità Sanitaria Locale Toscana Sud Est – €100,000 Fine (Italy, 2020)

The Italian DPA (Garante) imposed a fine of EUR 100,000 on Azienda USL Toscana Sud Est. The controller is a company in the healthcare sector that, among other things, launched the so-called 'Sanità di iniziativa' (Health Initiative) program. Within the framework of this program, participating healthcare companies transmit data on chronically ill patients to the controller. On the basis of this data, the controller then develops health plans for the patients. The Italian DPA notes several violations of data protection provisions related to this program. For example, when giving consent to the processing of their data, the data subjects were not adequately informed about how long their data would be stored, what rights they had (in particular their rights of complaint and access), and how exactly their data would be processed and for what purpose. In addition, the controller had not kept a register of processing activities. Finally, the controller had neither implemented adequate technical and organizational measures to protect the processing nor conducted a data protection impact assessment, although this would have been necessary due to the nature of the data processed (health data).