Scanshare S.r.l. – €10,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Scanshare S.r.l. received a fine for accidentally exposing personal data of 3,500 job candidates. This breach happened when a link to a web application was mistakenly shared, allowing others to access sensitive information. This case highlights the importance of careful data handling and the need for companies to secure personal data.
What happened
Scanshare S.r.l. accidentally disclosed personal data of 3,500 candidates by sending a wrong link in an email.
Who was affected
Candidates participating in a public recruitment competition for administrative assistant positions were affected.
What the authority found
The Garante ruled that Scanshare S.r.l. failed to protect personal data adequately, violating GDPR's requirements for data security.
Why this matters
This ruling emphasizes that companies must take data protection seriously and implement strong security measures. It serves as a warning for service providers about their responsibilities in handling personal data.
GDPR Articles Cited
This case was initiated by a data breach notification reported by the Tuscany Region authorities to the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) on 30 July 2020. The breach involved the accidental disclosure of personal data belonging to approximately 3500 candidates participating in a public recruitment competition for administrative assistant job positions. The Tuscany Region carrying out the contest (the data controller in this case) had a processing agreement with IT company Scanshare S.r.l. for the provision of services related to the organisation and management of the pre-selection phase. The IT company was tasked with processing the data necessary for the completion of the recruitment tests, as well as uploading these on to a server that would host the web page in which each candidate could consult their individual scores. An email was sent by the processor to a candidate asking for information regarding the publication of the results, which mistakenly contained a link to the web application which was uploading the personal data related to the candidates and their scores, instead of the website where each candidate could log on to obtain their individual results. The mistakenly sent link to the web application which contained the upload of the entire data set was subsequently circulated among other candidates. From this link, it was possible to access and download, inter alia, the name, surname, date of birth, tax code, detailed results of questionnaires, as well as the overall scores of all the participants. This data was exposed for approximately one hour until the data breach was discovered and remedied. The processor, without consulting the controller, then proceeded to subcontract an IT company named Hostinger, in order to provide it with the logs of the IP addresses which had unauthorised access to the data. During the Garante’s investigation procedures, the processor claimed that this data breach was not of a malicious na
Related Enforcement Actions (0)
No other enforcement actions found for Scanshare S.r.l. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 February 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€10,000
Enforcement Tracker ID
ETid-1101
GDPRhub ID
gdprhub-4785About this data
Cite as: Cookie Fines. Scanshare S.r.l. - Italy (2022). Retrieved from cookiefines.eu
Last updated: