Italian political party Movimento 5 Stelle – €50,000 Fine (Italy, 2019)

A number of websites affiliated to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer 2017 that led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed.While the update of the privacy information notice was timely completed, the Italian data protection authority, raised its concerns as to the lack of implementation on the Rousseau platform of some of GDPR related security measures. It is worth it to mention that the proceeding initiated before May 2018, but the Italian data protection authority issued a fine under the GDPR since the Rousseau platform had not adopted security measures required by means of an order issued after the 25th of May 2018. Interestingly, the fine was not issued against the Movimento 5 Stelle that is the data controller of the platform, but against the Rousseau association that is the data processor.