Regione Lombardia – €200,000 Fine (Italy, 2021)

€200,000Garante per la protezione dei dati personali22 July 2021Italy
final
ePrivacy
Fine

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on the Region of Lombardy. The region had published on its website the personal data of more than 100,000 students who had applied for state scholarships or financial grants for the purchase of textbooks, technical equipment and teaching materials. As the Garante's preliminary audit revealed, it was possible to view and download the list of approved and funded applications, the list of approved and to be funded applications, the list of state scholarship recipients and the list of ineligible applications from the region's website. These lists included personally identifiable information such as the application ID, the applicant's name, the student's grade, the code and name of the school, as well as the application number. In this context, the DPA stated that the data of persons applying for economic benefits must be protected in a special way to prevent the economic and social hardship of the data subjects from becoming evident.

GDPR Articles Cited

Art. 5(1)(a) GDPR
Art. 5(1)(c) GDPR
Art. 6(1)(c) GDPR
Art. 6(1)(e) GDPR
Italy enforcementGarante per la protezione dei dati personali actionsAll Regione Lombardia actions
Full Legal Summary

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on the Region of Lombardy. The region had published on its website the personal data of more than 100,000 students who had applied for state scholarships or financial grants for the purchase of textbooks, technical equipment and teaching materials. As the Garante's preliminary audit revealed, it was possible to view and download the list of approved and funded applications, the list of approved and to be funded applications, the list of state scholarship recipients and the list of ineligible applications from the region's website. These lists included personally identifiable information such as the application ID, the applicant's name, the student's grade, the code and name of the school, as well as the application number. In this context, the DPA stated that the data of persons applying for economic benefits must be protected in a special way to prevent the economic and social hardship of the data subjects from becoming evident.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (1)

Other enforcement actions involving Regione Lombardia in IT

Current
Jul 2021

Fine

€200K

Fine
Apr 2025· Garante per la protezione dei dati personali

The Italian DPA imposed a fine of EUR 50,000 on the Regione Lombardia. The controller tracked its employees' browser activities, including private one...

€50K

Similar Cases

Enforcement actions with similar violations

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

ANSPDCP

2025 · Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal

CNIL

2019 · Court of Justice of the European Union

Minister for Legal Protection

2022 · DPA RbOverijssel

Details

Fine Date

22 July 2021

Authority

Garante per la protezione dei dati personali

Fine Amount

€200,000

Enforcement Tracker ID

ETid-826

GDPRhub ID

gdprhub-4001

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Regione Lombardia - Italy (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: