[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHmvQgkbOPfkjzbj93t5XL2XryoYyM1eMj5oIrGTB9Y8":3},{"article":4,"iocs":39},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"28053332-827f-43da-a584-bb888445596b","Cass.Civ. - 15628\u002F2026","cass-civ-15628-2026-453376","Holding ← Older revision Revision as of 13:52, 16 June 2026 Line 76: Line 76: === Holding === === Holding === The court dismissed the appeal, and upheld the reasoning of the lower court. The court followed the reasoning of the lower court, and stated that the controller could have informed its members of the case without including the data subject’s name. The court considered this processing to be disproportionate in relation to the goal. The court dismissed the controller’s argument that there was a difference between disseminating the information and communicating it to members. The court stated that, while the data subject’s name did not fall under the scope of [[Article 9 GDPR]], the controlled needed the consent of the data subject to process their data. Therefore, a resolution adopted by a general meeting or generic consent for statutory purposes did not meet the requirements of consent. The court dismissed the appeal and upheld the reasoning of the lower court. The court followed the reasoning of the lower court, and stated that the controller could have informed its members of the case without including the data subject’s name. The court considered this processing to be disproportionate in relation to the goal. The court dismissed the controller’s argument that there was a difference between disseminating the information and communicating it to members. The court stated that, while the data subject’s name did not fall under the scope of [[Article 9 GDPR]], the controlled needed the consent of the data subject to process their data. Therefore, a resolution adopted by a general meeting or generic consent for statutory purposes did not meet the requirements of consent. The court also dismissed the controller’s argument that the fine was disproportionate. The court held that the DPA had correctly applied and justified the fine in accordance with [[Article 83 GDPR#2|Article 83(2) GDPR]]. The court also dismissed the controller’s argument that the fine was disproportionate. The court held that the DPA had correctly applied and justified the fine in accordance with [[Article 83 GDPR#2|Article 83(2) GDPR]].","The Italian Supreme Court upheld a €5,000 fine against Federpol, an association of private investigators, for processing personal data without a legal basis. The association had distributed a newsletter to its members containing minutes of an executive board meeting that identified a member by name in relation to a defamation case. The court ruled this processing was disproportionate and lacked valid consent, affirming the DPA's decision.","Italian court upholds €5,000 GDPR fine for naming data subject in association newsletter.","Help Cass.Civ. - 15628\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:02, 16 June 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators686 editsmTag: Visual edit← Older edit Latest revision as of 13:52, 16 June 2026 view source Mba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators917 editsm Tag: Visual edit Line 76: Line 76: === Holding ====== Holding === The court dismissed the appeal, and upheld the reasoning of the lower court. The court followed the reasoning of the lower court, and stated that the controller could have informed its members of the case without including the data subject’s name. The court considered this processing to be disproportionate in relation to the goal. The court dismissed the controller’s argument that there was a difference between disseminating the information and communicating it to members. The court stated that, while the data subject’s name did not fall under the scope of [[Article 9 GDPR]], the controlled needed the consent of the data subject to process their data. Therefore, a resolution adopted by a general meeting or generic consent for statutory purposes did not meet the requirements of consent. The court dismissed the appeal and upheld the reasoning of the lower court. The court followed the reasoning of the lower court, and stated that the controller could have informed its members of the case without including the data subject’s name. The court considered this processing to be disproportionate in relation to the goal. The court dismissed the controller’s argument that there was a difference between disseminating the information and communicating it to members. The court stated that, while the data subject’s name did not fall under the scope of [[Article 9 GDPR]], the controlled needed the consent of the data subject to process their data. Therefore, a resolution adopted by a general meeting or generic consent for statutory purposes did not meet the requirements of consent. The court also dismissed the controller’s argument that the fine was disproportionate. The court held that the DPA had correctly applied and justified the fine in accordance with [[Article 83 GDPR#2|Article 83(2) GDPR]].The court also dismissed the controller’s argument that the fine was disproportionate. The court held that the DPA had correctly applied and justified the fine in accordance with [[Article 83 GDPR#2|Article 83(2) GDPR]]. Latest revision as of 13:52, 16 June 2026 Cass.Civ. - 15628\u002F2026 Court: Cass.Civ. (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1) GDPR Decided: 21.05.2026 Published: Parties: Federpol National Case Number\u002FName: 15628\u002F2026 European Case Law Identifier: ECLI:IT:CASS:2026:15628CIV Appeal from: Tribunale di Roma (Italy)9488\u002F2022 Appeal to: Unknown Original Language(s): Italian Original Source: Corte de Cassazione (in Italian) Initial Contributor: ap The Supreme Court upheld a €5,000 fine by the DPA against an association of private investigators for naming the data subject involved in a defamation related case discussed by the association’s executive board. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Federpol (the controller) is an association of private investigators. In 2021, the DPA fined the controller for distributing a newsletter to all members containing the minutes of a meeting with its executive board. The minutes concerned a case against a member who had sent a defamatory letter. The member was identified by name. The DPA found a violation of Articles 5(1)(a) and (c), and 6(1) GDPR as the controller did not have a legal basis to process the data. The DPA fined the controller €5,000. In 2022, the controller appealed the decision to the court of Rome. The controller argued that the processing was lawful under legitimate interest, and in any case, contractual obligation. The court dismissed the appeal and ordered the controller to pay the fine. The court considered that the controller could have informed members without naming the data subject. The controller filed an appeal to the court, and the DPA filed a counter appeal. Holding The court dismissed the appeal and upheld the reasoning of the lower court. The court followed the reasoning of the lower court, and stated that the controller could have informed its members of the case without including the data subject’s name. The court considered this processing to be disproportionate in relation to the goal. The court dismissed the controller’s argument that there was a difference between disseminating the information and communicating it to members. The court stated that, while the data subject’s name did not fall under the scope of Article 9 GDPR, the controlled needed the consent of the data subject to process their data. Therefore, a resolution adopted by a general meeting or generic consent for statutory purposes did not meet the requirements of consent. The court also dismissed the controller’s argument that the fine was disproportionate. The court held that the DPA had correctly applied and justified the fine in accordance with Article 83(2) GDPR. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. JUDGMENT on the appeal registered under No. 29623\u002F2022 R.G. filed by: Federpol, Italian Federation of Private Institutes for Investigation, for Information and Security, represented and defended by the lawyers Francesco Sardi De Letto, Marco Martorana, and Vittorio Cappuccilli -appellant- against the Guarantor for the Protection of Personal Data, represented and defended by the State Attorney General -counterappellant- against the judgment of the Court of Rome No. 9488\u002F2022 filed on June 15, 2022. Having heard the report of the case presented at the public hearing on January 22, 2026 by Councilor Davide De Giorgio; Court of Cassation - unofficial copy Civil Sentence, Section 2 No. 15628 Year 2026 President: MILENA FALASCHI Rapporteur: DAVIDE DE GIORGIO Publication date: 05\u002F21\u002F2026 2 Having heard the Public Prosecutor, represented by Deputy Prosecutor General Dr. Michele Di Mauro, who concluded that the first ground of the appeal should be upheld; Having heard the lawyers Francesco Sardi De Letto and Marco Martorana, counsel for the appellant, who referred to the defense briefs. FACTS OF THE CASE Federpol - Italian Federation of Private Institutes for Investigation, Information and Security has filed an appeal before the Court of Rome pursuant to Articles 152 of Legislative Decree No. 196\u002F2003 and 10 of Legislative Decree No. 150\u002F2011 against Order No. 165\u002F2021 of the Italian Data Protection Authority, with which the latter, having declared the unlawfulness of the processing carried out by the company in violation of Articles 5, paragraph 1, letters a) and c), and 6, paragraph 1, letter a) of Regulation (EU) 2016\u002F679 on the protection of personal data, ordered the company to pay a fine of €5,000.00. The violation in question consisted of the communication to all members (approximately one thousand) of a \"newsletter\" containing the minutes of the Executive Board and the National Council regarding the decision to forward to the Board of Arbitration a letter sent by a member, deemed untrue and derogatory, for assessment against the member, who was named. The opponent, believing that the data processing had occurred pursuant to a legal basis consisting of the legitimate interest of the data controller and in any case the membership relationship, requested a declaration of the lawfulness of the processing, with the consequent revocation ","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Cass.Civ._-_15628\u002F2026&diff=51883&oldid=51874","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-06-16T13:52:56+00:00","2026-06-16T14:00:13.108289+00:00",7,[18],{"name":19,"type":20},"Federpol","vendor","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":21,"icon":23,"name":24,"slug":25},null,"GDPR","gdpr",[27,29,34],{"category":28},{"id":21,"icon":23,"name":24,"slug":25},{"category":30},{"id":31,"icon":23,"name":32,"slug":33},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":35},{"id":36,"icon":23,"name":37,"slug":38},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]