Garante per la protezione dei dati personali (Italy) - 10238270

Summary

Italy's Data Protection Authority (Garante) fined Eni S.p.A. €96,000 for publishing the names, addresses, and social security numbers of plaintiffs in an environmental lawsuit on its website without legal basis. The DPA rejected Eni's claims of legitimate interest and public availability, finding violations of GDPR Articles 5(1)(a) and 6(1). The fine upheld that even publicly known claimants cannot have sensitive personal identifiers published without proper legal justification.

Full text

Help Garante per la protezione dei dati personali (Italy) - 10238270: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:27, 20 April 2026 view sourceDt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators334 editsmTag: Visual edit← Older edit Latest revision as of 14:28, 20 April 2026 view source Dt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators334 editsm Tag: Visual edit Line 65: Line 65: }}}} The DPA fined an energy corporation €96,000 for unlawfully publishing personal data of the plaintiffs of a lawsuit against the company.The DPA fined an energy corporation €96,000 for unlawfully publishing on its website the personal data of the plaintiffs involved in a lawsuit against the company's alleged non-compliance with environmental legislation. == English Summary ==== English Summary == Latest revision as of 14:28, 20 April 2026 Garante per la protezione dei dati personali - 10238270 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(a) GDPR Article 6(1) GDPR Type: Complaint Outcome: Upheld Started: 19.03.2024 Decided: 26.03.2026 Published: Fine: 96,000 EUR Parties: Eni S.p.a. Greenpeace Onlus National Case Number/Name: 10238270 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: carloc The DPA fined an energy corporation €96,000 for unlawfully publishing on its website the personal data of the plaintiffs involved in a lawsuit against the company's alleged non-compliance with environmental legislation. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts In 2023 two NGOs and twelve individuals (the data subjects) filed a lawsuit against, among others, energy corporation Eni S.p.a. (the controller) over the alleged non-compliance with environmental legislation. The controller later published the statement of claims on its website, including the names, personal details, and social security numbers of the data subjects. In response, the data subjects and one of the NGOs (Greenpeace) filed complaints with the DPA, claiming that their names were unlawfully published. The controller later redacted the subject's data from the document available on its website and claimed that the publication was due to a human error. In its defense, the controller also claimed that, given the media attention drawn by the lawsuit, it had a legitimate interest to both defend its public image and clarify the exact content of the lawsuit it was facing. The controller also pointed out that some of the data it published was already publicly available and that the data subjects themselves had made it publicly known to the media that they were the claimants in its lawsuit. On these grounds, the controller argued that the data could be published. Holding The DPA first rejected the argument that the data were publicly available information. In this regard, the DPA noted that while some of the data subjects had publicly spoken about their lawsuit, they had never made their addresses and social security codes public. Furthermore, the DPA clarified that even publicly available data requires a legal basis for processing. The DPA then held that the processing of the data was not justified by the controller’s legitimate interest for two reasons. First, the processing was not necessary, as the controller could have pursued its interest by publishing a redacted copy of the statement of claims. Second, the data subjects’ rights and freedoms outweighed the controller’s interest in the case at hand. On these grounds, the DPA found a violation of Articles 5(1)(a) and 6(1) GDPR and fined the controller €96,000. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. SEE ALSO Newsletter of April 15, 2026 [web doc. no. 10238270] Measure of March 26, 2026 Register of Measures No. 207 of March 26, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Members, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"); HAVING REGARD TO Legislative Decree No. 207 of June 30, 2003 196 (Personal Data Protection Code, hereinafter the "Code"), as amended by Legislative Decree No. 101 of August 10, 2018, containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; HAVING SEEN the report from the "Greenpeace Onlus" Association, submitted on March 19, 2024, complaining of violations of the personal data protection regulations relating to the processing of information concerning certain data subjects by Eni S.p.A. on its website; HAVING EXAMINED the documentation in the file; HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Guarantor's Regulation No. 1/2000; REPORTER: Professor Ginevra Cerrina Feroni; WHEREAS 1. The report against the Company and the investigation. Reference is made to the report from the "Greenpeace Onlus" Association, submitted to this Authority on March 19, 2024, containing the attached requests from Messrs. XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, XX, in which Greenpeace Onlus complained of certain violations of the personal data protection regulations relating to the processing of information concerning them by Eni S.p.A. (hereinafter "the Company"). Indeed, the aforementioned petition contested—in light of the Company's publication "on its website of a page entirely dedicated to the lawsuit" filed on May 9, 2023, at the Civil Court of Rome by "the organizations Greenpeace Onlus and ReCommon APS and 12 ordinary citizens (...) against Eni S.p.A., the Ministry of Economy and Finance, and Cassa Depositi e Prestiti S.p.A."—the specific circumstance that "on this page, Eni [had] published [the relevant] full summons without obscuring any of the data" identifying the interested parties, including their place and date of birth, tax code, and residential address (see note dated March 19, 2024, page 1). In light of the petitioners' concerns, an investigation was initiated against Eni S.p.A. on July 30, 2024. via a request for information. All of this is intended to obtain useful information regarding the application of the personal data protection regulations to the reported situation, with particular regard to the purposes of the aforementioned processing and the legal grounds for its lawfulness. The Company responded to this request in a letter received on September 23, 2024. A review of the request revealed the following: The publication of the contested personal data occurred following the data subjects' initiation of litigation against the Company—currently pending before the judicial authorities—for an alleged violation of the Paris Climate Agreement. This case falls within the broader framework of so-called climate litigation, "i.e., legal actions aimed at compelling states or companies to comply with certain standards regarding emissions reductions for the purpose of combating climate change." According to Eni S.p.A.'s assertions, these actions often share a strategy implemented by the actors involved, which focuses specifically on the potential media impact of such actions and therefore involves widespread publicity for the disputes in question through various media outlets. This is done with the aim, "on the one hand, of provoking public outcry and i

Entities