Garante per la protezione dei dati personali (Italy) - 347/2026

Summary

The Italian Garante per la protezione dei dati personali has fined Emirates €180,000 for violating GDPR. The airline failed to adequately inform passengers with reduced mobility about the processing of their health data via the MEDIF form and retained the data for an excessive period of 7 years. While the processing of health data was deemed lawful under specific conditions, the lack of transparency and excessive retention periods constituted a breach of GDPR.

Full text

Help Garante per la protezione dei dati personali (Italy) - 347/2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 14:24, 18 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators690 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 14:24, 18 June 2026 Garante per la protezione dei dati personali - 347/2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 9 GDPR Article 9(2) GDPR Article 12 GDPR Article 13 GDPR Type: Complaint Outcome: Upheld Started: 25.01.2025 Decided: 14.05.2026 Published: 15.06.2026 Fine: 180,000 EUR Parties: Emirates National Case Number/Name: 347/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined an airline company €180,000 for its processing activities related to a form required to provide assistance for data subjects with limited mobility. The DPA considered the processing of health data in the form itself lawful, however, found that the company did not inform data subjects sufficiently and retained the data for excessive periods. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Emirates (the controller) is an airline company. In 2025, a data subject brought a complaint to the DPA regarding the controller’s processing activities of data subjects with disabilities or reduced mobility. The controller required persons with reduced mobility to complete a form (Medical Information for Fitness to Travel, or MEDIF) to provide them with the transport services. This form processed names, contact details, health information, and medical certificates when needed. The controller presented the form without referring to the privacy notice and without obtaining data subjects’ consent. According to the data subject, the controller requested them to fill in the form despite them not needing the assistance. The controller required the data subject to provide their health data without explaining how it would be processed or obtaining consent for it. The controller argued that it requested this information as a preventative measure to ensure it can provide assistance to all data subjects that need it, in accordance with its obligations under EU law [FOOTNOTE]. The MEDIF form was a standardised tool to collect the data necessary to determine whether a data subject needed assistance. In terms of data protection, the controller claimed it provided clear and accessible information. In addition, the processing was lawful under performance of a contract and to comply with legal obligations related to safety. The controller processed health data lawfully under substantial public interest. Finally, the controller made the form accessible to a limited number of parties, and retained the data for a period of 7 years to meet legal and defence requirements. Holding The DPA first found that the controller did not violate Articles 5(1)(a), (b), (c), 6(1) and 9 GDPR. The DPA consulted the national authority responsible for monitoring compliance with the rights of passengers with disabilities (the Civil Aviation Authority, or ENAC). According to ENAC, the processing through the form was compliant with Article 5 GDPR, as it is strictly necessary to provide transportation services safely for passengers with disabilities or reduced mobility. Therefore, the DPA considered that the controller had a valid legal basis to process the data. However, the DPA found a violation of Articles 5(1)(a), 12 and 13 GDPR, as the controller had not complied with its transparency obligations. According to the DPA, the information provided in the form and privacy policy was vague, and did not inform data subjects of aspects such as the legal bases for processing and the retention periods. The DPA also found a violation of Article 5(1)(e) GDPR, as the controller did not comply with the principle of storage limitation. The DPA considered the retention periods for health data excessive, as they were based on hypothetical and highly unlikely future disputes. The DPA fined the controller 180,000. In addition, the DPA ordered the controller to review the categories of data subjects required to complete the form, provide complete information, and clarify which sections of the form can be left blank by data subjects (as the data is not necessary for the controller’s purposes). Finally, the DPA ordered the controller to reevaluate its data retention period. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. SEE ALSO Newsletter of June 17, 2026 [web doc. no. 10259296] Measure of May 14, 2026 Register of Measures No. 347 of May 14, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; CONSIDERING Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"); HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter the "Code"); HAVING SEEN the complaint filed by Ms. XX on January 29, 2025, pursuant to Article 77 of the Regulation, alleging a violation of personal data protection regulations by Emirates; HAVING EXAMINED the documentation in the file; HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Italian Data Protection Authority No. 1/2000; REPORTER: Dr. Agostino Ghiglia; WHEREAS 1. The complaint against the Company. In a complaint filed with this Authority on January 29, 2025, Ms. XX alleged a violation of personal data protection regulations by Emirates (hereinafter also "the Company" or "the Airline") regarding the collection of information on travelers with disabilities or reduced mobility. The complaint alleged that Emirates, with respect to "persons with reduced mobility" (so-called "PRMs"), makes the provision of air transportation services conditional upon completion of the so-called "MEDIF" form (acronym for Medical Information for Fitness to Travel or Special Assistance). Specifically, Emirates submitted this questionnaire without any reference to the privacy policy and without obtaining the data subject's consent. More specifically, the complainant reported that, despite not falling within the categories required to complete the form, "Emirates nevertheless requested that I complete the form and send it to MEDAattachments@emirates.com," thus requiring me to provide "a large amount of information about my health status for which I had no prior information on the processing methods, nor had I signed any consent or information notice for/on the processing of the same" (see complaint dated January 29, 2025, page 2). 2. The investigation. With a note dated May 8, 2025 (ref. no. 61864), this Authority invited the Company to provide observations regarding the facts of the complaint. Regarding the requests for clarification made by this Authority, the Company (note dated 06/06/2025) has clarified its position, with particular reference to the processing of passengers' personal data, including health-related data. It emphasized first of all that the air transport sector is governed by a complex re

Entities