[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fllCBWYWMNAW0g6K86ai3Pk_5lLBFEDMRaN_roNJU0hY":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"cbbedd21-1768-4d04-9c7a-24d3550a8005","Garante per la protezione dei dati personali (Italy) - 347\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-347-2026-bdb9cc","← Older revision Revision as of 08:27, 23 June 2026 Line 83: Line 83: === Facts === === Facts === Emirates (the controller) is an airline company. In 2025, a data subject brought a complaint to the DPA regarding the controller’s processing activities of data subjects with disabilities or reduced mobility. The controller required persons with reduced mobility to complete a form (Medical Information for Fitness to Travel, or MEDIF) to provide them with the transport services. This form processed names, contact details, health information, and medical certificates when needed. The controller presented the form without referring to the privacy notice and without obtaining data subjects’ consent. According to the data subject, the controller requested them to fill in the form despite them not needing the assistance. The controller required the data subject to provide their health data without explaining how it would be processed or obtaining consent for it. Emirates (the controller) is an airline company. In 2025, a data subject brought a complaint to the DPA regarding the controller’s processing activities of data subjects with disabilities or reduced mobility. The controller required persons with reduced mobility to complete a form to provide them with the transport services. This form processed names, contact details, health information, and medical certificates when needed. 
The controller presented the form without referring to the privacy notice and without obtaining data subjects’ consent. According to the data subject, the controller requested them to fill in the form despite them not needing the assistance. The controller required the data subject to provide their health data without explaining how it would be processed or obtaining consent for it. The controller argued that it requested this information as a preventative measure to ensure it can provide assistance to all data subjects that need it, in accordance with its obligations under EU law. The controller referred to Regulation 1107\u002F2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air ( https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Freg\u002F2006\u002F1107\u002Foj\u002Feng ) The MEDIF form was a standardised tool to collect the data necessary to determine whether a data subject needed assistance. In terms of data protection, the controller claimed it provided clear and accessible information. In addition, the processing was lawful under performance of a contract and to comply with legal obligations related to safety. The controller processed health data lawfully under substantial public interest. Finally, the controller made the form accessible to a limited number of parties, and retained the data for a period of 7 years to meet legal and defence requirements. The controller argued that it requested this information as a preventative measure to ensure it can provide assistance to all data subjects that need it, in accordance with its obligations under EU law. 
The controller referred to Regulation 1107\u002F2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air ( https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Freg\u002F2006\u002F1107\u002Foj\u002Feng ) The form was a standardised tool to collect the data necessary to determine whether a data subject needed assistance. In terms of data protection, the controller claimed it provided clear and accessible information. In addition, the processing was lawful under performance of a contract and to comply with legal obligations related to safety. The controller processed health data lawfully under substantial public interest. Finally, the controller made the form accessible to a limited number of parties, and retained the data for a period of 7 years to meet legal and defence requirements. === Holding === === Holding === Line 94: Line 94: The DPA also found a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], as the controller did not comply with the principle of storage limitation. The DPA considered the retention periods for health data excessive, as they were based on hypothetical and highly unlikely future disputes. The DPA also found a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], as the controller did not comply with the principle of storage limitation. The DPA considered the retention periods for health data excessive, as they were based on hypothetical and highly unlikely future disputes. The DPA fined the controller 180,000. In addition, the DPA ordered the controller to review the categories of data subjects required to complete the form, provide complete information, and clarify which sections of the form can be left blank by data subjects (as the data is not necessary for the controller’s purposes). Finally, the DPA ordered the controller to reevaluate its data retention period. The DPA fined the controller €180,000. 
In addition, the DPA ordered the controller to review the categories of data subjects required to complete the form, provide complete information, and clarify which sections of the form can be left blank by data subjects (as the data is not necessary for the controller’s purposes). Finally, the DPA ordered the controller to reevaluate its data retention period. == Comment == == Comment ==","Italy's data protection authority (Garante) has fined Emirates €180,000 for violating GDPR. The airline collected sensitive health data from passengers with disabilities or reduced mobility without proper consent or clear privacy notices. The Garante found that the retention period for this data was excessive and not justified by hypothetical future disputes, violating the storage limitation principle.","Italy's Garante fines Emirates €180,000 for GDPR violations related to passenger data.","Help Garante per la protezione dei dati personali (Italy) - 347\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:32, 18 June 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators698 editsmTag: Visual edit← Older edit Latest revision as of 08:27, 23 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators698 editsmTag: Visual edit Line 83: Line 83: === Facts ====== Facts === Emirates (the controller) is an airline company. In 2025, a data subject brought a complaint to the DPA regarding the controller’s processing activities of data subjects with disabilities or reduced mobility. The controller required persons with reduced mobility to complete a form (Medical Information for Fitness to Travel, or MEDIF) to provide them with the transport services. This form processed names, contact details, health information, and medical certificates when needed. 
The controller presented the form without referring to the privacy notice and without obtaining data subjects’ consent. According to the data subject, the controller requested them to fill in the form despite them not needing the assistance. The controller required the data subject to provide their health data without explaining how it would be processed or obtaining consent for it. Emirates (the controller) is an airline company. In 2025, a data subject brought a complaint to the DPA regarding the controller’s processing activities of data subjects with disabilities or reduced mobility. The controller required persons with reduced mobility to complete a form to provide them with the transport services. This form processed names, contact details, health information, and medical certificates when needed. The controller presented the form without referring to the privacy notice and without obtaining data subjects’ consent. According to the data subject, the controller requested them to fill in the form despite them not needing the assistance. The controller required the data subject to provide their health data without explaining how it would be processed or obtaining consent for it. The controller argued that it requested this information as a preventative measure to ensure it can provide assistance to all data subjects that need it, in accordance with its obligations under EU law.\u003Cref>The controller referred to Regulation 1107\u002F2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air (\u003Cnowiki>https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Freg\u002F2006\u002F1107\u002Foj\u002Feng\u003C\u002Fnowiki>) \u003C\u002Fref> The MEDIF form was a standardised tool to collect the data necessary to determine whether a data subject needed assistance. In terms of data protection, the controller claimed it provided clear and accessible information. 
In addition, the processing was lawful under performance of a contract and to comply with legal obligations related to safety. The controller processed health data lawfully under substantial public interest. Finally, the controller made the form accessible to a limited number of parties, and retained the data for a period of 7 years to meet legal and defence requirements.The controller argued that it requested this information as a preventative measure to ensure it can provide assistance to all data subjects that need it, in accordance with its obligations under EU law.\u003Cref>The controller referred to Regulation 1107\u002F2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air (\u003Cnowiki>https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Freg\u002F2006\u002F1107\u002Foj\u002Feng\u003C\u002Fnowiki>) \u003C\u002Fref> The form was a standardised tool to collect the data necessary to determine whether a data subject needed assistance. In terms of data protection, the controller claimed it provided clear and accessible information. In addition, the processing was lawful under performance of a contract and to comply with legal obligations related to safety. The controller processed health data lawfully under substantial public interest. Finally, the controller made the form accessible to a limited number of parties, and retained the data for a period of 7 years to meet legal and defence requirements. === Holding ====== Holding === Line 94: Line 94: The DPA also found a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], as the controller did not comply with the principle of storage limitation. The DPA considered the retention periods for health data excessive, as they were based on hypothetical and highly unlikely future disputes.The DPA also found a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], as the controller did not comply with the principle of storage limitation. 
The DPA considered the retention periods for health data excessive, as they were based on hypothetical and highly unlikely future disputes. The DPA fined the controller 180,000. In addition, the DPA ordered the controller to review the categories of data subjects required to complete the form, provide complete information, and clarify which sections of the form can be left blank by data subjects (as the data is not necessary for the controller’s purposes). Finally, the DPA ordered the controller to reevaluate its data retention period.The DPA fined the controller €180,000. In addition, the DPA ordered the controller to review the categories of data subjects required to complete the form, provide complete information, and clarify which sections of the form can be left blank by data subjects (as the data is not necessary for the controller’s purposes). Finally, the DPA ordered the controller to reevaluate its data retention period. == Comment ==== Comment == Latest revision as of 08:27, 23 June 2026 Garante per la protezione dei dati personali - Case number: 347\u002F2026 Internal number (from the DPA): 10259296 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 9 GDPR Article 9(2) GDPR Article 12 GDPR Article 13 GDPR Type: Complaint Outcome: Upheld Started: 25.01.2025 Decided: 14.05.2026 Published: 15.06.2026 Fine: 180,000 EUR Parties: Emirates National Case Number\u002FName: Case number: 347\u002F2026 Internal number (from the DPA): 10259296 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined an airline company €180,000 for its processing activities related to a form required to provide assistance for data subjects with limited mobility. 
The DPA considered the processing of health data in the form itself lawful; however, it found that the company did not inform data subjects sufficiently and retained the data for excessive periods. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Emirates (the controller) is an airline company. In 2025, a data subject brought a complaint to the DPA regarding the controller’s processing activities concerning data subjects with disabilities or reduced mobility. The controller required persons with reduced mobility to complete a form in order to be provided with the transport services. This form processed names, contact details, health information, and medical certificates when needed. The controller presented the form without referring to the privacy notice and without obtaining data subjects’ consent. According to the data subject, the controller requested them to fill in the form even though they did not need the assistance. The controller required the data subject to provide their health data without explaining how it would be processed or obtaining consent for it. 
The controller argued that it requested this information as a preventative measure to ensure it can provide assistance to all data subjects that ","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_347\u002F2026&diff=51951&oldid=51921","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-06-23T08:27:32+00:00","2026-06-23T10:00:12.097902+00:00",7,[18,21],{"name":19,"type":20},"Emirates","vendor",{"name":22,"type":23},"MEDIF form","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":26,"name":27,"slug":28},null,"Policy","policy",[30,35,40,42],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":36},{"id":37,"icon":26,"name":38,"slug":39},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":41},{"id":24,"icon":26,"name":27,"slug":28},{"category":43},{"id":44,"icon":26,"name":45,"slug":46},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]