Garante per la protezione dei dati personali (Italy) - 347/2026

Summary

Italy's Garante per la protezione dei dati personali has fined Emirates €180,000 for transparency violations related to a form for customers with limited mobility. The airline failed to adequately inform users about data processing and obtain consent for health data collection. Despite these violations, the DPA found the overall processing to be lawful.

Full text

Help Garante per la protezione dei dati personali (Italy) - 347/2026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:35, 24 June 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators700 editsmTag: Visual edit← Older edit Latest revision as of 15:56, 24 June 2026 view source Carloc (talk | contribs)708 editsm Tag: Visual edit Line 78: Line 78: }}}} The DPA fined an airline €180,000 for transparency violations connected to the form it requires customers with limited mobility to fill out in order to receive assistance. However, the court considered the processing generally to be lawful.The DPA fined an airline €180,000 for transparency violations connected to the form it requires customers with limited mobility to fill out in order to receive assistance. However, the DPA considered the processing generally to be lawful. == English Summary ==== English Summary == Latest revision as of 15:56, 24 June 2026 Garante per la protezione dei dati personali - Case number: 347/2026 Internal number (from the DPA): 10259296 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 9 GDPR Article 9(2) GDPR Article 12 GDPR Article 13 GDPR Type: Complaint Outcome: Upheld Started: 25.01.2025 Decided: 14.05.2026 Published: 15.06.2026 Fine: 180,000 EUR Parties: Emirates National Case Number/Name: Case number: 347/2026 Internal number (from the DPA): 10259296 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined an airline €180,000 for transparency violations connected to the form it requires customers with limited mobility to fill out in order to receive assistance. However, the DPA considered the processing generally to be lawful. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Emirates (the controller) is an airline company. In 2025, a data subject brought a complaint to the DPA regarding the controller’s processing activities of data subjects with disabilities or reduced mobility. The controller required persons with reduced mobility to complete a form to provide them with the transport services. This form processed names, contact details, health information, and medical certificates when needed. The controller presented the form without referring to the privacy notice and without obtaining data subjects’ consent. According to the data subject, the controller requested them to fill in the form despite them not needing the assistance. The controller required the data subject to provide their health data without explaining how it would be processed or obtaining consent for it. The controller argued that it requested this information as a preventative measure to ensure it can provide assistance to all data subjects that need it, in accordance with its obligations under EU law.[1] The form was a standardised tool to collect the data necessary to determine whether a data subject needed assistance. In terms of data protection, the controller claimed it provided clear and accessible information. In addition, the processing was lawful under performance of a contract and to comply with legal obligations related to safety. The controller processed health data lawfully under substantial public interest. Finally, the controller made the form accessible to a limited number of parties, and retained the data for a period of 7 years to meet legal and defence requirements. Holding The DPA first found that the controller did not violate Articles 5(1)(a), (b), (c), 6(1) and 9 GDPR. The DPA consulted the national authority responsible for monitoring compliance with the rights of passengers with disabilities (the Civil Aviation Authority, or ENAC). According to ENAC, the processing through the form was compliant with Article 5 GDPR, as it is strictly necessary to provide transportation services safely for passengers with disabilities or reduced mobility. Therefore, the DPA considered that the controller had a valid legal basis to process the data. However, the DPA found a violation of Articles 5(1)(a), 12 and 13 GDPR, as the controller had not complied with its transparency obligations. According to the DPA, the information provided in the form and privacy policy was vague, and did not inform data subjects of aspects such as the legal bases for processing and the retention periods. The DPA also found a violation of Article 5(1)(e) GDPR, as the controller did not comply with the principle of storage limitation. The DPA considered the retention periods for health data excessive, as they were based on hypothetical and highly unlikely future disputes. The DPA fined the controller €180,000. In addition, the DPA ordered the controller to review the categories of data subjects required to complete the form, provide complete information, and clarify which sections of the form can be left blank by data subjects (as the data is not necessary for the controller’s purposes). Finally, the DPA ordered the controller to reevaluate its data retention period. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. SEE ALSO Newsletter of June 17, 2026 [web doc. no. 10259296] Measure of May 14, 2026 Register of Measures No. 347 of May 14, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; CONSIDERING Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"); HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter the "Code"); HAVING SEEN the complaint filed by Ms. XX on January 29, 2025, pursuant to Article 77 of the Regulation, alleging a violation of personal data protection regulations by Emirates; HAVING EXAMINED the documentation in the file; HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Italian Data Protection Authority No. 1/2000; REPORTER: Dr. Agostino Ghiglia; WHEREAS 1. The complaint against the Company. In a complaint filed with this Authority on January 29, 2025, Ms. XX alleged a violation of personal data protection regulations by Emirates (hereinafter also "the Company" or "the Airline") regarding the collection of information on travelers with disabilities or reduced mobility. The complaint alleged that Emirates, with respect to "persons with reduced mobility" (so-called "PRMs"), makes the provision of air transportation services conditional upon completion of the so-called "MEDIF" form (acronym for Medical Information for Fitness to Travel or Special Assistance). Specifically, Emirates submitted this questionnaire without any reference to the privacy policy and without obtaining the data subject's consent. More specifically, the complainant reported that, despite not falling within the categories required to complete the form, "Emirates nevertheless requested that I complete the form and send it to MEDAattachments@emirates.com," thus requiring me to provide "a large amount of information about my health status for which I had no prior information on the processing methods, nor had I signed any consent or information notice for/on th

Entities