[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3c4oYf3iTgM-jSLTe3AYEkiPKOZQ1hl0ydX4m8AXUaA":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"04f03ad1-4da0-417f-a6d4-c5db551159c5","Garante per la protezione dei dati personali (Italy) - 385\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-385-2026-073707","Created page with \"{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=385\u002F2026 |ECLI= |Original_Source_Name_1=GPDP |Original_Source_Link_1=https:\u002F\u002Fwww.garanteprivacy.it\u002Fweb\u002Fguest\u002Fhome\u002Fdocweb\u002F-\u002Fdocweb-display\u002Fdocweb\u002F10262455 |Original_Source_Language_1=Italian |Original_Source_Language__Code_1=...\" Show changes","Italy's Garante per la protezione dei dati personali has fined the Italian Red Cross €700 for unlawfully disclosing a patient's HIV status alongside their full name on a meal tray note. The DPA found violations of GDPR articles related to data minimization, security, and lawful processing of special category data, noting that national law's protective measures did not justify such a disclosure.","Italian Red Cross fined €700 for unlawfully disclosing HIV status on meal tray.","Help Garante per la protezione dei dati personali (Italy) - 385\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 09:51, 7 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators724 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 09:51, 7 July 2026 Garante per la protezione dei dati personali - 385\u002F2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(c) GDPR Article 5(1)(f) GDPR Article 9 GDPR Art. 157 of the Code Type: Complaint Outcome: Upheld Started: Decided: 28.05.2026 Published: Fine: 700 EUR Parties: Italian Red Cross National Case Number\u002FName: 385\u002F2026 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined the Italian Red Cross €700 for unlawfully disclosing a data subject’s medical condition along with their full name in a note next to the data subject’s meal tray. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A data subject brought a complaint to the DPA through a non-profit organisation (LILA) against the Italian Red Cross (the controller). While the data subject was hospitalised, they recieved their food tray with a note stating their full name and medical condition as a patient with HIV. The data subject had also contacted the health directorate of the hospital, but had not received a response. During the DPA’s investigations, the controller stated that it included information on patients’ conditions to alert the kitchen staff on protective measures needed. The controller later modified the form alerting the staff to replace the patient’s medical condition with specific requests (e.g. to use disposable tableware). Holding The DPA found a violation of Article 9 GDPR. The DPA highlighted that under national law, the controller has additional responsibilities in ensuring the confidentiality of data subjects that have HIV or AIDS. National law also requires medical facilities to implement protective measures to prevent the transmission of HIV. However, this requirement does not justify including the data subject’s full name and condition in the context of meal service. Therefore, the controller did not have a legal basis to process the data subject’s personal data in the context of disclosing the data subject’s HIV status while providing meals. The DPA also found a violation of Articles 5(1)(c) and (f) GDPR. The DPA considered that the processing activity violated the principle of data minimisation. The controller also failed to ensure security of processing by disclosing the data subject’s medical condition. Finally, the DPA found a violation of Article 157 of the Code, as the controller had not complied with its obligation to provide information to the DPA during its investigations. The DPA fined the controller €700. The DPA took into account that the controller had implemented measures to prevent future incidents from happening, such as raising awareness among staff. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. [web doc. no. 10262455] Measure of May 28, 2026 Register of Measures No. 385 of May 28, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stazione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Members, and Luigi Montuori, Attorney-at-Law, Secretary General; CONSIDERING Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC, \"General Data Protection Regulation\" (hereinafter \"Regulation\"); HAVING SEEN the Personal Data Protection Code (Legislative Decree No. 196 of June 30, 2003) (hereinafter the \"Code\"); HAVING SEEN Regulation No. 1\u002F2019 concerning internal procedures of external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Italian Data Protection Authority, approved by Resolution No. 98 of April 4, 2019, published in the Official Journal No. 106 of May 8, 2019, and on www.gpdp.it, web doc. No. 9107633 (hereinafter \"Data Protection Authority Regulation No. 1\u002F2019\"); HAVING SEEN the documentation in the file; HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Data Protection Authority Regulation No. 1\u002F2000 on the organization and functioning of the Office of the Guarantor for the Protection of Personal Data, web doc. no. 1098801; Rapporteur: Professor Pasquale Stazione; WHEREAS 1. The Complaint and Investigation With a note dated XX, XX filed a complaint, through the LILA non-profit organization, against the Italian Red Cross – Tuscany Regional Committee – Anna Torrigiani Hospital, alleging a violation of the regulations regarding the protection of personal data that occurred during his hospitalization in the orthopedic department. Specifically, the complainant stated that, after \"upon admission to the orthopedics department (...) informing the doctor on duty and the nurse (...) of her HIV and HCV status,\" the following day \"she received her lunch and dinner trays with a piece of paper annotating her HIV and HCV status,\" as well as her name and surname on the lunch tray. She also stated that she had requested \"clarification from the Health Director of the Anna Torrigiani Hospital and the Head of the Orthopedics Department (...), without receiving any response to date.\" As part of the investigation, with note dated XX, protocol no. XX, the Authority requested from the Association, pursuant to art. 157 of the Code, information useful for assessing the case. The request was sent by registered mail to Via di Camerata n. 10, 50133 Florence, and was duly notified on XX. Having received no response, with a note dated XX, protocol no. XX, the Association was notified of the initiation of proceedings for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations, alleging violation of Article 157 of the Code, pursuant to Article 166, paragraph 5, of the same Code. With a note dated XX, the Association responded to the Authority's request for information, but did not submit written defenses in relation to the dispute referred to in the aforementioned note dated XX. Specifically, the data controller stated, among other things, that: - \"In the specific case of the incident, (...) the catering company, although external, has an in-house kitchen. Therefore, this helps us ensure that the information remains within the confines of the Facility and that the kitchen staff (not subject to constant movement) are considered by the Hospital as those responsible for caring for the patients and are consequently informed of any biological risks.\" - \"The information about the patient's condition was reported on the complaint form intended exclusively for the kitchen to pre-alert the portioning staff (who come into contact with the patients) to take appropriate protective\u002Fpreventive measures (e.g., use of disposable tableware).\" - \"Following the patient's verbal complaint on the ward, we have amended the meal request form, using only the words 'disposable tableware' in the notes. We sincerely apologize to Ms. (...) for this incident and will take further action to prevent similar situations from recurring.\" 2. Department's assessment of the treatment performed and notification of the violation pursuant to Article 166, paragraph 5, of the Code In relation to the facts described in","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_385\u002F2026&diff=52073&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-07-07T09:51:50+00:00","2026-07-07T10:00:26.279234+00:00",7,[18,21],{"name":19,"type":20},"Italian Red Cross","vendor",{"name":22,"type":23},"GDPR","product","d95477d7-eb04-4fad-a2dc-be1428040ce7",{"id":24,"icon":26,"name":27,"slug":28},null,"Privacy Fines","privacy-fines",[30,34,39,44],{"category":31},{"id":32,"icon":26,"name":22,"slug":33},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","gdpr",{"category":35},{"id":36,"icon":26,"name":37,"slug":38},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":40},{"id":41,"icon":26,"name":42,"slug":43},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":45},{"id":24,"icon":26,"name":27,"slug":28},[]]