[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7lR8OuajBU7OvDlwLBRcTZFHKbv-ubI5-H2HF9Wj0b8":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"7540a29f-750c-4ce4-b74f-5898c9ddc194","Garante per la protezione dei dati personali (Italy) - 419\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-419-2026-157510","Moved part of the facts to the Holding section ← Older revision Revision as of 08:43, 23 June 2026 Line 77: Line 77: === Facts === === Facts === ==== The context of the case ==== The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act. The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act. Line 87: Line 85: Some data subjects complained It is not clear whether the DPA started the investigation ''ex officio'' or due to the complaints. that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that they will only be used for strictly professional communications. When the addressess became digital domiciles, third parties (such as public bodies) started using them for communications unrelated to the data subjects' personal lives - which occasionally led to unintended data disclosures. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion. Some data subjects complained It is not clear whether the DPA started the investigation ''ex officio'' or due to the complaints. that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that they will only be used for strictly professional communications. When the addressess became digital domiciles, third parties (such as public bodies) started using them for communications unrelated to the data subjects' personal lives - which occasionally led to unintended data disclosures. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion. === Holding === ==== The investigation ==== ==== The investigation ==== Line 101: Line 100: During the investigation, the controller confirmed that InfoCamere had no role in the processing of personal data. The controller also stated that it had contacted the actual service provider in order to correct the error and that the provider had done so with great delay. During the investigation, the controller confirmed that InfoCamere had no role in the processing of personal data. The controller also stated that it had contacted the actual service provider in order to correct the error and that the provider had done so with great delay. === Holding === ==== The DPA's conclusion ==== The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of [[Article 5 GDPR|Articles 5(1)(a), 5(1)(b), 5(2)]], [[Article 12 GDPR|12]], [[Article 14 GDPR|14]] and [[Article 25 GDPR|25 GDPR]]. On these grounds, the DPA fined the controller €55,000. The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of [[Article 5 GDPR|Articles 5(1)(a), 5(1)(b), 5(2)]], [[Article 12 GDPR|12]], [[Article 14 GDPR|14]] and [[Article 25 GDPR|25 GDPR]]. On these grounds, the DPA fined the controller €55,000.","Italy's data protection authority, the Garante, has fined the Agency for Digital Italy (AgID) €55,000 for failing to properly inform data subjects about the inclusion of their professional email addresses in the INAD index. The DPA found that AgID violated GDPR articles related to transparency, data minimization, and lawful processing, as these email addresses were used for communications unrelated to professional duties, leading to potential data disclosures and preventing timely opt-outs.","Italy's Garante fines AgID €55,000 for GDPR violations related to email address processing.","Help Garante per la protezione dei dati personali (Italy) - 419\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 20:14, 22 June 2026 view sourceCarloc (talk | contribs)707 editsm Tag: Visual edit← Older edit Latest revision as of 08:43, 23 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators698 editsm Tag: Visual edit Line 77: Line 77: === Facts ====== Facts === ==== The context of the case ==== The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act.The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act. Line 87: Line 85: Some data subjects complained\u003Cref>It is not clear whether the DPA started the investigation ''ex officio'' or due to the complaints.\u003C\u002Fref> that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that they will only be used for strictly professional communications. When the addressess became digital domiciles, third parties (such as public bodies) started using them for communications unrelated to the data subjects' personal lives - which occasionally led to unintended data disclosures. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion.Some data subjects complained\u003Cref>It is not clear whether the DPA started the investigation ''ex officio'' or due to the complaints.\u003C\u002Fref> that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that they will only be used for strictly professional communications. When the addressess became digital domiciles, third parties (such as public bodies) started using them for communications unrelated to the data subjects' personal lives - which occasionally led to unintended data disclosures. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion. === Holding === ==== The investigation ======== The investigation ==== Line 101: Line 100: During the investigation, the controller confirmed that InfoCamere had no role in the processing of personal data. The controller also stated that it had contacted the actual service provider in order to correct the error and that the provider had done so with great delay.During the investigation, the controller confirmed that InfoCamere had no role in the processing of personal data. The controller also stated that it had contacted the actual service provider in order to correct the error and that the provider had done so with great delay. === Holding ======= The DPA's conclusion ==== The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of [[Article 5 GDPR|Articles 5(1)(a), 5(1)(b), 5(2)]], [[Article 12 GDPR|12]], [[Article 14 GDPR|14]] and [[Article 25 GDPR|25 GDPR]]. On these grounds, the DPA fined the controller €55,000.The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of [[Article 5 GDPR|Articles 5(1)(a), 5(1)(b), 5(2)]], [[Article 12 GDPR|12]], [[Article 14 GDPR|14]] and [[Article 25 GDPR|25 GDPR]]. On these grounds, the DPA fined the controller €55,000. Latest revision as of 08:43, 23 June 2026 Garante per la protezione dei dati personali - 419\u002F2026 Internal number (from the DPA): 10252460 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(2) GDPR Article 12 GDPR Article 14 GDPR Article 25 GDPR Type: Investigation Outcome: Violation Found Started: Decided: 28.05.2026 Published: Fine: 55,000 EUR Parties: AgID National Case Number\u002FName: 419\u002F2026 Internal number (from the DPA): 10252460 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: carloc The DPA fined the government agency for digitalization €55,000 for failing to inform data subjects about the inclusion of their certified email addresses in a public index of digital domiciles. Contents 1 English Summary 1.1 Facts 1.2 Holding 1.2.1 The investigation 1.2.1.1 On the duty of information 1.2.1.2 On the controller’s identity 1.2.2 The DPA's conclusion 2 Comment 2.1 The DPA’s Opinion on the processing 2.2 No injunction in the decision 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act. The case revolves around two public online indexes of certified email addresses: the INI-PEC and the INAD. INI-PEC is the older of the two indexes and includes, among others, the email addressess of professionals (the data subjects). INAD was created by AgID in 2023 as provided by Italian law[1] and functions as an index of “digital domiciles” for both professionals and other owners of a digital email address. Shortly after setting up the INAD index, AgID automatically included the addresses of professionals from the old INI-PEC index. As a result, the addresses automatically became the digital domicile for communications not related to the professional lives of the data subjects. Data subjects were given the option to opt-out of the inclusion in the INAD index. Some data subjects complained[2] that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that they will only be used for strictly professional communications. When the addressess became digital domiciles, third parties (such as public bodies) started using them for communications unrelated to the data subjects' personal lives - which occasionally led to unintended data disclosures. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion. Holding The investigation On the duty of information First of all, the DPA clarified that by including email addresses in the INAD index, the controller further processed personal data for a new purpose, incompatible with the original purpose of the processing (i.e.: the inclusion of email addresses in the older index). With regards to the duty of information, the controller pointed out that it contacted professional orders to inform them about the creation of the INAD index. In the context of these communications, the controller asked professional orders to inform the data subjects about this processing of personal data and about their right to opt out. The controller stated that it did not directly contact the data subjects via their email addresses, as it feared that its emails would have been mistaken as phishing or scams[3]. The controller later launched a more effective information campaign with the help of other gov","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_419\u002F2026&diff=51952&oldid=51945","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-06-23T08:43:36+00:00","2026-06-23T10:00:12.097902+00:00",7,[18,21],{"name":19,"type":20},"AgID","vendor",{"name":22,"type":23},"INAD index","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":26,"name":27,"slug":28},null,"Policy","policy",[30,35,40,45],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":36},{"id":37,"icon":26,"name":38,"slug":39},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":41},{"id":42,"icon":26,"name":43,"slug":44},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":46},{"id":47,"icon":26,"name":48,"slug":49},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]