[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsA2d4J0T1o9rQ1nTJ21cD0rCG2r4-wfrM88posZ03OA":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":28,"category":29,"article_tags":33},"96bdd609-1861-4959-a9d3-c4f80d53fe33","Garante per la protezione dei dati personali (Italy) - 419\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-419-2026-6b16fd","The context of the case ← Older revision Revision as of 20:14, 22 June 2026 (6 intermediate revisions by the same user not shown) Line 8: Line 8: |Case_Number_Name=419\u002F2026 |Case_Number_Name=419\u002F2026 Internal number (from the DPA): 10252460 |ECLI= |ECLI= Line 76: Line 77: === Facts === === Facts === The context of the case ==== The context of the case ==== The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act. The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act. The case revolves around two public online indexes of certified email addresses: the INI-PEC and the INAD. INI-PEC is the older of the two indexes and includes, among others, the email addressess of professionals (the data subjects). INAD was created by AgID in 2023 as provided by Italian law. INAD functions as an index of “digital domiciles” for both professionals and other owners of a digital email address. The case revolves around two public online indexes of certified email addresses: the INI-PEC and the INAD. INI-PEC is the older of the two indexes and includes, among others, the email addressess of professionals (the data subjects). INAD was created by AgID in 2023 as provided by Italian law See Articles 3-''bis'', 6-''quater'' and 6''-quinquies'', d. lgs. 82\u002F2005. and functions as an index of “digital domiciles” for both professionals and other owners of a digital email address. Shortly after setting up the INAD index, AgID automatically included the addresses of professionals from the old INI-PEC index. As a result, the exported emails became the digital domicile for communications not related to the professional lives of the data subjects. Data subjects were given the option to opt-out of the inclusion in the INAD index. Shortly after setting up the INAD index, AgID automatically included the addresses of professionals from the old INI-PEC index. As a result, the addresses automatically became the digital domicile for communications not related to the professional lives of the data subjects. Data subjects were given the option to opt-out of the inclusion in the INAD index. Some data subjects complained (1) that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that it will only be used for strictly professional communications. In some cases, co-workers were able to view strictly personal emails after the email address was listed as a digital domicile for all communications. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion. Some data subjects complained It is not clear whether the DPA started the investigation ''ex officio'' or due to the complaints. that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that they will only be used for strictly professional communications. When the addressess became digital domiciles, third parties (such as public bodies) started using them for communications unrelated to the data subjects' personal lives - which occasionally led to unintended data disclosures. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion. The investigation ==== The investigation ==== On the duty of information ===== On the duty of information ===== First of all, the DPA clarified that by including email addresses in the INAD index, the controller further processed personal data for a new purpose, incompatible with the original purpose of the processing (i.e.: the inclusion of email addresses in the older index). First of all, the DPA clarified that by including email addresses in the INAD index, the controller further processed personal data for a new purpose, incompatible with the original purpose of the processing (i.e.: the inclusion of email addresses in the older index). With regards to the duty of information, the controller pointed out that it contacted professional orders to inform them about the creation of the INAD index. In the context of these communications, the controller asked professional orders to inform the data subjects about this processing of personal data and about their right to opt out. The controller stated that it did not directly contact the data subjects via their email addresses, as it feared that its emails would have been mistaken as phishing or scams(1). With regards to the duty of information, the controller pointed out that it contacted professional orders to inform them about the creation of the INAD index. In the context of these communications, the controller asked professional orders to inform the data subjects about this processing of personal data and about their right to opt out. The controller stated that it did not directly contact the data subjects via their email addresses, as it feared that its emails would have been mistaken as phishing or scams The DPA seems to have accepted this argument, as the decision contains no rebuttal; also see the \"Comments\" section on the lack of an injunction to inform data subjects). . The controller later launched a more effective information campaign with the help of other government bodies; however, this campaign only took place two years after the processing of personal data. The controller later launched a more effective information campaign with the help of other government bodies; however, this campaign only took place in 2025 - two years after addresses where included in the INAD index. On the controller’s identity ===== On the controller’s identity ===== The DPA’s investigation also focused on a second issue, relative to the authentication procedure for digital domiciles: for a long time, a company (InfoCamere S.c.p.a.) was erroneously listed as a service provider for the INAD index. The DPA’s investigation also focused on a second issue, relative to the authentication procedure for digital domiciles: for a long time, a company (InfoCamere S.c.p.a.) was erroneously listed as a service provider for the INAD index. Line 103: Line 102: === Holding === === Holding === The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of Articles 5(1)(a), 5(1)(b), 5(2), 12, 14 and 25 GDPR. On these grounds, the DPA fined the controller €55,000. The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of [[Article 5 GDPR|Articles 5(1)(a), 5(1)(b), 5(2)]], [[Article 12 GDPR|12]], [[Article 14 GDPR|14]] and [[Article 25 GDPR|25 GDPR]]. On these grounds, the DPA fined the controller €55,000. With regards to the erroneous indication of the service provider in the authentication screen, the DPA found that the mistake was isolated and that overall, the information provided during the procedure was still sufficient to clarify that AgID was the controller. On these grounds, the DPA found that the mistake did not, in and of itself, constitute a violation of the GDPR. With regards to the erroneous indication of the service provider in the authentication screen, the DPA found that the mistake was isolated and that overall, the information provided during the procedure was still sufficient to clarify that AgID was the controller. On these grounds, the DPA found that the mistake did not, in and of itself, constitute a violation of the GDPR. == Comment == == Comment == On the DPA’s Opinion Before the creation of INAD, the DPA had specifically provided the controller with an opinion on the relative processing of personal data. In particular, the DPA’s guidance noted that the controller had not planned sufficient measures to inform the data subjects, which could practically undermine their option to opt out of the processing. In the decision, the controller noted that this guidance was entirely ignored. On the controller’s arguments on individual e-mails ==== The DPA’s Opinion on the processing ==== Before the creation of INAD, the DPA had specifically provided the controller with an opinion Garante per la protezione dei dati personali, ''Parere all’AgID sullo schema di Linee guida dell’Indice nazionale dei domicili digitali delle persone fisiche, dei professionisti e degli altri enti di diritto privato non tenuti all’iscrizione in albi, elenchi o registri professionali o nel registro delle imprese'', July 2021 (available [https:\u002F\u002Fwww.garanteprivacy.it\u002Fhome\u002Fdocweb\u002F-\u002Fdocweb-display\u002Fdocweb\u002F9690742 here]). on the relative processing of personal data. In particular, the DPA’s guidance noted that the controller had not planned sufficient measures to inform the data subjects, which could practically undermine their option to opt out of the processing. In the decision, the controller noted that this guidance was entirely ignored. ==== No injunction in the decision ==== Notably, the decision does not contain an injunction to properly inform the data subjects. This implies that in the DPA’s eyes, the controller had remedied the violation with its broader 2025 information campaign. Notably, the decision does not contain an injunction to properly inform the data subjects. This implies that in the DPA’s eyes, the controller had remedied the violation with its broader 2025 information campaign.","Italy's data protection authority, the Garante, has fined the Agency for Digital Italy (AgID) €55,000 for violating GDPR. The violations stemmed from AgID's automatic inclusion of professionals' email addresses in the INAD index, which served as a digital domicile for all communications, leading to privacy infringements. AgID failed to adequately inform data subjects about this processing, hindering their ability to opt-out in a timely manner.","Italy's Garante fines AgID €55,000 for GDPR violations related to digital domicile index.","Help Garante per la protezione dei dati personali (Italy) - 419\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 19:50, 22 June 2026 view sourceCarloc (talk | contribs)707 edits Tag: submission [1.0] Latest revision as of 20:14, 22 June 2026 view source Carloc (talk | contribs)707 editsm Tag: Visual edit (6 intermediate revisions by the same user not shown)Line 8: Line 8: |Case_Number_Name=419\u002F2026|Case_Number_Name=419\u002F2026 Internal number (from the DPA): 10252460 |ECLI=|ECLI= Line 76: Line 77: === Facts ====== Facts === The context of the case ==== The context of the case ==== The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act.The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act. The case revolves around two public online indexes of certified email addresses: the INI-PEC and the INAD. INI-PEC is the older of the two indexes and includes, among others, the email addressess of professionals (the data subjects). INAD was created by AgID in 2023 as provided by Italian law. INAD functions as an index of “digital domiciles” for both professionals and other owners of a digital email address.The case revolves around two public online indexes of certified email addresses: the INI-PEC and the INAD. INI-PEC is the older of the two indexes and includes, among others, the email addressess of professionals (the data subjects). INAD was created by AgID in 2023 as provided by Italian law\u003Cref>See Articles 3-''bis'', 6-''quater'' and 6''-quinquies'', d. lgs. 82\u002F2005.\u003C\u002Fref> and functions as an index of “digital domiciles” for both professionals and other owners of a digital email address. Shortly after setting up the INAD index, AgID automatically included the addresses of professionals from the old INI-PEC index. As a result, the exported emails became the digital domicile for communications not related to the professional lives of the data subjects. Data subjects were given the option to opt-out of the inclusion in the INAD index.Shortly after setting up the INAD index, AgID automatically included the addresses of professionals from the old INI-PEC index. As a result, the addresses automatically became the digital domicile for communications not related to the professional lives of the data subjects. Data subjects were given the option to opt-out of the inclusion in the INAD index. Some data subjects complained (1) that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that it will only be used for strictly professional communications. In some cases, co-workers were able to view strictly personal emails after the email address was listed as a digital domicile for all communications. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion.Some data subjects complained\u003Cref>It is not clear whether the DPA started the investigation ''ex officio'' or due to the complaints.\u003C\u002Fref> that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that they will only be used for strictly professional communications. When the addressess became digital domiciles, third parties (such as public bodies) started using them for communications unrelated to the data subjects' personal lives - which occasionally led to unintended data disclosures. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion. The investigation==== The investigation ==== On the duty of information ===== On the duty of information ===== First of all, the DPA clarified that by including email addresses in the INAD index, the controller further processed personal data for a new purpose, incompatible with the original purpose of the processing (i.e.: the inclusion of email addresses in the older index).First of all, the DPA clarified that by including email addresses in the INAD index, the controller further processed personal data for a new purpose, incompatible with the original purpose of the processing (i.e.: the inclusion of email addresses in the older index). With regards to the duty of information, the controller pointed out that it contacted professional orders to inform them about the creation of the INAD index. In the context of these communications, the controller asked professional orders to inform the data subjects about this processing of personal data and about their right to opt out. The controller stated that it did not directly contact the data subjects via their email addresses, as it feared that its emails would have been mistaken as phishing or scams(1).With regards to the duty of information, the controller pointed out that it contacted professional orders to inform them about the creation of the INAD index. In the context of these communications, the controller asked professional orders to inform the data subjects about this processing of personal data and about their right to opt out. The controller stated that it did not directly contact the data subjects via their email addresses, as it feared that its emails would have been mistaken as phishing or scams\u003Cref>The DPA seems to have accepted this argument, as the decision contains no rebuttal; also see the \"Comments\" section on the lack of an injunction to inform data subjects).\u003C\u002Fref>. The controller later launched a more effective information campaign with the help of other government bodies; however, this campaign only took place two years after the processing of personal data.The controller later launched a more effective information campaign with the help of other government bodies; however, this campaign only took place in 2025 - two years after addresses where included in the INAD index. On the controller’s identity ===== On the controller’s identity ===== The DPA’s investigation also focused on a second issue, relative to the authentication procedure for digital domiciles: for a long time, a company (InfoCamere S.c.p.a.) was erroneously listed as a service provider for the INAD index.The DPA’s investigation also focused on a second issue, relative to the authentication procedure for digital domiciles: for a long time, a company (InfoCamere S.c.p.a.) was erroneously listed as a service provider for the INAD index. Line 103: Line 102: === Holding ====== Holding === The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of Articles 5(1)(a), 5(1)(b), 5(2), 12, 14 and 25 GDPR. On these grounds, the DPA fined the controller €55,000.The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of [[Article 5 GDPR|Articles 5(1)(a), 5(1)(b), 5(2)]], [[Article 12 GDPR|12]], [[Article 14 GDPR|14]] and [[Article 25 GDPR|25 GDPR]]. On these grounds, the DPA fined the controller €55,000. With regards to the erroneous indication of the service provider in the authentication screen, the DPA found that the mistake was isolated and that overall, the information provided during the procedure was still sufficient to clarify that AgID was the controller. On th","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_419\u002F2026&diff=51945&oldid=51938","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-06-22T20:14:53+00:00","2026-06-22T22:00:23.058763+00:00",7,[18,21,24,26],{"name":19,"type":20},"AgID","vendor",{"name":22,"type":23},"INI-PEC","product",{"name":25,"type":23},"INAD",{"name":27,"type":20},"InfoCamere S.c.p.a.","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":28,"icon":30,"name":31,"slug":32},null,"Policy","policy",[34,39,44,46],{"category":35},{"id":36,"icon":30,"name":37,"slug":38},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":40},{"id":41,"icon":30,"name":42,"slug":43},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":45},{"id":28,"icon":30,"name":31,"slug":32},{"category":47},{"id":48,"icon":30,"name":49,"slug":50},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]