[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f526ji-ZCa7kYkMCpf_0FyNM__iYDTgluYyW5IB-D9lc":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"bc29e5ae-a22a-48c2-8ac6-3c6743cbf88a","Garante per la protezione dei dati personali (Italy) - 471\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-471-2026-efe0b0","← Older revision Revision as of 08:07, 14 July 2026 Line 7: Line 7: |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=471\u002F2026 |Case_Number_Name=Case number: 471\u002F2026 Internal number (from the DPA): 10268727 |ECLI= |ECLI= Line 81: Line 82: === Holding === === Holding === The DPA found a violation of Articles 5, 6 and 10 GDPR. The DPA first clarified that the controller processed data related to the commission of crimes or pending criminal proceedings involving the data subject. This data fell under the scope of [[Article 10 GDPR|Article 10 GDPR]], meaning the controller had specific obligations for the processing activity to be lawful. The DPA considered that the controller had processed this data unlawfully by publishing it, and had failed to comply with the principle of lawfulness (Article 5(1)(a) GDPR) and data minimisation (Article 5(1)(c) GDPR). The DPA found a violation of [[Article 5 GDPR|Articles 5]], [[Article 6 GDPR|6]] and [[Article 10 GDPR|10 GDPR]]. The DPA first clarified that the controller processed data related to the commission of crimes or pending criminal proceedings involving the data subject. This data fell under the scope of [[Article 10 GDPR]], meaning the controller had specific obligations for the processing activity to be lawful. The DPA considered that the controller had processed this data unlawfully by publishing it, and had failed to comply with the principle of lawfulness ([[Article 5 GDPR|Article 5(1)(a) GDPR]]) and data minimisation ([[Article 5 GDPR|Article 5(1)(c) GDPR]]). The DPA also found a violation of [[Article 17 GDPR|Article 17 GDPR]]. The DPA stated that the controller failed to adequately respond to the data subject’s request for erasure by not recognising that the data remained visible in a different section of its website. The DPA also found a violation of [[Article 17 GDPR]]. The DPA stated that the controller failed to adequately respond to the data subject’s request for erasure by not recognising that the data remained visible in a different section of its website. The DPA fined the controller €20,000. The DPA fined the controller €20,000.","Italy's Garante per la protezione dei dati personali has fined the provincial Health Authority of Enna €20,000 for violating GDPR. The authority unlawfully published a resolution containing a data subject's judicial records and failed to adequately remove the data upon request, breaching principles of lawfulness, data minimisation, and the right to erasure.","Italian DPA fines health authority €20,000 for unlawful data publication.","Help Garante per la protezione dei dati personali (Italy) - 471\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 08:05, 14 July 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 edits Tag: submission [1.0] Latest revision as of 08:07, 14 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 editsmTag: Visual edit Line 7: Line 7: |DPA_With_Country=Garante per la protezione dei dati personali (Italy)|DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=471\u002F2026|Case_Number_Name=Case number: 471\u002F2026 Internal number (from the DPA): 10268727 |ECLI=|ECLI= Line 81: Line 82: === Holding ====== Holding === The DPA found a violation of Articles 5, 6 and 10 GDPR. The DPA first clarified that the controller processed data related to the commission of crimes or pending criminal proceedings involving the data subject. This data fell under the scope of [[Article 10 GDPR|Article 10 GDPR]], meaning the controller had specific obligations for the processing activity to be lawful. The DPA considered that the controller had processed this data unlawfully by publishing it, and had failed to comply with the principle of lawfulness (Article 5(1)(a) GDPR) and data minimisation (Article 5(1)(c) GDPR).The DPA found a violation of [[Article 5 GDPR|Articles 5]], [[Article 6 GDPR|6]] and [[Article 10 GDPR|10 GDPR]]. The DPA first clarified that the controller processed data related to the commission of crimes or pending criminal proceedings involving the data subject. This data fell under the scope of [[Article 10 GDPR]], meaning the controller had specific obligations for the processing activity to be lawful. The DPA considered that the controller had processed this data unlawfully by publishing it, and had failed to comply with the principle of lawfulness ([[Article 5 GDPR|Article 5(1)(a) GDPR]]) and data minimisation ([[Article 5 GDPR|Article 5(1)(c) GDPR]]). The DPA also found a violation of [[Article 17 GDPR|Article 17 GDPR]]. The DPA stated that the controller failed to adequately respond to the data subject’s request for erasure by not recognising that the data remained visible in a different section of its website. The DPA also found a violation of [[Article 17 GDPR]]. The DPA stated that the controller failed to adequately respond to the data subject’s request for erasure by not recognising that the data remained visible in a different section of its website. The DPA fined the controller €20,000.The DPA fined the controller €20,000. Latest revision as of 08:07, 14 July 2026 Garante per la protezione dei dati personali - Case number: 471\u002F2026 Internal number (from the DPA): 10268727 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5 GDPR Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6 GDPR Article 10 GDPR Article 17 GDPR Type: Complaint Outcome: Upheld Started: Decided: 18.07.2026 Published: Fine: 20,000 EUR Parties: The provincial Health Authority of Enna National Case Number\u002FName: Case number: 471\u002F2026 Internal number (from the DPA): 10268727 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined a health authority €20,000 for unlawfully publishing information related to a data subject’s judicial records, and failing to fully remove the information from its website when requested. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The provincial Health Authority of Enna (the controller) published a resolution that contained the personal data of a data subject (specifically related to their judicial records). The data subject contacted the controller and requested the controller to remove or redact the data. The controller responded that it would remove it promptly, however, the data subjects’ data remained in a separate page of the controller’s website. The data subject later brought a complaint to the DPA. The controller stated that it completely removed the data subject’s personal data after the DPA requested it, including data that was accidentally included in its website. Holding The DPA found a violation of Articles 5, 6 and 10 GDPR. The DPA first clarified that the controller processed data related to the commission of crimes or pending criminal proceedings involving the data subject. This data fell under the scope of Article 10 GDPR, meaning the controller had specific obligations for the processing activity to be lawful. The DPA considered that the controller had processed this data unlawfully by publishing it, and had failed to comply with the principle of lawfulness (Article 5(1)(a) GDPR) and data minimisation (Article 5(1)(c) GDPR). The DPA also found a violation of Article 17 GDPR. The DPA stated that the controller failed to adequately respond to the data subject’s request for erasure by not recognising that the data remained visible in a different section of its website. The DPA fined the controller €20,000. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. [web doc. no. 10268727] Measure of June 18, 2026 Register of Measures No. 471 of June 18, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC, \"General Data Protection Regulation\" (hereinafter, the \"Regulation\"); SEEN Legislative Decree 30 June 2003, n. 196 of 30 April 2019, containing the \"Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (hereinafter the \"Code\"); CONSIDERING Regulation No. 1\u002F2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with Resolution No. 98 of 4 April 2019, published in the Official Journal No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter \"Data Protection Authority Regulation No. 1\u002F2019\"); Having seen the documentation in the file; Having seen the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1\u002F2000 on the organization and functioning of the Office of the Guarantor for the Protection of Personal Data, web doc. No. 1098801; Rapporteur: Dr. Agostino Ghiglia; WHEREAS 1. Introduction. With a complaint filed pursuant to Article 77 of the Regulation against the Provincial Health Authority of Enna (hereinafter \"Health Authority\"), XX, through his lawyer, represented to this Authority that he had exercised the rights under Articles 15 to 22 of the Regulation and had not received an adequate response. In particular, the complainant stated that in publishing Resolution No. XX of XX, the Health Authority \"attached to letter \"P\" the note from the Regional Department Of the Economy - Special Office \"Single Central Procurement Office for the Acquisition of Goods and Services, distinguished by ","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_471\u002F2026&diff=52202&oldid=52201","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-07-14T08:07:32+00:00","2026-07-14T10:00:13.567324+00:00",7,[18,21],{"name":19,"type":20},"Garante per la protezione dei dati personali","vendor",{"name":22,"type":23},"GDPR","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":26,"name":27,"slug":28},null,"Policy","policy",[30,34,39,41],{"category":31},{"id":32,"icon":26,"name":22,"slug":33},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","gdpr",{"category":35},{"id":36,"icon":26,"name":37,"slug":38},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":40},{"id":24,"icon":26,"name":27,"slug":28},{"category":42},{"id":43,"icon":26,"name":44,"slug":45},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]