[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fH3OnAhzPu8mykFU5VgAAmyUafEEe0_a55IVYdgJYtGs":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":28},"d10e6f7c-6516-4354-ab3f-0d1c85e7b33e","Garante per la protezione dei dati personali (Italy) - 471\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-471-2026-f3655a","Created page with \"{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=471\u002F2026 |ECLI= |Original_Source_Name_1=GPDP |Original_Source_Link_1=https:\u002F\u002Fwww.garanteprivacy.it\u002Fweb\u002Fguest\u002Fhome\u002Fdocweb\u002F-\u002Fdocweb-display\u002Fdocweb\u002F10268727 |Original_Source_Language_1=Italian |Original_Source_Language__Code_1=...\" Show changes","The Italian Data Protection Authority (Garante per la protezione dei dati personali) has fined the provincial Health Authority of Enna €20,000. The fine was issued for unlawfully publishing personal data related to a data subject's judicial records and for failing to fully remove the information from its website upon request, violating Articles 5, 6, and 10 of the GDPR.","Italian DPA fines health authority €20,000 for unlawful data publication.","Help Garante per la protezione dei dati personali (Italy) - 471\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 08:05, 14 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 08:05, 14 July 2026 Garante per la protezione dei dati personali - 471\u002F2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5 GDPR Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6 GDPR Article 10 GDPR Article 17 GDPR Type: Complaint Outcome: Upheld Started: Decided: 18.07.2026 Published: Fine: 20,000 EUR Parties: The provincial Health Authority of Enna National Case Number\u002FName: 471\u002F2026 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined a health authority €20,000 for unlawfully publishing information related to a data subject’s judicial records, and failing to fully remove the information from its website when requested. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The provincial Health Authority of Enna (the controller) published a resolution that contained the personal data of a data subject (specifically related to their judicial records). The data subject contacted the controller and requested the controller to remove or redact the data. The controller responded that it would remove it promptly, however, the data subjects’ data remained in a separate page of the controller’s website. The data subject later brought a complaint to the DPA. The controller stated that it completely removed the data subject’s personal data after the DPA requested it, including data that was accidentally included in its website. Holding The DPA found a violation of Articles 5, 6 and 10 GDPR. The DPA first clarified that the controller processed data related to the commission of crimes or pending criminal proceedings involving the data subject. This data fell under the scope of Article 10 GDPR, meaning the controller had specific obligations for the processing activity to be lawful. The DPA considered that the controller had processed this data unlawfully by publishing it, and had failed to comply with the principle of lawfulness (Article 5(1)(a) GDPR) and data minimisation (Article 5(1)(c) GDPR). The DPA also found a violation of Article 17 GDPR. The DPA stated that the controller failed to adequately respond to the data subject’s request for erasure by not recognising that the data remained visible in a different section of its website. The DPA fined the controller €20,000. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. [web doc. no. 10268727] Measure of June 18, 2026 Register of Measures No. 471 of June 18, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC, \"General Data Protection Regulation\" (hereinafter, the \"Regulation\"); SEEN Legislative Decree 30 June 2003, n. 196 of 30 April 2019, containing the \"Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (hereinafter the \"Code\"); CONSIDERING Regulation No. 1\u002F2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with Resolution No. 98 of 4 April 2019, published in the Official Journal No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter \"Data Protection Authority Regulation No. 1\u002F2019\"); Having seen the documentation in the file; Having seen the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1\u002F2000 on the organization and functioning of the Office of the Guarantor for the Protection of Personal Data, web doc. No. 1098801; Rapporteur: Dr. Agostino Ghiglia; WHEREAS 1. Introduction. With a complaint filed pursuant to Article 77 of the Regulation against the Provincial Health Authority of Enna (hereinafter \"Health Authority\"), XX, through his lawyer, represented to this Authority that he had exercised the rights under Articles 15 to 22 of the Regulation and had not received an adequate response. In particular, the complainant stated that in publishing Resolution No. XX of XX, the Health Authority \"attached to letter \"P\" the note from the Regional Department Of the Economy - Special Office \"Single Central Procurement Office for the Acquisition of Goods and Services, distinguished by file no. XX of XX,\" containing its own judicial data. The complainant also stated that he had \"warned the Enna Provincial Health Authority to obscure\u002Fremove the prejudicial data indicated in the aforementioned resolution,\" and although the Health Authority \"undertook to promptly remove them,\" such data was still published online at the time the complaint was filed. 2. The preliminary investigation. In response to a request from the Authority of XX, the Health Authority, in a note of XX, stated, in particular, that: - \"Resolution no. XX of XX concerning the open procedure for the awarding of cleaning and accessory services, was published on the Public Notice Board of the Enna Health Authority in accordance with the Company Regulations for the management of the Public Notice Board\"; - \"Following the formal notice sent by XX, through its lawyer […] on XX, the Company has taken steps to redact the data contained in Annex \"P\" to the aforementioned resolution containing the interested party's judicial information, notifying the interested party of this with note ref. XX of XX\"; - \"Following notification of the aforementioned request by the Guarantor Authority, this Company has ascertained that although the Corporate Staff Coordination Office had redacted the interested party's personal data from the company's notice board, the same data remained inadvertently visible in another section of the company website, namely the section relating to tenders and contracts, under the responsibility of the Company's Procurement Office, in compliance with anti-corruption and transparency regulations\"; - \"Taking the above into account, the UOC Servizio Provveditorato was promptly requested to obscure the interested party's personal data contained in the aforementioned section. Therefore, to date, XX's personal data relating to the judicial matter involving him are no longer visible in the aforementioned section of the company website.\" With a note from XX, the Office, based on the information acquired, the investigations carried out, and the facts emerging from the preliminary investigation, notified the Health Authority, pursuant to Article 166, paragraph 5, of the Code, of the initiation of proceedings for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation for having disclosed personal data and information, including judicial data relating to the complainant, in a mann","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_471\u002F2026&diff=52201&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-07-14T08:05:31+00:00","2026-07-14T10:00:13.567324+00:00",7,[18,21],{"name":19,"type":20},"Garante per la protezione dei dati personali","vendor",{"name":22,"type":23},"GDPR","product","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":24,"icon":26,"name":22,"slug":27},null,"gdpr",[29,34,36,41],{"category":30},{"id":31,"icon":26,"name":32,"slug":33},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":35},{"id":24,"icon":26,"name":22,"slug":27},{"category":37},{"id":38,"icon":26,"name":39,"slug":40},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":42},{"id":43,"icon":26,"name":44,"slug":45},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]