Italy

ASST di Lodi

1,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2022-04-26.

Rank · Sector: #249 of 270 in Health Care
Rank · Italy: #514 of 543
Rank · All fines: #2,631 of 3,050

Case details

Authority
Italian Data Protection Authority (Garante)
Date
2022-04-26
Controller / Processor
ASST di Lodi
Sector
Health Care
Quoted Articles
Art. 5(1)(f) GDPR, Art. 9 GDPR, Art. 32 GDPR
Type of violation
Insufficient technical and organisational measures to ensure information security

Summary

The Italian DPA (Garante) has imposed a fine of EUR 1,000 on ASST di Lodi.

The healthcare facility had notified the DPA of a personal data breach under Art. 33 GDPR. A patient had designated two contact persons for their medical affairs, and the facility had been explicitly authorised to obtain the patient's medical information from these two persons in an emergency. When an important diagnostic examination of the patient required that information and neither authorised contact could be reached, an employee of the facility instead asked a family member of the patient whom the employee knew personally.

During its investigation, the DPA found that, in doing so, the facility had processed the data subject's health data without the data subject's consent and therefore without a valid legal basis.

The DPA further concluded that the facility had not implemented appropriate technical and organisational measures to protect personal data, as required by Art. 32 GDPR, that would have prevented such an incident. The security-relevant point is that the patient's designated contacts functioned as an authorisation list for their health data; a staff member's personal acquaintance with another relative did not extend that list, and turning to that relative bypassed it.
