Italy

Istituto Nazionale Assicurazione Infortuni sul Lavoro

50,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2022-04-28.

Rank · Sector

#66

of 356 in Public Sector and Education

Rank · Italy

#113

of 543

Rank · All fines

#707

of 3,039

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2022-04-28
Controller / Processor: Istituto Nazionale Assicurazione Infortuni sul Lavoro
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) a), f) GDPR, Art. 6 (1) e) GDPR, Art. 9 (2) g) GDPR, Art. 32 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Italian DPA has fined Istituto Nazionale Assicurazione Infortuni sul Lavoro (Public Accident Insurance for workers) EUR 50,000.
As part of its investigation, the DPA found that on three occasions the accident and occupational illnesses of other employees were publicly viewable on an online system of the insurance carrier. The incident occurred due to an outdated version of the system.
The DPA concluded that the insurance carrier had not sufficiently fulfilled its duty to take appropriate technical and organizational measures to prevent personal data breaches. The insurance carrier should have ensured that updated and secure online systems were used.

Open original source Links to the regulator's original publication or another source.