Italy

Azienda Universitaria Giuliano Isontina

55,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2022-12-15.

Rank · Sector: #61 of 270 in Health Care
Rank · Italy: #108 of 543
Rank · All fines: #677 of 3,051

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2022-12-15
Controller / Processor: Azienda Universitaria Giuliano Isontina
Sector: Health Care
Quoted Articles: Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 35 GDPR, Art. 2-sexies Codice della privacy
Type of violation: Insufficient legal basis for data processing

Summary

The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Giuliano Isontina. The health authority had created patient profiles, using algorithms and patients' personal data, to indicate the risk of complications in the event of a Covid-19 infection. The profiling was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner if complications occurred. However, the DPA found that the health authority did not have a valid legal basis to process patients' personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA treated the large number of individuals affected as an aggravating factor.
