Italy

INPS – Istituto nazionale previdenza sociale

40,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2026-03-12.

Rank · Sector

#79

of 357 in Public Sector and Education

Rank · Italy

#155

of 543

Rank · All fines

#849

of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2026-03-12
Controller / Processor: INPS – Istituto nazionale previdenza sociale
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) a), f) GDPR, Art. 6 (1) e), (3) GDPR, Art. 9 GDPR, Art. 10 GDPR, Art. 25 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Italian DPA has imposed a fine of EUR 40,000 on INPS – Istituto nazionale previdenza sociale. The controller allowed citizens to submit forms online and offered a service that populated the forms with data from the national ANPR database. However, the controller failed to implement adequate technical and organisational measures, resulting in data subjects gaining access not only to their own relevant data, but also to the data of other individuals, including special category data and data relating to criminal records. This failure resulted in a data breach affecting 47,464 individuals, 1,526 of whom were minors. Additionally, the online service was not intended for use by minors, but they were able to access it.

Open original source Links to the regulator's original publication or another source.