Italy
Società triveneta di chirurgia
GDPR enforcement action by Italian Data Protection Authority (Garante) on 2021-04-15.
Case details
- Authority
- Italian Data Protection Authority (Garante)
- Date
- 2021-04-15
- Controller / Processor
- Società triveneta di chirurgia
- Sector
- Health Care
- Quoted Articles
- Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Società triveneta di chirurgia. A physician had shown slides of a clinical case at a congress, which were subsequently published on the controller's website. The slides contained personal data of a patient, such as the patient's initials, age, gender, a detailed history of the pathology suffered by the patient, details of admissions from 1980 to 2016 and the surgical procedures performed during this period, indicating the date of admission and surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images, and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his personal data.
Related fines