Italy

Physician

5,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2021-04-15.

Rank · Sector

#178

of 270 in Health Care

Rank · Italy

#350

of 543

Rank · All fines

#1,729

of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2021-04-15
Controller / Processor: Physician
Sector: Health Care
Quoted Articles: Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Italian DPA (Garante) has imposed a fine of EUR 5,000 on a physician. The controller had shown slides of a clinical case at a congress, which were subsequently published on the website of the Società triveneta di chirurgia. The slides contained personal data of a patient, such as the patient's initials, age, gender, a detailed medical history of the patient, details of admissions from 1980 to 2016 and surgical procedures performed during that period, indicating the date of admission and the date of surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his or her personal data.

Open original source Links to the regulator's original publication or another source.