Italy
Regione Lombardia
GDPR enforcement action by Italian Data Protection Authority (Garante) on 2021-07-22.
Case details
- Authority
- Italian Data Protection Authority (Garante)
- Date
- 2021-07-22
- Controller / Processor
- Regione Lombardia
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The Italian DPA (Garante) has imposed a fine of EUR 200,000 on the Region of Lombardy. The region had published on its website the personal data of more than 100,000 students who had applied for state scholarships or financial grants for the purchase of textbooks, technical equipment and teaching materials. As the Garante's preliminary audit revealed, it was possible to view and download the list of approved and funded applications, the list of approved and to be funded applications, the list of state scholarship recipients and the list of ineligible applications from the region's website. These lists included personally identifiable information such as the application ID, the applicant's name, the student's grade, the code and name of the school, as well as the application number.
In this context, the DPA stated that the data of persons applying for economic benefits must be protected in a special way to prevent the economic and social hardship of the data subjects from becoming evident.
Related fines