The Italian DPA published its annual activities report

On 7 July 2022, the Garante per la protezione dei dati personali published its annual report on its activities in 2021. In this report, the Data Protection Authority focused on the ethical implications of technology, the data-driven economy, the big platforms, artificial intelligence, and the main issues related to algorithms. The DPA also highlighted the scenarios outlined by neuroscience, the security of systems and the protection of cyberspace, the spread of facial recognition systems, the value of personal data, and the phenomena of revenge porn and “sharenting”.

Following the increase in cyber-attacks since 2021, the DPA drew the attention of public administrations and companies to the need to invest in security and to set up defences against ransomware. In this regard, it should be considered that most of the data breaches involved the dissemination of health data.

Read the report 


DPA: The data processing consent for scientific research can be collected progressively 

The Italian Data Protection Authority issued a positive opinion on the processing of personal data for the study of patients suffering from diseases of the thoracic district. This opinion followed the request for prior consultation – based on article 36 of Regulation (EU) 2016/679 and on article 110 of Legislative Decree 196/2003 – submitted by a hospital.

The aim of the project was to create a database and conduct research in nine areas. 

However, in order to authorize the processing, the Authority required that consent for subsequent processing of health data for medical research purposes be collected sequentially.

Read the opinion 


Italian DPA: public administrations must be careful when publishing personal data online 

With decision no. 198/2022, the Italian Data Protection Authority sanctioned the dissemination of personal data contained in a curriculum vitae published on the institutional website of a municipality, with which the data subject had long since ceased working.

The complaint of the data subject had also pointed out his peculiar personal condition, due to which the disclosure of the data could have entailed risks for himself and his family. 

During the preliminary investigation, the Authority established that the curriculum vitae had remained available online for longer than the period provided by the applicable legislation and that this had led to an unlawful disclosure of data without a legal basis. 

The Authority stated that, when public administrations publish acts and documents online, they must not disseminate data that are not relevant to the transparency purposes pursued. The Italian DPA fined the municipality 10,000 euros.

Read the provision 


Italian DPA: no personalised advertising based on legitimate interest 

In recent weeks TikTok had informed its users that, from 13 July, people over the age of 18 would be reached by ‘personalized’ advertising (i.e. based on the profiling of their surfing behaviour on TikTok). Moreover, it had changed its privacy policy so that the legal basis for the processing of data was no longer the consent of the data subjects, but an unspecified ‘legitimate interest’ of TikTok and its partners.

On 7 July 2022, the Italian DPA adopted a provision in which it warned that the platform could not use personal data stored on users’ devices to profile them and send them personalized advertising in the absence of explicit consent.

As a result, TikTok informed the Authority that it had suspended the planned change to the legal basis.

Read the provision 


Unauthorized access to the health record has been sanctioned by the Italian DPA 

The Italian Data Protection Authority has imposed fines of 50,000 euros and 70,000 euros on the Azienda sanitaria universitaria Friuli Occidentale and the Azienda sanitaria universitaria Friuli centrale, respectively, following complaints and notifications of abusive access to the health record. The Authority recalled that only staff treating patients can access their records. In addition, the health authorities must implement the correct measures to prevent irregular access to patient information by health care providers not involved in their care pathways. In this regard, it should be noted that in June 2015, the Data Protection Authority issued the “Guidelines on the Health Record”, which state that the data controller must pay particular attention to the identification of the authorisation profiles and the use of customised technical measures for access to the record in each organisation.

Read the provision 1 

Read the provision 2


GDPR: data controller sanctioned for invalid DPO designation 

With provision no. 174 of 2022, the Italian Data Protection Authority fined a public data controller 6,000 euros for the lack of a valid appointment of a data protection officer.

The public body, in fact, had informally designated as DPO the official in charge of the General Affairs (an apical role for which there is an irremediable conflict of interest), and then formalised this by the adoption of a trade union determination, while specifying the temporary nature of this designation. 

The financial difficulties and staff shortages underlying the data controller’s defense were not considered sufficient reasons to overcome the alleged violations concerning the failure to designate the DPO. 

Read the decision

Author elex