Garante per la protezione dei dati personali (Italy) - 471/2026
Facts — The provincial Health Authority of Enna (the controller) published a resolution that contained the personal data of a data subject (specifically related to their judicial records). The data subject contacted the controller and requested the controller to remove or redact the data. The controller responded that it would remove it promptly, however, the data subjects’ data remained in a separate page of the controller’s website. The data subject later brought a complaint to the DPA. The controller stated that it completely removed the data subject’s personal data after the DPA requested it, including data that was accidentally included in its website. Holding — The DPA found a violation of Articles 5, 6 and 10 GDPR. The DPA first clarified that the controller processed data related to the commission of crimes or pending criminal proceedings involving the data subject. This data fell under the scope of Article 10 GDPR, meaning the controller had specific obligations for the processing activity to be lawful. The DPA considered that the controller had processed this data unlawfully by publishing it, and had failed to comply with the principle of lawfulness (Article 5(1)(a) GDPR) and data minimisation (Article 5(1)(c) GDPR). The DPA also found a violation of Article 17 GDPR. The DPA stated that the controller failed to adequately respond to the data subject’s request for erasure by not recognising that the data remained visible in a different section of its website. The DPA fined the controller €20,000.
How it connects
Related across sources
Full text
[web doc. no. 10268727] Measure of June 18, 2026 Register of Measures No. 471 of June 18, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, the "Regulation"); SEEN Legislative Decree 30 June 2003, n. 196 of 30 April 2019, containing the "Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the "Code"); CONSIDERING Regulation No. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with Resolution No. 98 of 4 April 2019, published in the Official Journal No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter "Data Protection Authority Regulation No. 1/2019"); Having seen the documentation in the file; Having seen the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1/2000 on the organization and functioning of the Office of the Guarantor for the Protection of Personal Data, web doc. No. 1098801; Rapporteur: Dr. Agostino Ghiglia; WHEREAS 1. Introduction. With a complaint filed pursuant to Article 77 of the Regulation against the Provincial Health Authority of Enna (hereinafter "Health Authority"), XX, through his lawyer, represented to this Authority that he had exercised the rights under Articles 15 to 22 of the Regulation and had not received an adequate response. In particular, the complainant stated that in publishing Resolution No. XX of XX, the Health Authority "attached to letter "P" the note from the Regional Department Of the Economy - Special Office "Single Central Procurement Office for the Acquisition of Goods and Services, distinguished by file no. XX of XX," containing its own judicial data. The complainant also stated that he had "warned the Enna Provincial Health Authority to obscure/remove the prejudicial data indicated in the aforementioned resolution," and although the Health Authority "undertook to promptly remove them," such data was still published online at the time the complaint was filed. 2. The preliminary investigation. In response to a request from the Authority of XX, the Health Authority, in a note of XX, stated, in particular, that: - "Resolution no. XX of XX concerning the open procedure for the awarding of cleaning and accessory services, was published on the Public Notice Board of the Enna Health Authority in accordance with the Company Regulations for the management of the Public Notice Board"; - "Following the formal notice sent by XX, through its lawyer […] on XX, the Company has taken steps to redact the data contained in Annex "P" to the aforementioned resolution containing the interested party's judicial information, notifying the interested party of this with note ref. XX of XX"; - "Following notification of the aforementioned request by the Guarantor Authority, this Company has ascertained that although the Corporate Staff Coordination Office had redacted the interested party's personal data from the company's notice board, the same data remained inadvertently visible in another section of the company website, namely the section relating to tenders and contracts, under the responsibility of the Company's Procurement Office, in compliance with anti-corruption and transparency regulations"; - "Taking the above into account, the UOC Servizio Provveditorato was promptly requested to obscure the interested party's personal data contained in the aforementioned section. Therefore, to date, XX's personal data relating to the judicial matter involving him are no longer visible in the aforementioned section of the company website." With a note from XX, the Office, based on the information acquired, the investigations carried out, and the facts emerging from the preliminary investigation, notified the Health Authority, pursuant to Article 166, paragraph 5, of the Code, of the initiation of proceedings for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation for having disclosed personal data and information, including judicial data relating to the complainant, in a manner that does not comply with the principles of "lawfulness, fairness, and transparency" as well as "data minimization," in violation of Articles 5 and 6 of the Regulation and in the absence of an appropriate regulatory basis, in violation of Articles 15 and 16 of the Regulation. 6 and 10 of the Regulation, as well as 2-ter and 2-octies of the Code, and by de facto failing to comply with the complainant's subsequent request to delete the data, in violation of Article 17 of the Regulation. With the same notice, the aforementioned data controller was invited to submit written defenses or documents to the Data Protection Authority or to request a hearing with the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981). The Health Authority has not submitted its defense briefs. 3. Outcome of the investigation. 3.1. Applicable legislation. Personal data protection legislation provides that public bodies may process data subjects' personal data (Article 4(1) of the Regulation) if the processing is necessary "for compliance with a legal obligation to which the controller is subject" (Articles 6(1)(c), 9(2)(b), and 4; Article 88 of the Regulation) or "for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (Article 6(1)(c) and (e) of the Regulation and Article 2-ter of the Code). European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing in accordance with paragraph 1(c) and (e) by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing [...]" (Article 6(2) of the Regulation). In this regard, it is noted that processing operations consisting of the "dissemination" (Article 2-ter, paragraph 4, letter b), of the Code) of personal data are permitted only when the conditions of Article 2-ter of the Code are met, when provided for by an appropriate legal basis. Specifically, with regard to the processing of data relating to criminal convictions and offenses or related security measures, it is noted that such processing may only occur under the control of official authority or if the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects (Article 10 of the Regulation), or only if the processing is authorized by a provision of law or, where provided for by law, a regulation (Article 2-octies, paragraphs 1 and 5, of the Code). The data controller is required to comply with data protection principles, including "lawfulness, fairness, and transparency," as well as "data minimization." These principles require that personal data be "processed lawfully, fairly, and in a transparent manner in relation to the data subject" and be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed" (Article 5, paragraph 1, letters a) and c) of the Regulation). With specific reference to the exercise of rights, it is noted that pursuant to Articles 15 to 22 of the Regulation, the data subject has the right to request from the data controller access to, rectification or erasure of, or restriction of processing concerning him or her, or to object to processing, as well as the right to data portability, where applicable. 3.2. Dissemination of personal data. That said, following the investigation into the complaint, it emerged that the Health Authority published Resolution No. XX of XX on its institutional website until XX, the date on which it received the Authority's request. This resolution, in an attached note, contained the complainant's personal data, specifically regarding its legal proceedings. Although, following the exercise of the data subject's rights on XX, it emerged that the Health Authority provided the necessary response on XX, stating that it had obscured the complainant's personal data, such data remained "inadvertently visible in another section of the company website," as the Health Authority stated in the note dated XX. Only following receipt of the Authority's request dated XX did the Health Authority proceed to obscure the complainant's personal data contained in the attachment to the aforementioned resolution. As repeatedly highlighted by the Garante (see, among others, provision no. 530 of 25 September 2025, web doc. no. 10184967), the processing of data relating to criminal convictions and offences, including in the context of the online publication of records and documents by Public Administrations, may only take place under the control of official authority or if the processing is authorised by Union or Member State law providing appropriate safeguards for the rights and freedoms of data subjects, or only if the processing is authorised by a provision of law or, where provided for by law, by a regulation. Therefore, before disclosing any personal data relating to data subjects online, the data controller is required to verify which data and information to publish, while ensuring full compliance with personal data protection regulations, specifically regarding the relevance and non-excessiveness of the data disclosed. The Guarantor has over time provided specific indications to public administrations regarding the precautions to be adopted for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action, in particular, in 2014, with the "Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for publicity and transparency purposes on the web by public bodies and other obliged entities" (provision no. 243 of 15 May 2014, web doc. no. 3134436, part I and II, spec. par. 3.a; see also the "Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector" web doc. no. 1417809) clarifying, also through numerous decisions on individual cases adopted against specific administrations, that the presence of a publicity regime, not found in the case in question, cannot lead to any automaticity with respect to the online dissemination of personal data nor a derogation from the principles of personal data protection, as confirmed by the personal data protection system contained in the Regulation, which requires the data controller to "implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" – in light of the "accountability" principle – that it has done so pursuant to Articles 5(2), 24, and 25(2) of the Regulation (see, among others, most recently, Decision No. 768 of December 12, 2024, web doc. 10102355; Decision No. 729 of November 27, 2024, web doc. 1009734; and Decision No. 404 of July 4, 2024, web doc. 10050145 and the previous decisions cited therein). In particular, in numerous decisions regarding the obligations arising from art. 124 of Legislative Decree 267/2000, regarding the publication of municipal resolutions on the public notice board, the Guarantor reiterated that all the limitations set by the principles of personal data protection also apply to the publication of acts or resolutions on the online public notice board, taking into account, first and foremost, the prior verification of the existence of suitable conditions for the lawfulness of the online dissemination of the personal data contained therein and the minimization of data (see, among many others, most recently, provisions no. 729 and 730 of 27 November 2024, web doc. nos. 10097341 and 10100956, and the precedents cited therein; see also Part II, paragraph 3.a. of the "Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for advertising and transparency purposes on the web by public bodies and other obligated entities", cited above). In this case, in particular, the Healthcare Company disclosed information relating to events related to the commission of crimes or pending criminal proceedings of the complainant, which constitute "personal data relating to criminal convictions and offenses or related security measures" pursuant to and for the purposes of Article 10 of the Regulation. As mentioned, the processing of such data may only take place under the control of official authority or if the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects, or only if the processing is authorized by a law or, where provided for by law, a regulation. Based on the above, it must be concluded that the Healthcare Company disclosed the complainant's personal data, specifically relating to judicial proceedings, in a manner that does not comply with the principles of "lawfulness, fairness, and transparency" and "data minimization," in violation of Article 5 of the Regulation, and in the absence of an appropriate legal basis, in violation of Articles 15 and 16 of the GDPR. 6 and 10 of the Regulation, as well as Articles 2-ter and 2-octies of the Code. 3.3 Exercise of the data subject's rights. From the information acquired during the investigation, it is also clear that, although the Health Authority complied with a request to exercise the rights of the data subject of XX on 20th, thus fulfilling the aforementioned request within the legal deadline, the complainant's personal data remained "visible in another section of the company website." For these reasons, although the Health Authority stated that it had obscured the complainant's personal data, it did not, in fact, comply with the aforementioned deletion request, as the data were still visible, albeit "inadvertently," in another section of the website. In this regard, it is generally stated that the data controller is required to facilitate the exercise of the data subject's rights and, in any case, to provide an explicit response to the data subject's request pursuant to Articles 15 to 22 of the Regulation, regardless of whether the request is well-founded or not, without undue delay and, in any case, no later than one month after receipt, in the context of a direct relationship between the data subject and the data controller. In particular, pursuant to art. Article 17 of the Regulation states, "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where […] the personal data have been unlawfully processed" (see Article 17, paragraph 1, letter d), unless the processing is necessary "for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (see Article 17, paragraph 3, letter b of the Regulation). Therefore, with regard to the complainant's exercise of the right to erasure of his or her personal data, the Health Authority—although on the erroneous assumption that it had complied with the complainant's request for erasure, failing to realize that such data was still visible in a different section of the website—did not allow the data subject to exercise his or her right to erasure, in violation of Article 17 of the Regulation. 4. Conclusions. In light of the above considerations, it is noted that the statements made by the data controller during the investigation—the veracity of which may be held accountable pursuant to Article 168 of the Code—although worthy of consideration, do not overcome the concerns notified by the Office with the initiation of the proceedings and are insufficient to allow the dismissal of this proceeding, pursuant to Article 14, paragraph 1, of the Regulation of the Garante no. 1/2019, as none of the cases provided for in Article 11 referred to therein apply. The Office's preliminary assessments are therefore confirmed, and the Health Authority's processing of personal data is found to be unlawful. It disclosed the complainant's personal data by publishing information on its institutional website, specifically regarding the complainant's criminal proceedings, in violation of Articles 5, 6, and 10 of the Regulation, as well as Articles 2-ter and 2-octies of the Code, and, with reference to the failure to erase the data subject's personal data, in violation of Article 17 of the Regulation. Although in this case, the Health Authority complied with the request to delete the complainant's personal data and only mistakenly failed to notice that the aforementioned data was still published in another area of its institutional website, the Health Authority's numerous previous violations of the same provisions of the Regulation and the Code, which occurred in the specific and sensitive work context, must be considered a decisive factor in determining the sanction (see, among others, decisions no. 666 of 13 November 2024, web doc. no. 10084453 and no. 730 of 27 November 2024, web doc. no. 10100956). Given that the violation of the aforementioned provisions occurred as a result of a single conduct (the same processing or related processing), Article 83, paragraph 1, of the Italian Civil Code applies. 3 of the Regulation, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the present case, all violations relating to Articles 5 and 6 of the Regulation, as well as Article 2-ter of the Code, are subject to the sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000. In this context, considering that, with regard to the processing carried out by the Health Authority, the conduct has exhausted its effects—given that, following receipt of the request from this Authority, the Health Authority has proceeded to obscure the complainant's personal data contained in the annex to Resolution No. XX of XX—the conditions for adopting the corrective measures referred to in Article 58, paragraph 1, are not met. 2 of the Regulations. 5. Adoption of the injunction order for the application of the administrative pecuniary sanction and additional sanctions (Articles 58, paragraph 2, letters i and 83 of the Regulations; Article 166, paragraph 7, of the Code). The Guarantor, pursuant to Articles 58, paragraph 2, letter i), and 83 of the Regulation, as well as Article 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] corrective measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case." Within this framework, "the [Garante] Panel shall adopt the injunction order, by which it shall also order the publication of the injunction, in full or in extract, on the Guarantor's website pursuant to Article 166, paragraph 7, of the Code, with regard to the application of the additional administrative sanction (Article 16, paragraph 1, of the Guarantor Regulation No. 1/2019). In this regard, taking into account Article 83, paragraph 1, of the Regulation, the Guarantor shall: 3 of the Regulation, in this case, violation of the aforementioned provisions is subject to the application of the administrative pecuniary sanction provided for in Article 83(5) of the Regulation. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount, taking due account of the factors set out in Article 83(2) of the Regulation. Considering that: - the violation concerned a single data subject, resulting in the online dissemination of personal data up to XX, without any indexing by search engines (Article 83(2)(a) of the Regulation); - the publication concerned, in particular, information relating to the data subject's criminal proceedings (see Article 83(2)(g) of the Regulation); - the breach is negligent (Article 83, paragraph 2, letter b), of the Regulation), considering that the Healthcare Authority, although it had obscured the data subject's data following a request for deletion, realized, following the request from this Authority, that such data had remained "inadvertently visible in another section of the company website"; It is considered that, in this case, the severity of the breach committed by the data controller, given the specific circumstances of the case, is medium (see European Data Protection Board, "Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR" of May 24, 2023, point 60). Given the above, it is believed that, for the purposes of quantifying the sanction, the following circumstances should be taken into consideration: - there are certain previous violations of the same provisions of the Regulation and the Code, even in the same context (see Article 83, paragraph 2, letter e), of the Regulation); - the Health Authority offered reasonable cooperation with the Authority during the investigation (Article 83, paragraph 2, letter f), of the Regulation). Given the above factors, assessed as a whole, it is deemed appropriate to determine the amount of the fine at €20,000 (twenty thousand) for the violation of Articles 5, 6, and 10 and Article 17 of the Regulation, as well as Articles 2-ter and 2-octies of the Code, as an administrative fine deemed, pursuant to Article 83, paragraph 2, letter f), to be imposed. 1, of the Regulation, effective, proportionate, and dissuasive. It is also considered that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Italian Data Protection Authority (Garante) No. 1/2019, this chapter containing the injunction order should be published on the Italian Data Protection Authority's website. This is in consideration of the fact that, as noted above, the violation consisted of the online dissemination of sensitive personal data, including information on criminal proceedings, relating to the complainant. Finally, it is noted that the conditions set out in Article 17 of Regulation No. 1/2019 are met. NOW WITH ALL THE ABOVE MENTIONED, THE GUARANTOR declares, pursuant to Article 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Provincial Health Authority of Enna due to violation of Articles 5, 6, and 10 and Article 17 of the Regulations, as well as Articles 2-ter and 2-octies of the Code, within the time limits set forth in the reasons for the decision; ORDERS The Provincial Health Authority of Enna, represented by its legal representative pro tempore, with registered office at Viale Armando Diaz, 7 - 94100 Enna (EN), Tax Code 01151150867, to pay the sum of €20,000.00 (twenty thousand/00) as an administrative fine for the violations indicated in the reasons for the decision. It is hereby stated that the offender, pursuant to Article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half the imposed fine; ORDER - the aforementioned Health Authority, in the event of failure to resolve the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of €20,000.00 (twenty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this order, under penalty of the adoption of the subsequent enforcement proceedings pursuant to Article 27 of Law No. 689/1981; ORDERS - pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Guarantor Regulation No. 1/2019, the publication of the injunction order on the Guarantor's website; - pursuant to Article 154-bis, paragraph 3 of the Code and Article 37 of the Guarantor Regulation No. 1/2019, the publication of this provision on the Authority's website; - pursuant to Article 17 of the Guarantor Regulation No. 1/2019, the recording of violations and measures adopted pursuant to Article 58, paragraph 2 of the Regulation in the Authority's internal register provided for by Article 57, paragraph 1, letter u) of the Regulation. Pursuant to Articles 78 of the Regulation, 152 of the Code, and 10 of Legislative Decree No. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of notification of the provision itself, or within sixty days if the appellant resides abroad. Rome, June 18, 2026 THE PRESIDENT Stanzione THE REPORTER Ghiglia THE SECRETARY GENERAL Montuori [web doc. no. 10268727] Measure of June 18, 2026 Register of Measures no. 471 of June 18, 2026 THE DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, the "Regulation"); HAVING REGARD to Legislative Decree no. 196 of 30 June 2003 196 of 30 April 2019, containing the "Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the "Code"); CONSIDERING Regulation No. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with Resolution No. 98 of 4 April 2019, published in the Official Journal No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter "Data Protection Authority Regulation No. 1/2019"); Having seen the documentation in the file; Having seen the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1/2000 on the organization and functioning of the Office of the Guarantor for the Protection of Personal Data, web doc. No. 1098801; Rapporteur: Dr. Agostino Ghiglia; WHEREAS 1. Introduction. With a complaint filed pursuant to Article 77 of the Regulation against the Provincial Health Authority of Enna (hereinafter "Health Authority"), XX, through his lawyer, represented to this Authority that he had exercised the rights under Articles 15 to 22 of the Regulation and had not received an adequate response. In particular, the complainant stated that in publishing Resolution No. XX of XX, the Health Authority "attached to letter "P" the note from the Regional Department Of the Economy - Special Office "Single Central Procurement Office for the Acquisition of Goods and Services, distinguished by file no. XX of XX," containing its own judicial data. The complainant also stated that he had "warned the Enna Provincial Health Authority to obscure/remove the prejudicial data indicated in the aforementioned resolution," and although the Health Authority "undertook to promptly remove them," such data was still published online at the time the complaint was filed. 2. The preliminary investigation. In response to a request from the Authority of XX, the Health Authority, in a note of XX, stated, in particular, that: - "Resolution no. XX of XX concerning the open procedure for the awarding of cleaning and accessory services, was published on the Public Notice Board of the Enna Health Authority in accordance with the Company Regulations for the management of the Public Notice Board"; - "Following the formal notice sent by XX, through its lawyer […] on XX, the Company has taken steps to redact the data contained in Annex "P" to the aforementioned resolution containing the interested party's judicial information, notifying the interested party of this with note ref. XX of XX"; - "Following notification of the aforementioned request by the Guarantor Authority, this Company has ascertained that although the Corporate Staff Coordination Office had redacted the interested party's personal data from the company's notice board, the same data remained inadvertently visible in another section of the company website, namely the section relating to tenders and contracts, under the responsibility of the Company's Procurement Office, in compliance with anti-corruption and transparency regulations"; - "taking the above into account, the UOC Servizio Provveditorato was promptly requested to obscure the personal data of the interested party contained in the aforementioned section. Therefore, to date, XX's personal data relating to the judicial matter involving him are no longer visible in the aforementioned section of the company website." With a note dated 20th, the Office, based on the information acquired, the investigations conducted, and the facts emerging from the investigation, notified the Health Authority, pursuant to Article 166, paragraph 5, of the Code, of the initiation of proceedings to adopt the measures referred to in Article 58, paragraph 2, of the Regulation for having disclosed personal data and information, including judicial data relating to the complainant, in a manner that did not comply with the principles of "lawfulness, fairness, and transparency" as well as "data minimization," in violation of Articles 5 of the Regulation and in the absence of an appropriate regulatory basis, in violation of Articles 6 and 10 of the Regulation, as well as Articles 2-ter and 2-octies of the Code, and by de facto failing to comply with the subsequent request to delete the complainant's data, in violation of Article 17 of the Regulation. With the same notice, the aforementioned data controller was invited to submit written statements or documents to the Data Protection Authority or to request a hearing with the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981). The Health Authority did not submit its written statements. 3. Outcome of the preliminary investigation. 3.1. Applicable legislation. Personal data protection legislation provides that public bodies may process the personal data of data subjects (Article 4, paragraph 1, of the Regulation) if the processing is necessary "for compliance with a legal obligation to which the data controller is subject" (Articles 6, paragraph 1, letter c), 9, paragraphs 2, letter b), and 4); 88 of the Regulation) or "for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (Article 6, paragraph 1, letters c) and e) of the Regulation and Article 2-ter of the Code). European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing in accordance with paragraph 1, letters c) and e), by laying down more precisely specific requirements for the processing and other measures to ensure lawful and fair processing [...]" (Article 6, paragraph 2, of the Regulation). In this regard, it is noted that processing operations consisting of the "dissemination" (Article 2-ter, paragraph 4, letter b), of the Code) of personal data are permitted only when the conditions of Article 2-ter of the Code are met, when provided for by an appropriate legal basis. With specific regard to the processing of data relating to criminal convictions and offenses or related security measures, it is emphasized that this may only be carried out under the control of official authority or if the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects (Article 10 of the Regulation), or only if the processing is authorized by a law or, where provided for by law, a regulation (Article 2-octies, paragraphs 1 and 5, of the Code). The data controller is required to comply with data protection principles, including "lawfulness, fairness, and transparency" as well as "minimization," according to which personal data must be "processed lawfully, fairly, and in a transparent manner in relation to the data subject" and must be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed" (Article 5, paragraph 1, letters a) and c) of the Regulation). With specific reference to the exercise of rights, it is noted that pursuant to Articles 15 to 22 of the Regulation, the data subject has the right to request from the data controller access to, rectification or erasure of, or restriction of processing concerning him or her, or to object to processing, as well as the right to data portability, where the conditions are met. 3.2. Dissemination of personal data. That said, following the investigation into the complaint, it emerged that the Health Authority had published Resolution No. XX of XX on its institutional website until XX, the date on which it received the request from the Authority. This document, in an attached note, contained the complainant's personal data, with particular reference to its legal proceedings. According to this resolution, although following the exercise of the data subject's rights on XX, it emerged that the Health Authority provided the necessary feedback on XX, stating that it had obscured the complainant's personal data, such data remained "inadvertently visible in another section of the company website," as stated by the Health Authority in the note on XX. Only following receipt of the Authority's request on XX did the Health Authority proceed to obscure the complainant's personal data contained in the attachment to the aforementioned resolution. As repeatedly highlighted by the Italian Data Protection Authority (see, among others, Order No. 530 of 25 September 2025, Web Document No. 10184967), the processing of data relating to criminal convictions and offenses, including in the context of the online publication of records and documents by public administrations, may only take place under the control of official authority or if the processing is authorized by Union or Member State law providing appropriate safeguards for the rights and freedoms of data subjects, or only if the processing is authorized by a law or, where required by law, a regulation. Therefore, the data controller is required to verify which data and information to publish before disseminating any personal data relating to data subjects online, while ensuring full compliance with personal data protection regulations, with specific reference to the relevance and non-excessiveness of the data disseminated. The Guarantor has over time provided specific indications to public administrations regarding the precautions to be adopted for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action, in particular, in 2014, with the "Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for publicity and transparency purposes on the web by public bodies and other obliged entities" (provision no. 243 of 15 May 2014, web doc. no. 3134436, part I and II, spec. par. 3.a; see also the "Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector" web doc. no. 1417809) clarifying, also through numerous decisions on individual cases adopted against specific administrations, that the presence of a publicity regime, not found in the case in question, cannot lead to any automaticity with respect to the online dissemination of personal data nor a derogation from the principles of personal data protection, as confirmed by the personal data protection system contained in the Regulation, which requires the data controller to "implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" – in light of the "accountability" principle – that it has done so pursuant to Articles 5(2), 24, and 25(2) of the Regulation (see, among others, most recently, Decision No. 768 of December 12, 2024, web doc. 10102355; Decision No. 729 of November 27, 2024, web doc. 1009734; and Decision No. 404 of July 4, 2024, web doc. 10050145 and the previous decisions cited therein). In particular, in numerous decisions regarding the obligations arising from art. 124 of Legislative Decree 267/2000, regarding the publication of municipal resolutions on the public notice board, the Guarantor reiterated that all the limitations set by the principles of personal data protection also apply to the publication of acts or resolutions on the online public notice board, taking into account, first and foremost, the prior verification of the existence of suitable conditions for the lawfulness of the online dissemination of the personal data contained therein and the minimization of data (see, among many others, most recently, provisions no. 729 and 730 of 27 November 2024, web doc. nos. 10097341 and 10100956, and the precedents cited therein; see also Part II, paragraph 3.a. of the "Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for advertising and transparency purposes on the web by public bodies and other obligated entities", cited above). In this case, in particular, the Healthcare Company disclosed information relating to events related to the commission of crimes or pending criminal proceedings of the complainant, which constitute "personal data relating to criminal convictions and offenses or related security measures" pursuant to and for the purposes of Article 10 of the Regulation. As mentioned, the processing of such data may only take place under the control of official authority or if the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects, or only if the processing is authorized by a law or, where provided for by law, a regulation. Based on the above, it must be concluded that the Healthcare Company disclosed the complainant's personal data, specifically relating to judicial proceedings, in a manner that does not comply with the principles of "lawfulness, fairness, and transparency" and "data minimization," in violation of Article 5 of the Regulation, and in the absence of an appropriate legal basis, in violation of Articles 15 and 16 of the GDPR. 6 and 10 of the Regulation, as well as 2-ter and 2-octies of the Code. 3.3 Exercise of data subject rights. From the information acquired during the preliminary investigation, it is also clear that, although the Health Authority complied with a request to exercise the rights of the data subject of XX on 20th, thus fulfilling the aforementioned request within the legal deadline, the complainant's personal data remained "visible in another section of the company website." For these reasons, although the Health Authority stated that it had obscured the complainant's personal data, it did not, in fact, comply with the aforementioned deletion request, as the data were still visible, albeit "inadvertently," in another section of the website. In this regard, it is generally stated that the data controller is required to facilitate the exercise of the data subject's rights and, in any case, to provide an explicit response to the data subject's request pursuant to Articles 15 to 22 of the Regulation, regardless of whether the request is well-founded or not, without undue delay and, in any case, no later than one month after receipt, in the context of a direct relationship between the data subject and the data controller. In particular, pursuant to art. Article 17 of the Regulation states, "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where […] the personal data have been unlawfully processed" (see Article 17, paragraph 1, letter d), unless the processing is necessary "for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (see Article 17, paragraph 3, letter b of the Regulation). Therefore, with regard to the complainant's exercise of the right to erasure of his or her personal data, the Health Authority—although on the erroneous assumption that it had complied with the complainant's request for erasure, failing to realize that such data was still visible in a different section of the website—did not allow the data subject to exercise his or her right to erasure, in violation of Article 17 of the Regulation. 4. Conclusions. In light of the above considerations, it is noted that the statements made by the data controller during the investigation—the veracity of which may be held accountable pursuant to Article 168 of the Code—although worthy of consideration, do not overcome the concerns notified by the Office with the initiation of the proceedings and are insufficient to allow the dismissal of this proceeding, pursuant to Article 14, paragraph 1, of the Regulation of the Garante no. 1/2019, as none of the cases provided for in Article 11 referred to therein apply. The Office's preliminary assessments are therefore confirmed, and the Health Authority's processing of personal data is found to be unlawful. It disclosed the complainant's personal data by publishing information on its institutional website, specifically regarding the complainant's criminal proceedings, in violation of Articles 5, 6, and 10 of the Regulation, as well as Articles 2-ter and 2-octies of the Code, and, with reference to the failure to erase the data subject's personal data, in violation of Article 17 of the Regulation. Although in this case, the Health Authority complied with the request to delete the complainant's personal data and only mistakenly failed to notice that the aforementioned data was still published in another area of its institutional website, the Health Authority's numerous previous violations of the same provisions of the Regulation and the Code, which occurred in the specific and sensitive work context, must be considered a decisive factor in determining the sanction (see, among others, decisions no. 666 of 13 November 2024, web doc. no. 10084453 and no. 730 of 27 November 2024, web doc. no. 10100956). Given that the violation of the aforementioned provisions occurred as a result of a single conduct (the same processing or related processing), Article 83, paragraph 1, of the Italian Civil Code applies. 3 of the Regulation, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the present case, all violations relating to Articles 5 and 6 of the Regulation, as well as Article 2-ter of the Code, are subject to the sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000. In this context, considering that, with regard to the processing carried out by the Health Authority, the conduct has exhausted its effects—given that, following receipt of the request from this Authority, the Health Authority has proceeded to obscure the complainant's personal data contained in the annex to Resolution No. XX of XX—the conditions for adopting the corrective measures referred to in Article 58, paragraph 1, are not met. 2 of the Regulation. 5. Adoption of the injunction order for the application of the administrative pecuniary sanction and additional sanctions (Articles 58, paragraph 2, letters i) and 83 of the Regulation; Article 166, paragraph 7, of the Code). The Guarantor, pursuant to Articles 58, paragraph 2, letters i) and 83 of the Regulation as well as Article 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] corrective measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case." Within this framework, "the [Garante] Panel shall adopt the injunction order, by which it also orders the application of the additional administrative sanction, its publication, in full or in extract, on the Garante's website pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Garante Regulation No. 1/2019). In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case, violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for in Article 83, paragraph 5, of the Regulation. The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in amount, taking due account of the factors set forth in Article 83, paragraph 2, of the Regulation. Considering that: - the violation concerned a single data subject, resulting in the online dissemination of personal data up to XX, without any indexing by search engines (Article 83, paragraph 2, letter a) of the Regulation); - the publication concerned, in particular, information relating to the data subject's criminal proceedings (see Article 83, paragraph 2, letter g), of the Regulation); - the breach is negligent (Article 83, paragraph 2, letter b), of the Regulation), considering that the Healthcare Authority, although it had obscured the data subject's data following a request for deletion, realized, following the request from this Authority, that such data had remained "inadvertently visible in another section of the company website"; It is considered that, in this case, the severity of the breach committed by the data controller, given the specific circumstances of the case, is medium (see European Data Protection Board, "Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR" of May 24, 2023, point 60). Given the above, it is believed that, for the purposes of quantifying the sanction, the following circumstances should be taken into consideration: - there are certain previous violations of the same provisions of the Regulation and the Code, even in the same context (see Article 83, paragraph 2, letter e), of the Regulation); - the Health Authority offered reasonable cooperation with the Authority during the investigation (Article 83, paragraph 2, letter f), of the Regulation). Given the above factors, assessed as a whole, it is deemed appropriate to determine the amount of the fine at €20,000 (twenty thousand) for the violation of Articles 5, 6, and 10 and Article 17 of the Regulation, as well as Articles 2-ter and 2-octies of the Code, as an administrative fine deemed, pursuant to Article 83, paragraph 2, letter f), to be imposed. 1, of the Regulation, effective, proportionate, and dissuasive. It is also considered that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Italian Data Protection Authority (Garante) No. 1/2019, this chapter containing the injunction order should be published on the Italian Data Protection Authority's website. This is in consideration of the fact that, as noted above, the violation consisted of the online dissemination of sensitive personal data, including information on criminal proceedings, relating to the complainant. Finally, it is noted that the conditions set out in Article 17 of Regulation No. 1/2019 are met. NOW WITH ALL THE ABOVE MENTIONED, THE GUARANTOR declares, pursuant to Article 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Provincial Health Authority of Enna due to violation of Articles 5, 6, and 10 and Article 17 of the Regulations, as well as Articles 2-ter and 2-octies of the Code, within the time limits set forth in the reasons for the decision; ORDERS The Provincial Health Authority of Enna, represented by its legal representative pro tempore, with registered office at Viale Armando Diaz, 7 - 94100 Enna (EN), Tax Code 01151150867, to pay the sum of €20,000.00 (twenty thousand/00) as an administrative fine for the violations indicated in the reasons for the decision. It is hereby stated that the offender, pursuant to Article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half the imposed fine; ORDER - the aforementioned Health Authority, in the event of failure to resolve the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of €20,000.00 (twenty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this order, under penalty of the adoption of the subsequent enforcement proceedings pursuant to Article 27 of Law No. 689/1981; ORDERS - pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Guarantor Regulation No. 1/2019, the publication of the injunction order on the Guarantor's website; - pursuant to Article 154-bis, paragraph 3 of the Code and Article 37 of the Guarantor Regulation No. 1/2019, the publication of this provision on the Authority's website; - pursuant to Article 17 of the Guarantor Regulation No. 1/2019, the recording of violations and measures adopted pursuant to Article 58, paragraph 2 of the Regulation in the Authority's internal register provided for by Article 57, paragraph 1, letter u) of the Regulation. Pursuant to Articles 78 of the Regulation, 152 of the Code, and 10 of Legislative Decree No. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of notification of the provision itself, or within sixty days if the appellant resides abroad. Rome, June 18, 2026 THE PRESIDENT Stanzione THE RAPPORTEUR Ghiglia THE SECRETARY GENERAL Montuori