Skip to content
Enforcement
EN

ASST di Lodi: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Italian Data Protection Authority (Garante)

€1,000 Fine
ASST di Lodi
ITALY
Insufficient technical and organisational measures to ensure information security

Content

The Italian DPA (Garante) has imposed a fine of EUR 1,000 on ASST di Lodi. The healthcare facility had reported a data breach to the DPA pursuant to Art. 33 GDPR. A patient had provided two contacts for their medical affairs. The facility had been explicitly authorized to obtain medical information of the patient from these two persons in case of emergency. In the context of an important diagnostic examination of the patient, the two authorized contacts were not reachable, so a healthcare facility employee asked a family member they personally knew for the information. During its investigation, the DPA found that the healthcare facility processed the data subject's information without the data subject's consent and, therefore, without a valid legal basis. In addition, the DPA concluded that the healthcare facility had not taken appropriate technical and organizational measures to protect personal data in order to prevent such incidents.

GDPR Articles: Art. 5 (1) f) GDPR, Art. 9 GDPR, Art. 32 GDPR
Industry: Health Care