Azienda Universitaria Giuliano Isontina: Insufficient legal basis for data processing

The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Giuliano Isontina . The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients' personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected.

GDPR Articles: Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 35 GDPR, Art. 2-sexies Codice della privacy
Industry: Health Care