Skip to content
News
EN

Cass.Civ. - 15625/2026

GDPRhub

Content

=== Facts ====== Facts === Istituto nazionale della previdenza sociale (INPS, the controller) is the Italian National Institute for Social Security. In 2021, the DPA fined the controller €300,000 for its data processing activities linked to a subsidy given during the pandemic (also called “the COVID bonus”). The DPA found that the controller had postponed its second screening of verifying the eligibility of data subjects to a later stage, on the grounds that there was a need to immediately pay the subsidy. The controller considered that politicians did not fall under the scope of eligible data subjects, as they were already enrolled in a mandatory social security scheme. The controller processed their personal data from databases to cross reference them with data subjects who had applied for the subsidy. The DPA found a violation of several GDPR principles: the principle of lawfulness (Article 5(1)(a) GDPR), data minimisation (Article 5(1)(c) GDPR), accuracy (Article 5(1)(d) GDPR) and