- Date of final decision: 28 April 2022
- Cross-border case or national case: National case
- Controller: Istituto Nazionale Assicurazione Infortunio sul Lavoro (INAIL), the National Agency for Insurance Against Occupational Accidents.
- Legal Reference: GDPR: Art. 5.1, letters a) and f) (lawfulness, fairness and transparency; integrity and confidentiality); Art. 6. 1, letter e); Art. 9.2, letter g) (lawfulness of processing also regarding health data); Art. 32 (security); Art. 33 (personal data breach).
Italian DP Code: sections 2-b and 2-f (lawfulness of processing also regarding health data / unlawful communication of personal data).
- Decision: finding of infringements of the GDPR (imposition of administrative fine); finding of data breaches.
- Key words: employees; health data; occupational accidents.
Summary of the Decision
Origin of the case:
Notification of data breach to the Italian SA. The breach originated from three Italian incidents that resulted into unauthorised accesses to the data relating to employees, in particular data on their health and occupational accidents.
The “Virtual Desk” managed by INAIL enabled a few users to access other workers’ files relating to occupational accidents and diseases. In one case the incident occurred following execution of an obsolete release of the “Virtual Desk” on account of a human error. The investigations found that INAIL was liable for unauthorised accesses to third parties’ (i.e., other users’) personal data including health data (Art. 4.10 GDPR), which amounted to the unauthorised disclosure of personal data; and that no adequate technical and organisational measures were in place to ensure the appropriate security level in light of the risks arising from the given processing, which resulted in turn into the personal data breaches at issue.
The Italian SA found that a public body tasked with key public functions entailing the processing of highly sensitive data - relating at times to highly vulnerable individuals - was required under the accountability principle to implement such technical and organisational measures as could ensure confidentiality of the data and integrity of the relevant systems and services on a permanent basis. Taking account of the fully cooperative approach shown by INAIL in the course of the fact-finding activities as well as of the small number of individuals affected by the data breaches in question, the Italian SA imposed an EUR 50,000 administrative fine.
For further information: national language decision.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.