Lde: Created page with “{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=10218564 |ECLI= |Original_Source_Name_1=GPDP |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10218564 |Original_Source_Language_1=Italian |Original_Source_Language__Code_1=…”
|Jurisdiction=Italy
|DPA-BG-Color=background-color:#095d7e;
|DPAlogo=LogoIT.png
|DPA_Abbrevation=Garante per la protezione dei dati personali
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)
|Case_Number_Name=10218564
|ECLI=
|Original_Source_Name_1=GPDP
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10218564
|Original_Source_Language_1=Italian
|Original_Source_Language__Code_1=IT
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=
|Date_Published=
|Year=
|Fine=6000
|Currency=EUR
|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 5(1)(c) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1c
|GDPR_Article_3=Article 6 GDPR
|GDPR_Article_Link_3=Article 6 GDPR
|GDPR_Article_4=Article 9(2)(b) GDPR
|GDPR_Article_Link_4=Article 9 GDPR#2b
|GDPR_Article_5=Article 25 GDPR
|GDPR_Article_Link_5=Article 25 GDPR
|GDPR_Article_6=
|GDPR_Article_Link_6=
|GDPR_Article_7=
|GDPR_Article_Link_7=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=lde
|
}}
The DPA imposed a €6,000 administrative fine on a public hospital for unlawfully circulating an employee’s health data internally by sending it to shared email inboxes accessible to staff who were not authorised to process it.
== English Summary ==
=== Facts ===
The data subject, an employee of a public hospital, lodged a complaint alleging that a technical expert report prepared in the context of ongoing litigation with his employer had been circulated internally within the workplace. The document contained personal data relating to the employment dispute as well as detailed information concerning the data subject’s health, including a list of specialist medical examinations.
The controller sent the document via certified email (PEC) to several internal units, including public relations, medical-legal services, and human resources, using shared email inboxes accessible to multiple employees with different roles and responsibilities. As a result, numerous staff members who were not directly involved in the litigation and did not require access to the information were able to view the document.
The controller argued that the internal circulation was necessary for handling the litigation, that staff members were bound by confidentiality obligations, and that there was no evidence that unauthorised employees had actually opened or read the document. Moreover, it was argued that due to understaffing and limited resources, many employees covered multiple tasks outside of their primary ones.
=== Holding ===
The DPA found that the controller had unlawfully communicated personal data, including health data, to internal recipients who were not authorised to process such information for their specific job functions.
It held that, even within an employment relationship and in the context of public-sector tasks, the processing and internal communication of personal data must be strictly limited to what is necessary and proportionate. The use of shared email inboxes accessible to staff with heterogeneous roles violated the principles of lawfulness, data minimisation, and data protection by design and by default under Articles 5 and 25 GDPR.
The DPA rejected the controller’s argument that confidentiality duties and organisational constraints justified the broad circulation of the document. It stressed that the absence of proof that unauthorised staff actually accessed the document was irrelevant, as the unlawful disclosure consisted in making the data accessible.
The controller was found to have infringed Articles 5(1)(a) and (c), 6, and 9(2)(b) GDPR, as well as the relevant national provisions, and was ordered to pay an administrative fine of €6,000.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
<pre>
[web doc. no. 10218564]
Provision of January 16, 2026
Register of Provisions
No. 3 of January 16, 2026
THE ITALIAN DATA PROTECTION AUTHORITY
IN today’s meeting, attended by Professor Pasquale Stanzione, President, Dr. Agostino Ghiglia and Guido Scorza, Attorney, members, and Dr. Luigi Montuori, Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, the “Regulation”);
SEEN Legislative Decree No. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter the “Code”);
CONSIDERING Regulation No. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with Resolution No. 98 of 4 April 2019, published in the Official Journal No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter “Data Protection Authority Regulation No. 1/2019”);
Having seen the documentation on file;
Having seen the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1/2000 on the organization and functioning of the Office of the Guarantor for the Protection of Personal Data, web doc. No. 1098801;
Rapporteur: Dr. Agostino Ghiglia;
WHEREAS
1. Introduction.
With a complaint filed pursuant to Article 77 of the Regulation, Mr. XX, an employee of the S. Pio Hospital in Benevento (hereinafter the “Hospital”), complained about the circulation within the workplace of documents relating to an ongoing dispute with the administration, specifically the party-appointed technical expert report (hereinafter the “CTP”).
In particular, he stated that “the CTP contains information related to work-related matters, sensitive data relating to health status, as well as a detailed list of specialist visits to which [the appellant] has been subjected.”
2. The preliminary investigation.
In response to a request for information from the Authority, the Hospital, in a note dated 20th December, stated, in particular, that:
“For the purposes of the preliminary investigation relating to the appellant’s legal documents […] following an urgent request from the defense attorney, reports were requested from the recipients and holders of duties and responsibilities pertaining to the appeal, from certified email addresses (PEC), where available, and from individual company email addresses”;
“In particular, [reports were requested]: – from the UOC URP, via certified email, because that structure also includes the URS, of which the appellant was a member; – from the UOC DMP, via certified email, for the medico-legal aspects; – to the Human Resources Unit, via certified email, because the URS was previously assigned to the HR and because the appeal concerns that Department”;
Requests were also sent “to XX’s personal email address, because the appeal concerns the post of P.O., held in the Department and the UOC of which this Medical Director is Director; to XX’s personal email address, as the Director in charge of the Healthcare Professions/Nursing Service, where the P.O. position held by the appellant is located”;
“It is noted that these Directors of the Department/Complex Structure and the Director in charge of the Healthcare Professions/Nursing Service are responsible for privacy/data processing matters as they were expressly delegated in this regard by resolution no. 437/2018, no. 505 of 05/09/21”.
With a note dated 20th, the Office, based on the information acquired, the investigations carried out, and the facts emerging from the preliminary investigation, notified the Hospital, pursuant to Article 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation, for having communicated to various offices, and in particular to the Complex Operating Unit – Public Relations Office, which includes the Union Relations Office, the Complex Operating Unit – Medical Department, and the Complex Operating Unit – Human Resources, via the shared email address accessible to personnel performing various functions and tasks within the administration, the CTP containing also data on the interested party’s health, in violation of Articles 5, paragraph 1, letters a) and c), 6 and 9, paragraph 2, letter b) of the Regulation, and Article 2-ter of the Code.
With the same note, the aforementioned owner was invited to submit written defenses or documents to the Guarantor or to request a hearing by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of November 24, 1981).
With a note dated XX, the Hospital Trust, which did not request a hearing, submitted a defense brief, declaring, in particular, that:
“unlike large institutions […], the operating procedures of an institution with a small number of administrative staff [must] necessarily include the assignment/pro-unit of a plurality of responsibilities, also in order to ensure, in the management of various types of absences of operators, the continuity of an essential public service such as that provided by a Hospital”;
“The Hospital, to ensure compliance with the provisions regarding privacy and personal data protection, has established the following in the Code of Conduct (CC) and the Code of Ethics (CE), approved with resolution no. 457 of 13/07/2018 […], which establish: recipients are required not to use confidential information for purposes not related to the performance of their duties (Code of Ethics, art. 2.2, letter d, last part); the use of data and information acquired in the performance of their duties or for the purpose of their position, for their own benefit or that of others, is contrary to the interests of the Hospital (CE, art. 2.2, letter e, second paragraph); and, above all, the prohibition on using information obtained in their official capacity for private purposes (Code of Conduct: art. 4, paragraph 4, third paragraph); the obligation of confidentiality in the provision of healthcare services, and to respect professional and official secrecy (Code of Conduct, art. 4, paragraph 4, final subparagraph)”;
“Moreover, there has been no evidence whatsoever that the employees authorized to use the certified email (but not involved in the assignment of the procedure) actually viewed it—a possibility that is merely potential—so as to gain actual knowledge of the contents of that specific document (CTP), among the various attachments included in the appeal, contained in the certified email in question”;
“the absence of evidence provided by the appellant of any data leakage that caused him any harm, even potential harm, an aspect that is not in any way contested, given that there has never been—it is reiterated—proof that the relevant UOC employees—authorized but not involved in the specific procedure as they were not assigned to the case—even so much as viewed (in any case bound by the strict observance of professional secrecy) the contents of the documentation concerning the appellant.”
3. Outcome of the investigation.
Following the investigation, it was established, in particular, that the Hospital sent the CTP containing the complainant’s personal data, including health-related data, via certified email (PEC) to various offices, specifically: the Complex Operating Unit – Public Relations Office, which includes the Union Relations Office, whose certified email address is accessible to two employees from the same office; the Complex Operating Unit – Presidia Medical Department, whose certified email address is accessible to two employees, each with the title of administrative assistant; and the Complex Operating Unit – Human Resources, whose certified email address is accessible to twenty employees of various qualifications.
Personal data protection legislation provides that public bodies, within the employment context, may process the personal data of data subjects, including data relating to special categories of data subjects, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks established by law or by Union or Member State law (Articles 6, paragraph 1, letter c), 9, paragraph 2, letter b), 4, and 88 of the Regulation). Processing is also lawful when it is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6, paragraphs 1, letter e), 2 and 3, and Article 9, paragraph 2, letter g), of the Regulation; Article 2-ter of the Code and Article 2-sexies, paragraph 1, of the Code). Such processing must, however, be based on Union or Member State law, which must pursue an objective of public interest and be proportionate to the pursuit of that objective. The purpose of the processing must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this regard, it is noted that the “communication” of personal data by public bodies is permitted only when provided for by an appropriate legal basis (see Article 6, paragraph 3, of the Regulation and Article 2-ter of the Code).
The employer, the data controller, is, in any case, required to comply with the general principles of personal data protection (Article 5 of the Regulation) and must process the data through “authorized” personnel who have been “trained” regarding data access and processing (Articles 4, point 10), 29, and 32, paragraph 4, of the Regulation).
As is well known, since 2007, the Garante has clarified that, within the context of the employment relationship, employees’ personal data cannot, as a rule, be disclosed to anyone other than those involved in the specific employment relationship or to specifically authorized personnel, due to the duties performed within the data controller’s organization. This is in accordance with the definitions of “personal data” and “data subject” contained in Article 4, paragraph 1, no. 1, of the Regulation (see points 2, 4, 5.1, and 5.3 of the “Guidelines on the Processing of Workers’ Personal Data for the Purposes of Managing Employment Relationships in the Public Sector,” dated June 14, 2007, web doc. no. 1417809. Although adopted within the context of the previous regulatory framework for the protection of personal data, these guidelines still provide valid guidance). The administration, as an employer, must, however, adopt technical and organizational measures to prevent unjustified disclosure of its employees’ personal data to other colleagues or third parties. This is to prevent the unauthorized circulation of personal information—in this case, particularly sensitive data such as health data—not only externally but also within the workplace by unauthorized parties. This is because making data available to parties who, although part of the data controller’s organization, cannot, due to their role and functions within that organization, be considered “authorized” to process it (see Articles 4(10), 28(3)(b), 29, and 32(4) of the Regulation, as well as Article 2-quaterdecies of the Code), may give rise to a communication of personal data in the absence of a legal basis (see, among many, provisions no. 485 of 11 September 2025, web doc. no. 10177237; 27 February 2025, no. 101, web doc. no. 10123227; 27 February 2025, no. 92, web doc. no. 10114763; 3 February 2025, no. 70, web doc. no. 10118395; 30 January 2025, no. 35, web doc. no. 10112709; 30 January 2025, no. 36, web doc. no. 10112750; 26 September 2024, no. 606, web doc. no. 10068155; June 1, 2023, no. 223, web doc. no. 9916798; March 23, 2023, no. 82, web doc. no. 9885151; February 23, 2023, no. 43, web doc. no. 9868646; September 16, 2021, no. 322, web doc. no. 9711517; May 27, 2021, no. 214, web doc. no. 9689234; June 18, 2020, no. 105, web doc. no. 9444865; March 24, 2022, no. 98, web doc. no. 976305; February 11, 2021, no. 50, web doc. no. 9562866; July 31, 2014, no. 392, web doc. no. 3399423; October 3, 2013, no. 431, web doc. no. 2747867; May 8, 2013, no. 232, web doc. no. 2501216; October 18, 2012, no. 296, web doc. no. 2174351, and no. 297, web doc. no. 2174582).
In any case, the employer is required to limit access to employees’ personal data to only those individuals who actually need it due to the functions performed within the data controller’s organization and each individual organizational unit or structure, and to avoid any opportunity for unnecessary and unjustified access to the data by unauthorized persons. In this regard, with particular regard to the case under complaint, it is also emphasized that “the employer must also take special precautions when transmitting personal information that may occur between the same persons in charge or responsible for ongoing personnel organization and management activities […] and avoid, as a matter of principle, making unnecessary specific references to specific personal conditions relating to individual employees, especially those concerning health conditions, selecting the information that is indispensable, relevant, and not excessive from time to time” (see especially point 5.1 of the aforementioned Guidelines).
In this regard, it should be noted that, although the Hospital Trust declared that the employees of the above-mentioned offices had been provided with all necessary instructions and that they were bound by strict confidentiality obligations, it did not demonstrate that all recipients of the aforementioned communication, including the attached CTP, were actually authorized, by virtue of the tasks assigned to them and the duties performed, to process the specific personal data in question, including health-related data, relating to the complainant. This is also particularly true for the twenty employees of the Human Resources Office, given the information provided regarding their roles and specific duties (see: 1 employee assigned to the “Secretariat for Health Professionals and Officials”; 1 employee assigned to the “Secretariat for Assistants”; 1 employee assigned to “Financial Affairs for Health Professionals and Officials”; 2 employees assigned to “Competitions for Health Professionals and Officials”; 1 employee assigned to “Financial Affairs – Assistants”; 2 employees assigned to “Social Security – Assistants”; 5 employees assigned to “Competitions for Assistants”; 1 employee assigned to “Art. 53 – Assistants”; 2 employees assigned to “Management of Health Professionals and Officials”; 1 employee assigned to “Financial Affairs – PTA Manager”).
In particular, although the aforementioned employees, according to what was declared and as can be seen from the documentation in the file, had access to the shared email inbox of the Human Resources Office attributed to the entire organizational unit, it must be considered that the transmission channel used in this case did, in fact, inform colleagues of the complainant of events related to the administration’s dispute with the data subject and of personal data, including data relating to his health, even though those colleagues, as confirmed by the data controller (“the employees authorized to use the certified email (but not affected by the assignment of the procedure) […] as they were not assigned to the case”, see note of XX), had no need to know the aforementioned information due to the specific tasks performed. Indeed, for example, the performance of specific duties by personnel assigned to the “competition area” or the “social security area” is not in itself sufficient to justify the provision of documentation regarding the administration’s dispute with the interested party and the data contained therein, including the interested party’s health data.
More generally, it is noted that, based on the principle of “data protection by design” (Article 25, paragraph 1, of the Regulation), the data controller must adopt appropriate technical and organizational measures to implement the data protection principles (Article 5 of the Regulation), integrating the necessary safeguards into the processing to meet the requirements of the Regulation for the protection of the rights and freedoms of data subjects and, in accordance with the principle of “data protection by default” (Article 25, paragraph 2, of the Regulation), must make choices that ensure that, by default, only processing that is strictly necessary to achieve a specific and lawful purpose is guaranteed (see “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default”, adopted on 20 October 2020 by the European Data Protection Board, esp. points 42, 44 and 49). In light of these considerations, in this specific case, a transmission channel should have been used to ensure that documentation relating to the data subject’s dispute was received exclusively by those who, in the performance of their duties, were required to process the aforementioned data (for example, by selecting only individual email addresses among the recipients, thus ensuring that only the personnel actually required to be involved actually received the information). This should not have been achieved by using an email address shared by a number of employees with different roles and responsibilities, even if they belong to a larger organizational unit.
From a different but related perspective, a version of the aforementioned CTP devoid of personal details about the complainant, specifically the detailed list of the specialist visits he had undergone, should have been sent, in compliance with the principles of necessity, lawfulness, and minimization (for example, by obscuring, including by means of redaction, all references to the complainant and his health conditions), thus avoiding informing all colleagues in the offices to which the document was sent of particularly sensitive information, such as that concerning health.
Furthermore, the Hospital’s argument that “the operating procedures of an institution with a small number of administrative staff [must] necessarily include the assignment/pro-unit of a plurality of competences” cannot be considered sufficient for the purposes of excluding the data controller’s liability. As clarified by the Guarantor on numerous occasions and as reported above, the scope of access to employees’ personal data, especially if related to health and with a view to preventing the improper circulation of information pertaining to the individual employment relationship of each data subject among colleagues, must be strictly limited to those individuals who, within the overall organizational reality and in individual offices, are actually authorized to process such data for the performance of their work activities.
In light of the foregoing considerations, it is clear that the provision of the CTP to a shared email address, accessible to personnel performing various functions and tasks within the administration, which also contained data on the data subject’s health, resulted in the disclosure of highly sensitive and delicate matters concerning an employee to numerous colleagues, not all of whom were authorized to process the aforementioned personal data in the course of their work. This meant that the aforementioned information, disclosed to individuals who were not all authorized to process it, resulted in the disclosure of personal data in violation of Articles 5, paragraph 1, letters a) and c), 6, and 9, paragraph 2, letter b) of the Regulation and Article 2-ter of the Code.
4. Conclusions.
In light of the above assessments, it is noted that the statements made by the data controller during the investigation – for the veracity of which it may be held accountable pursuant to Article 168 of the Code – although worthy of consideration, do not address the concerns notified by the Office with the document initiating the proceedings and are insufficient to allow the dismissal of this proceeding. Furthermore, none of the cases envisaged by Article 11 of the Garante’s Regulation No. 1/2019 apply.
The Office’s preliminary assessments are therefore confirmed and the Hospital’s processing of personal data, including health-related data, is found to be unlawful due to the lack of a legal basis, in violation of Articles 5, paragraph 1, letters a) and c), 6, and 9, paragraph 2, letter b) of the Regulation and Article 2-ter of the Code.
Given that the violation of the aforementioned provisions occurred as a result of a single conduct (the same processing or related processing), Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case at hand, the most serious violations, relating to Articles 5, paragraph 1, letters a) and c), 6, and 9, paragraph 2, letter b) of the Regulation and Article 2-ter of the Code, are subject to the sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000.
In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to Article 58, paragraph 2, of the Regulation are not met.
5. Adoption of the injunction order for the application of the administrative pecuniary sanction and additional sanctions (Articles 58, paragraph 2, letters i) and 83 of the Regulation; Article 166, paragraph 7, of the Code).
The Guarantor, pursuant to Articles 58, paragraph 2, letters i) and 83 of the Regulation as well as Article 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] corrective measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case.” Within this framework, “the [Garante] Panel shall adopt the injunction order, by which it also orders the application of the additional administrative sanction, its publication, in full or in extract, on the Garante’s website pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Garante Regulation No. 1/2019).
In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case, violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for in Article 83, paragraph 5, of the Regulation.
The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in amount, taking due account of the factors set out in Article 83, paragraph 2, of the Regulation.
Considering that:
With specific regard to the nature, severity, and duration of the violation, it must be emphasized that the processing concerned the personal data of a single worker (Article 83, paragraph 2, letter a), of the Regulation);
With specific regard to the subjective aspect, the violation was committed in the belief of having acted correctly, having been caused by an error of assessment (Article 83, paragraph 2, letter b), of the Regulation);
The processing involved highly sensitive information, including the complainant’s health data (see Article 83, paragraph 2, letter g), of the Regulation).
In this case, the severity of the violation committed by the data controller is considered to be medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative fines under the GDPR,” dated May 24, 2023, point 60).
That said, it is believed that, for the purposes of quantifying the fine, the following circumstances should be taken into consideration:
The hospital cooperated well with the Authority during the investigation (Article 83, paragraph 2, letter f), of the Regulation);
The Hospital has declared that it has provided its employees with specific instructions aimed at complying with the provisions regarding the protection of personal data (see Article 83, paragraph 2, letter c), of the Regulation);
There are no previous relevant violations committed by the Hospital (Article 83, paragraph 2, letter e), of the Regulation).
Based on the above factors, assessed as a whole, it is deemed appropriate to determine the amount of the fine at €6,000 (six thousand) for the violation of Articles 5, paragraph 1, letters a) and c), 6, and 9, paragraph 2, letter b) of the Regulation and Article 2-ter of the Code, as an administrative fine deemed, pursuant to Article 83, paragraph 1, of the Regulation, to be effective, proportionate, and dissuasive.
It is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Data Protection Authority Regulation No. 1/2019, this chapter containing the injunction order must be published on the Data Protection Authority’s website. This is in light of the sensitive nature of the information being processed.
Finally, it is noted that the conditions set forth in Article 17 of Regulation No. 1/2019 are met.
NOW CONSIDERING ALL THE ABOVE, THE DATA PROTECTION AUTHORITY
declares, pursuant to Article 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the S. Pio Hospital – Benevento for violation of Articles 5, paragraph 1, letters a) and c), 6, and 9, paragraph 2, letter b) of the Regulation and Article 2-ter of the Code as set out in the reasons given;
ORDER
The S. Pio Hospital – Benevento, represented by its legal representative pro tempore, with registered office at Via dell’Angelo No. 1, Benevento (BN), Fiscal Code 01009760628, to pay the sum of €6,000 (six thousand) as an administrative fine for the violations indicated in the grounds. It is hereby stated that the offender, pursuant to Article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half the imposed fine;
ORDERS
In the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of €6,000 (six thousand) according to the methods indicated in the attachment, within 30 days of notification of this order, under penalty of the adoption of the subsequent enforcement proceedings pursuant to Article 27 of Law No. 689/1981;
ORDERS
– pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Guarantor Regulation No. 1/2019, the publication of the injunction order on the Guarantor’s website;
– pursuant to Article 154-bis, paragraph 3 of the Code and Article 37 of the Guarantor Regulation No. 1/2019, the publication of this order on the Authority’s website;
– pursuant to Article 17 of the Guarantor Regulation No. 1/2019, the recording of violations and measures adopted pursuant to Article 58, paragraph 2 of the Regulation, in the Authority’s internal register provided for by Article 57, paragraph 1, letter u) of the Regulation.
Pursuant to Articles 78 of the Regulation, 152 of the Code, and 10 of Legislative Decree No. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of notification of the provision itself, or within sixty days if the appellant resides abroad.
Rome, January 16, 2026
THE PRESIDENT
Stanzione
THE REPORTER
Ghiglia
THE SECRETARY GENERAL
Montuori
</pre>