{{DPAdecisionBOX
|Jurisdiction=Italy
|DPA-BG-Color=background-color:#095d7e;
|DPAlogo=LogoIT.png
|DPA_Abbrevation=Garante per la protezione dei dati personali
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)
|Case_Number_Name=10213894
|ECLI=
|Original_Source_Name_1=Garante per la protezione dei dati personali
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10213894
|Original_Source_Language_1=Italian
|Original_Source_Language__Code_1=IT
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=16.01.2025
|Date_Decided=
|Date_Published=16.01.2026
|Year=
|Fine=600
|Currency=EUR
|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=Article 5(1)(a) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1a
|GDPR_Article_3=Article 6 GDPR
|GDPR_Article_Link_3=Article 6 GDPR
|GDPR_Article_4=Article 57(1)(f) GDPR
|GDPR_Article_Link_4=Article 57 GDPR#1f
|GDPR_Article_5=Article 58(2)(i) GDPR
|GDPR_Article_Link_5=Article 58 GDPR#2i
|GDPR_Article_6=Article 83(1) GDPR
|GDPR_Article_Link_6=Article 83 GDPR#1
|GDPR_Article_7=Article 83(2) GDPR
|GDPR_Article_Link_7=Article 83 GDPR#2
|GDPR_Article_8=Article 83(5) GDPR
|GDPR_Article_Link_8=Article 83 GDPR#5
|GDPR_Article_9=
|GDPR_Article_Link_9=
|GDPR_Article_10=
|GDPR_Article_Link_10=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=Article 154
|National_Law_Link_1=https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2003-06-30;196%2521vig=
|National_Law_Name_2=Article 157
|National_Law_Link_2=https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2003-06-30;196%2521vig=
|National_Law_Name_3=Article 166
|National_Law_Link_3=https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2003-06-30;196%2521vig=
|National_Law_Name_4=
|National_Law_Link_4=
|National_Law_Name_5=
|National_Law_Link_5=
|Party_Name_1=Associazione Turistica Pro Loco di Cittareale
|Party_Link_1=https://www.cittareale.it/proloco.asp
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=ligialagev
|
}}
A tourist association was fined €600 for publicly disclosing the names of 23 members who had jointly requested access to financial records.
== English Summary ==
=== Facts ===
Some members of the Pro Loco Tourist Association of Cittareale (the controller) filed a complaint with the DPA, providing written evidence that the controller had included the names of 23 members (including the complainants) in the convocation notice for the association’s general assembly, held on 26 July 2024. These members had jointly requested access to the association’s financial statements and minutes from the past five years. The convocation notice was publicly posted on municipal notice boards and on the association’s website.
On 16th January 2025, the DPA sent a request for information to the controller, asking it to provide details on the purposes, legal basis, and expected duration of the publications. The request was duly delivered on 22 January 2025, but the controller did not respond. As of 1st July 2025, the DPA confirmed through its own searches that the assembly minutes were still publicly available online.
On 4th July 2025, the DPA notified the controller of the violation of Article 157 of the Italian Data Protection Code and, regarding the underlying processing, of violations of Articles 5(1)(a), 5(1)(c) and 6 GDPR.
The controller eventually replied on 8th July 2025, arguing that the publication was necessary to ensure broad participation, particularly among elderly members without access to digital tools. It maintained that the data involved was non-sensitive and low-risk, that the members had already made their names known by signing the joint request, and that it had promptly removed the notice upon learning of the complaint.
=== Holding ===
First, the DPA held that the controller publicly disclosed the names of 23 members by including them in a convocation notice posted on public notice boards and on its website. The DPA noted that this disclosure exceeded what was necessary for the purpose of convening the assembly: the controller could have referred to the existence of a joint request from a group of members (including the total number of signatories) without revealing individual identities. Since no appropriate legal basis under [[Article 6 GDPR|Article 6 GDPR]] was established, and the data subjects had not consented to the disclosure, the DPA found a violation of Articles 5(1)(a), 5(1)(c) and 6 GDPR.
Second, the DPA found that the controller failed to respond to its request for information sent on 16th January 2025, despite it having been duly delivered. The DPA held that this constituted a violation of Article 157 of the Italian Data Protection Code, which grants the DPA the power to require controllers to provide information and documents.
Taking into account several mitigating factors (including the absence of prior violations, the episodic nature of the breach, the fact that no special category data was involved, the non-profit and local nature of the association, and its commitment to adopting stricter measures going forward), the DPA fined the controller €600 for the combined violations.
== Comment ==
''Share your comments here!''
== Further Resources ==
''Share blogs or news articles here!''
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
<pre>
Provision of January 16, 2026 [10213894]
Provision of January 16, 2026
Register of Provisions
No. 7 of January 16, 2026
THE ITALIAN DATA PROTECTION AUTHORITY
IN today’s meeting, attended by Professor Pasquale Stanzione, President, Dr. Agostino Ghiglia and Guido Scorza, members, and Dr. Luigi Montuori, Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”);
SEEN Legislative Decree No. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter “Code”), as amended by Legislative Decree No. 101 of August 10, 2018, containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679”;
SEEN Regulation No. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Italian Data Protection Authority, approved by Resolution No. 98 of April 4, 2019, in gpdp.it, web doc. No. 9107633 (hereinafter “Regulation No. 1/2019”);
SEEN the documentation in the file;
SEEN the observations made by the Secretary General pursuant to Article 15 of Regulation No. 1/2000;
REPORTER: Prof. Pasquale Stanzione;
WHEREAS
1. The Report Received and the Initiation of the Sanctioning Procedure
1.1. Some members of the Pro Loco di Cittareale Tourist Association (hereinafter, the “data controller” or the “Association”) have complained, providing evidence in the documents, that the Association included in the body of the notice convening the members’ meeting (dated July 26, 2024, first call), making it public by posting it in public municipal spaces and online (via the Association’s website), the identifying information of 23 members, including the reporting parties, who had submitted a joint request to inspect the Association’s financial statements and minutes for the last five years.
1.2. With the note dated January 16, 2025 (ref. 5155), formulated pursuant to Article 157 of Legislative Decree No. 196 of June 30, 2003 (Personal Data Protection Code, hereinafter “Code”), the Office invited the Association to provide all information useful for assessing the case, with particular reference to the purposes, legality of the processing, and the expected duration of the aforementioned publications.
1.3. As of July 1, 2025, summary research conducted by the Office confirmed the continued publication of the minutes of the same members’ meeting online at https://….
1.4. Since the aforementioned request for information made by the Office on January 16, 2025, remained unanswered, despite having been duly delivered, the party was notified by letter dated July 4, 2025 (ref. no. 94936) of the violation of Article 157 of the Code and, with regard to the reported processing, of Articles 5, paragraph 1, letters a) and c), and 6 of the Regulation.
The same communication also notified, pursuant to Article 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the corrective measures referred to in Article 58, paragraph 2, and—if deemed applicable—the sanctions referred to in Article 83 of the Regulation.
1.5. The Association, the data controller, having been informed of its right to submit written defenses or documents in relation to the proceedings against it (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of November 24, 1981), submitted its observations in a letter dated July 8, 2025, in which it stated that the notice had “been posted on several municipal noticeboards and published on the Association’s website with the aim of ensuring maximum dissemination among members. In an area like Cittareale, characterized by a high percentage of elderly members lacking technological tools (email or other modern means of communication), this method was deemed necessary to guarantee the right to participation and respect the democratic principles that govern association life. The Association’s intention was to act with the utmost respect for the principles of inclusiveness and democratic participation, without any intent to violate current legislation.”
With more specific reference to the disputed facts, the Association emphasized that:
The published personal data “consisted exclusively of first and last names, membership status, and information regarding the request for access to financial statements. This information, which was non-sensitive and poses a very low privacy risk, was strictly connected to the democratic management of the Association and transparency towards members.”
The Association’s website, where the notice was published, is consulted primarily by members themselves and does not represent a platform for widespread public dissemination. Likewise, the posting on municipal noticeboards occurred in a local context and with access limited to the close community of Cittareale.
The members who signed the request for “inspection of the financial statements” had already published their names to various addresses, effectively contributing to a dissemination that the Association, in good faith, did not deem further harmful. Therefore, the publication of the notice was made with the presumption that the information was already accessible to interested parties and that this would not cause further harm to members.
Finally, the Association stated that it “promptly removed [the notice] from both the website and municipal noticeboards as soon as the report became known, as a further demonstration of its willingness to comply with regulatory provisions and protect members’ personal data,” expressing its commitment to “adopt more stringent measures in the future, such as anonymizing personal data in public notices and implementing more confidential communication channels, consistent with the limited resources available.”
2. The legal framework of the processing performed and the outcome of the investigation
2.1. All processing of personal data—in this case, the processing of published member identification data—must be carried out in compliance with applicable data protection legislation, and in particular, the provisions of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter, the “Regulation”) and Legislative Decree no. 196 of 30 June 2003 (Italian Personal Data Protection Code, hereinafter, the “Code”).
The processing of personal data must be carried out, among other things, in compliance with the principles of “lawfulness, fairness, transparency” and “data minimization,” according to which personal data must be “processed lawfully, fairly, and in a transparent manner in relation to the data subject” and must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed” (Article 5, paragraph 1, letters a) and c) of the Regulation).
Even within the association, to fully implement the principles of personal data protection, the personal data of members may be processed and, where relevant, disclosed, unless there is another legal basis pursuant to Article 6 of the Regulation, when and to the extent necessary to fulfill the obligations arising from the membership, consistent with the purposes pursued by the association itself, as identified in the articles of association, the bylaws, and any other appropriate resolutions adopted pursuant to the association’s internal operating rules. The existence of this circumstance has not been proven in this case, nor is it apparent that the data subjects whose data were disclosed have given their consent to this processing (see, on this point, Decision No. 239 of June 30, 2022, web doc. No. 9803345; Decision No. 340 of October 20, 2022, web doc. No. 9831323; Decision No. 20 of January 11, 2023, web doc. No. 9868111).
2.2. The processing of personal data carried out in this case by the Association, up until the corrective measures referred to in the aforementioned defense note, did not comply with the above-mentioned regulatory framework because it was carried out in a manner that did not comply with the aforementioned principles of “lawfulness, fairness, and transparency,” as well as data “minimization,” in violation of Articles 5, paragraph 1, letters a) and c), and 6 of the Regulation.
With specific reference to the reported case, consisting of the publication of the identification data of members requesting access to the financial statements, it must be considered that the dissemination of such data (including through the association’s website and on notice boards located throughout the area) exceeds the purpose of the publication relating to the convocation of the meeting and violates the provisions of art. 5, paragraph 1, letters a) and c) of the Regulation. The Association is entitled, in any case, even if it wishes to pursue the goal of maximum transparency in its actions, to account for the request made by a group of members (including indicating their total number), without disclosing the identity of the individual applicants.
2.3. From a different perspective, it has also been established that the Association, in response to the request for information formulated by the Authority pursuant to Article 157 of the Code, duly delivered on January 22, 2025, failed to provide any response, thus violating Article 157 of the Code, a provision that grants the Guarantor, in exercising its powers, “the power to request the data controller, the data processor, the data controller’s or data processor’s representative, the interested party, or even third parties to provide information and produce documents, including those relating to the contents of databases.” Failure to comply with this provision is sanctioned by Article 166, paragraph 2 of the Code, as also stated in the same request for information sent by the Office (in this regard, see Cass., Sez. Civ. II, ord. 12.6.2018, no. 15332, which clarifies that the sanction for failure to comply with the obligation to cooperate highlights “the Legislator’s interest in encouraging cooperation for the prompt intervention of the public body responsible for the protection of personal rights of eminent constitutional importance”).
3. Unlawfulness of Processing
3.1. In light of the above considerations, the processing carried out by the Association must be considered unlawful as it violates Articles 5, paragraph 1, letters a), c), and 6 of the Regulation. This is due to both the violation of the principle of relevance and non-excessiveness with respect to the alleged disclosure of personal data, and the lack of an appropriate legal basis pursuant to Article 6 of the Regulation for the described disclosure of personal data.
The violation established in the terms set out in the reasons cannot be considered “minor” (see recital 148 of the Regulation), so that, having established the unlawfulness of the conduct described above, an injunction must be issued pursuant to Article 58, paragraph 2, letter i) of the Regulation for the application of an administrative pecuniary sanction.
3.2. Furthermore, as stated above, Article 157 of the Code must also be considered violated due to the failure to cooperate with the Data Protection Authority during the investigations related to the reported facts.
4. Injunction Order
The Data Protection Authority, pursuant to Article 58, paragraph 2, letter i) of the Regulation and Article 166 of the Code, has the power to impose an administrative fine pursuant to Article 83, paragraph 5, of the Regulation, by issuing an injunction order (Article 18 of Law No. 689 of 24 November 1981) in relation to the processing of personal data carried out by the data controller.
With reference to the elements listed in Article 83, paragraph 2 of the Regulation for the purposes of applying the administrative fine and quantifying it, given that the fine must be “effective, proportionate, and dissuasive in each individual case” (Article 83, paragraph 1, of the Regulation), the following circumstances were taken into account as mitigating factors in this case:
a. the lack of specific prior history of violations of personal data protection legislation against the data controller;
b. the episodic nature of the violation;
c. the fact that the personal data affected by the violation, while allowing third parties to become aware of the membership of the members whose data were disclosed, did not involve the special categories of personal data referred to in Article 9 of the Regulation;
d. the nature of the processing, carried out within an association, non-profit, on a territorial basis, and of primarily local interest;
e. the Association’s commitment to adopt more stringent measures in future public notices.
Based on the above factors, assessed as a whole, and the principles of effectiveness, proportionality, and dissuasiveness set forth in Article 83, paragraph 1, of the Regulation, it is deemed appropriate to set the total fine at €600.00 (six hundred euros) for both the violation of Articles 5, paragraph 1, letters a), c), and 6 of the Regulation and Article 157 of the Code, non-compliance with which is sanctioned pursuant to Article 166, paragraph 2 of the Code and the aforementioned Article 83, paragraph 5 of the Regulation.
THEREAFTER, THE AUTHORITY
declares, pursuant to Articles 57, paragraph 1, letter f), and 83 of the Regulation, the unlawfulness of the processing described above, carried out by the data controller identified in the preamble (in point 1), in violation of Articles 5, paragraph 1, letters a), c), and 6 of the Regulation;
ORDERS
the data controller to pay the sum of €600.00 (six hundred) as an administrative fine for the violations indicated in the grounds, both in relation to the unlawful dissemination of personal data and in relation to the failure to cooperate with the Authority when requesting information;
ORDERS
the Association to pay the sum of €600.00 (six hundred), according to the procedures indicated in the attachment, within 30 days of notification of this order, under penalty of the adoption of the resulting enforcement measures pursuant to Article 27 of Law No. 689/1981.
It is hereby stated that, pursuant to Article 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying—again according to the methods indicated in the attachment—an amount equal to half the fine imposed within the deadline set out in Article 10, paragraph 3, of Legislative Decree No. 150 of September 1, 2011, for filing an appeal as indicated below.
ORDERS
pursuant to Article 154-bis, paragraph 3, of the Code and Article 37 of the Guarantor’s Regulation No. 1/2019, in consideration of the unlawful widespread circulation of members’ personal data in the manner described and due to the failure to cooperate with the Authority in the ways referred to, the publication of this provision on the Guarantor’s website;
pursuant to Article 17 of the Guarantor’s Regulation No. 1/2019, the recording of violations and measures adopted pursuant to Article 58, paragraph 2 of the Regulation, in the Authority’s internal register provided for by Article 57, paragraph 1, letter u), of the Regulation.
Pursuant to Article 78 of the Regulation, Article 152 of the Code, and Article 10 of Legislative Decree No. 150 of September 1, 2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of notification of the provision itself, or within sixty days if the appellant resides abroad.
Rome, January 16, 2026
THE PRESIDENT
Stanzione
THE REPORTER
Stanzione
THE SECRETARY GENERAL
Montuori
</pre>