In Italy, the Garante, the Italian supervisory authority, issued a decision on January 27, 2021, imposing a fine of EUR 50,000 on a hospital that had been charged with a breach of data protection requirements for health data (Decision in Italian).
The case concerned data of a patient who had specifically ordered in a special form not to inform third parties about her planned abortion and to use a separate telephone number for contacting her. This form was not included in the patient’s file. A nurse subsequently called the patient at the landline number stored in the patient file. To the husband, who answered the call, she gave the type of ward where the patient was admitted, but no other information about the patient’s medical condition. The guarantor nevertheless evaluated this information as a health record within the meaning of Art. 4 No. 15 GDPR.
The buses were determined according to the following criteria, among others:
- Negative effects on the patient’s private life
- Disclosure of health data
- special protection of data on abortions
- Lack of technical and organizational security measures
- apparently exemplary cooperation of the hospital in the investigation.
As a “complementary sanction”, the publication of the decision on the Garante’s website was ordered (“la sanzione accessoria della pubblicazione sul sito del Garante”).
Naming and shaming is a deliberate ancillary sanction of Italian data protection law. Art. 166 Par. 7 of the Privacy code provides for this:
7. nell’adozione dei provvedimenti sanzionatori nei casi di cui al comma 4 si osservano, in quanto applicabili, gli articoli da […]; nei medesimi casi può essere applicata la sanzione amministrativa accessoria della pubblicazione dell’ordinanza-ingiunzione, per intero o per estratto, sul sito internet del Garante.
When adopting sanction measures in the cases referred to in paragraph 4 of this Article, Article […] shall be observed to the extent that it is applicable; in the same cases, it may be as an accessory administrative sanction, the publication of the cease-and-desist order in whole or in part on the Guarantor’s Website.]
The same provision, moreover, provides that 50% of the proceeds of the fine shall be allocated to the fund that finances the activities of the Garante (Art. 156 of the Codice).