Azienda ospedaliera di Perugia

€40,000

Non-compliance with general data processing principles

Fecha de la decisión

7 de abril de 2022

Autoridad

Italian Data Protection Authority (Garante)

IT

Sector

Health Care

País

IT

Ley

GDPR

Estado

FINAL

Descripción

The Italian DPA (Garante) has fined Azienda ospedaliera di Perugia EUR 40,000. During an investigation at the healthcare facility, the DPA found multiple GDPR violations. The DPA's investigation took place as part of a series of inspections dealing with the processing of data in the context of whistleblower systems at employers. The healthcare facility used an open source-based whistleblowing web application. However, the application was accessed through systems that were not properly configured. This made it possible to record and store users' browsing data, thus identifying those users and, as such, potential whistleblowers. With respect to the processing of personal data, the health facility had failed to inform the employees in advance. In addition, the DPA found that the healthcare facility had not conducted a data protection impact assessment and had not registered the processing in the register of processing activities. Thus, no sufficient assessment of the risks to the rights and freedoms of the data subjects had been carried out. '

Citas legales

Art. 5 (1)Art. 13Art. 14Art. 25Art. 30Art. 32Art. 35

Problemas e infracciones

Non-compliance with general data processing principles
Ver documento oficial
Volver a la base de datos de multas
Multa anterior
Dutch Supervisory Authority for Data Protection (A...
Siguiente multa
Data Protection Authority of Hamburg (HmbBfDI) - C...

Manténgase al día sobre la aplicación de las normas de protección de la intimidad

Respetamos su intimidad. Un correo electrónico al mes, sin spam, darse de baja en cualquier momento.