ASST di Lodi

Opis

The Italian DPA (Garante) has imposed a fine of EUR 1,000 on ASST di Lodi. The healthcare facility had reported a data breach to the DPA pursuant to Art. 33 GDPR. A patient had provided two contacts for their medical affairs. The facility had been explicitly authorized to obtain medical information of the patient from these two persons in case of emergency. In the context of an important diagnostic examination of the patient, the two authorized contacts were not reachable, so a healthcare facility employee asked a family member they personally knew for the information. During its investigation, the DPA found that the healthcare facility processed the data subject's information without the data subject's consent and, therefore, without a valid legal basis. In addition, the DPA concluded that the healthcare facility had not taken appropriate technical and organizational measures to protect personal data in order to prevent such incidents.