Italy: Issued Injunction Order to Hospital Company for Patient Data Disclosure Constituting GDPR and Italian Data Protection Code Violation

Description

On 26 January 2023, the Italian Data Protection Authority (DPA) issued an injunction order against Hospital Company Bianchi Melacrino Morelli for disclosing a patient’s medical records to another individual, thus failing to comply with the European General Data Protection Regulation (GDPR) and with the Italian Data Protection Code. The DPA found that the company had violated several provisions of the GDPR and the Italian Data Protection Code and imposed an administrative fine on the company. The DPA also ordered the company to take several corrective measures, including the suspension of the online sending of medical reports, the request to destroy personal data obtained by an unauthorized third party, and the implementation of adequate measures to ensure the protection of personal data. The DPA finally ordered the company to inform all its directors of the violation and to carry out an extraordinary training activity for all directors of its operating units to ensure the complete application of the company’s security measures.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: other service provider
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2023-01-26
under investigation

On 26 January 2023, the Italian Data Protection Authority (DPA) issued an injunction order against …