The Italian Data Protection Authority, Garante Privacy, continues to be rigorous in its enforcement actions against non-compliance issues within data protection. Recently, the authority imposed a significant fine of 678,897 euros on Illumia Spa, a utility provider, for unlawful promotional practices that breached personal data regulations. This enforcement is part of the ongoing crackdown on unsolicited telemarketing, a persistent issue affecting consumers’ privacy rights.
Key Takeaways:
– Violation Scope and Penalties: Illumia was found to lack an adequate legal basis for making promotional calls, to exercise insufficient control over its telemarketing chain, and to have been late in implementing appropriate technical and organizational measures as required by the EU Regulation. Given these infractions and the extent of the violations, Garante Privacy considered the substantial penalty justified, taking into account Illumia’s revenue and the extensive network of agencies involved.
– Guidelines on Health Certificates: In another significant decision, the authority penalized a healthcare company 17,000 euros for mishandling employee absence certificates. Health-related data, including the specific department or doctor’s specialization, were improperly disclosed, violating the principles of data minimization and privacy by design. Organizations are reminded that such data must be limited to what is strictly necessary for the intended purpose.
– Clinics’ Patient Data Access: Garante Privacy has published FAQs concerning the accessibility of personal data in medical records. Following complaints regarding denied free access to the first copy of such records, the authority reiterated that healthcare entities must provide it at no charge, ensuring transparency and correctness of data as stipulated by the Court of Justice of the European Union.
– Data Breach Enforcement: A university hospital faced a 25,000 euro penalty after a ransomware attack exposed deficiencies in system security. Outdated software and inadequate alert systems were a significant part of the problem. This case underlines the necessity for healthcare institutions to uphold robust cybersecurity standards, including updated software, 24/7 alert systems, and multi-factor authentication to mitigate potential data breaches.
The Garante’s actions underscore the critical importance of maintaining strict compliance with data protection regulations across industries. Data protection officers, legal practitioners, and compliance experts should take these cases as a reminder to routinely audit and enhance their organizational data privacy and security measures to avoid regulatory repercussions.
For further information, visit the original source at [Garante Privacy](https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10086101).