Details:
| Summary | The Italian DPA has imposed a fine of EUR 20,000 on the Region of Lombardy. In the context of the sale of company shares held by the region, personal data of employees of the companies were unlawfully disclosed. Employees discovered that when they entered their first name and surname in a search engine, a link appeared to the draft contract between the Region and the acquiring company, containing personal data such as income information, employment information, etc. of employees. |
| Link: | link |
| Related articles: | Art.5 GDPR, Art. 6 (1) c), e) GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy |
| Type: | Insufficient legal basis for data processing |
| Fine: | EUR 20,000 |
| Sector | Public Sector and Education |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/