The Italian Data Protection Authority imposed a €300.000 fine on the INPS (National Institute for Social Security) because it violated the #GDPR during its investigations into those who applied for the ‘Covid bonus’ (€1.000/mo for certain affected workers).
In particular, the investigations concerned parliamentarians or regional/local public officers 🙈 following a press scandal.
– lawfulness, fairness and transparency: art. 5(1)(a)
It harvested politicians’ data from open sources, then processed and cross-referenced it with those who requested the bonus, without having checked whether or not parliamentarians and regional or local administrators were entitled to this benefit.
– data minimisation: art. 5(1)(c)
The INPS initiated checks aimed at recovering bonuses even on all those subjects whose applications had been rejected for reasons independent of the office held.
– DPIA: art. 35
It hadn’t adequately assessed the risks associated with such delicate processing operations, considering that the vast majority of applicants really needed a social safety net.
– data protection by design and by default (DPbDD, art. 25) and accountability (art. 5(2) and 24)
It hadn’t adequately designed the processing and was unable to demonstrate that it had carried out the checks in compliance with the GDPR.