Healthcare: the Italian SA sanctions a company that manages a hospital. A patient's tissue sample intended for histological examination was disposed of

Background information

  • Date of final decision: 09 October 2025
  • National case
  • Controller: Humanitas Mirasole s.p.a. 
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing), Article 33 (Notification of a personal data breach to the supervisory authority)
  • Decision: Administrative fine
  • Key words: Administrative fine, Sensitive data, Data security, Health records, Lawfulness of processing, Personal data breach

Summary of the Decision

Origin of the case  

In a hospital, a biological sample taken from a patient, which was to be sent to the pathology laboratory for histological examination, had been disposed of by mistake. The data subject also complained about the loss of a DVD containing an MRI scan performed at another hospital.


Key Findings 

The Italian SA found that the hospital had not adopted specific measures to ensure compliance with the principle of integrity and confidentiality of personal data and security obligations. The incident was caused by a material error due to a lack of communication between the surgeon and the operating theatre nurse. The company that manages the hospital had also failed to report the breach to the SA.

Decision

Given the seriousness of the incident, which exposed the woman to real risks to her health, and considering that the tissue specimen was non-replicable, the Italian SA imposed a fine of 50 000 EUR on the company as the data controller. A second fine of 20 000 EUR was imposed because the company had not notified the Italian SA of the data breach as required by the GDPR, but had merely warned the data subject and initiated the radiological follow-up phase.

For further information: Right of access, the Garante privacy sanctions a bank for 100 thousand euros. Customers can access their own data contained in the recordings of telephone orders
 
