Human error is the data controller's responsibility

The Italian Data Protection Authority ("Garante"), in its 28 April 2022 injunction, imposed a €50,000 fine on the National Institute for Insurance against Accidents at Work ("INAIL" or the "Institute") after three computer incidents. These incidents allowed users to access data relating to other people.
INAIL, in its capacity as data controller, had notified the Data Protection Authority, under art. 33 of the EU Regulation on personal data protection (the "Regulation"), of three personal data breaches that occurred between 2019 and 2020. These breaches concerned the online service "Sportello Virtuale Lavoratori" (Virtual Workers' Desk), which allows employees who have suffered an accident or are victims of occupational illnesses to view the progress of their files and the measures issued by the Institute. The investigation initiated by the Data Protection Authority revealed that the "Sportello Virtuale Lavoratori" allowed some workers to accidentally consult the files of other workers and view their personal information (e.g. first name, surname) and data relating to their health status ("sensitive data"). It was verified that one of the three reported violations was caused by a "human error" which, as stated in the order, "is the data controller's responsibility."
Continue reading the full version published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.