Categories: Insights, Case Law

Tag: compliance, GDPR, protezione dei dati personali


30 Sep 2020

Failure to take the measures provided for under the GDPR is comparable to the “fault on the organisation’s side” under Legislative Decree No. 231/2001

The Court of Cassation, with order No. 18292 issued on 3 September 2020, has pointed out that failure to arrange the relevant technical and organisational measures safeguarding the protection of the personal data of the data subject is comparable to the organisational fault linked to the failure to adopt an organisational model pursuant to Legislative Decree No. 231/2001.

The facts of the case

In the case at issue, a local authority lodged an appeal before the Court of Cassation against an injunction order of the Italian Data Protection Authority with which a sanction had been inflicted thereto for having published the personal data of one of its civil servants beyond the 15 day term provided for under article 124 TUEL (“Local Authorities Consolidation Act”) in the online municipal notice board.

Indeed, it was ascertained that the City had kept some decisions visible for more than one year, from which the following were clear (i) name and surname of the data subject, (ii) existence of litigation between the data subject and the City, (iii) family certificate and (iv) the circumstances that the data subject lived by herself, had made a request for paying the amount due by instalments and that the request had not been accepted.

To back its own position, the City objected that the fault for the failure to cancel the data of the data subject from the online municipal city board needed to be attributed to an outside consultant who had been instructed to configure the Internet Website in compliance with the laws and regulations currently in force.

The decision of the Court of Cassation

In rejecting the appeal, the Court of Cassation clarified that the employee’s data did not concern any “aspect of the organisation”, they did not amount to “indicators concerning the operating trend and the use of resources”, nor did they even represent “results of the activity related to the measurement and assessment carried out by the competent bodies”. Therefore, the respective publication beyond the term fixed by law could not be deemed to be lawful.

Then, in so far as the liability of the outside consultant is concerned, the Court of Cassation has specified that the Data Controller, pursuant to article 4 of Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “GDPR”) is the legal entity and not the legal representative or the director, therefore, standalone liability precisely on the legal entity’s side takes shape. This liability, the judges carry on, must be understood as “fault on the organisation’s side”, that is “reprimand arising out of the breach by the authority of the obligation to take the necessary organisational and operating precautions to prevent the perpetration of the breaches of the law”, “just like under Legislative Decree No. 231/2001 on liability of entities arising out of crime”.

In light of the foregoing, the Court of Cassation reached the conclusion that the delay in removing the published data from the online municipal notice board is “may be fully traced back to the scope of authority of the Entity and of its own apparatus”.

Conclusions

With the order under examination, the Court of Cassation finds an important similarity between the subject matter of the protection of personal data and that of liability of entities arising out of crime, by precisely comparing and making the failure to adopt adequate technical and organisational measures (under article 32 GDPR) equal to the so-called “fault on the organisation’s side” foreseen by Legislative Decree No. 231/2001.

Others Insights related:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…