The Italian supervisory authority (Garante) has fined medical centre Camedi S.R.L. €10,000 for violating the GDPR, following a complaint.
The Garante received a complaint from a Camedi patient who explained that he received periodic SMS reminders for medical examinations that he had never requested, and also found invoices on his tax return, issued to his tax code, for services that had never been provided to him. The patient indicated that he had repeatedly asked Camedi to resolve the problem, to no avail.
The Garante found that Camedi had mixed up the details of two patients with the same name in its database, resulting in the misattribution of the tax code and residential address when delivering certain invoices and sending automated SMS messages to the complainant instead of to the patient to whom they were addressed.
The Garante found that Camedi processed the data in breach, of the principles of accuracy, integrity, and confidentiality, by failing to record the data correctly in its database, and thus in breach of Articles 5(1)(d) and 5(1)(f) of the GDPR. Camedi processed health data without an adequate legal basis, in breach of Article 9 of the GDPR. Camedi, by disclosing personal health data to an unauthorised third party, breached Article 32 of the GDPR.
In light of the breaches found, the Garante imposed a fine of €10,000 on Camedi.