Naples police fined for illegal processing of sensitive data

Italy’s data protection authority (Garante) has imposed a fine of €12,000 following a complaint from a trade union organisation. The Naples Police Department collected names, addresses and mobile phone numbers from its employees in the context of SARS-CoV-2 virus infection, leading to the collection of sensitive data and identification of individuals tested for coronavirus. This data was then shared with the Naples Health Department.

Garante stated that, in the context of collecting personal data related to the prevention of the spread of SARS-CoV-2 among officers, the Police cannot collect data directly from the individuals concerned, even with the consent of the employees. This is due to the impossibility of considering the consent of employees as a valid legal premise to justify the processing of personal data due to the imbalance of power between employer and employee, especially when the employer is a public authority.