The Italian DPA announces EUR 300,000 fine for unlawful processing of data in the context of handling COVID-19 bonuses


On 9 March 2021, the Italian DPA (“Garante”) announced a fine of EUR 300,000 was imposed against the National Institute of Social Security (“INPS”) for failure to comply with data protection requirements in the context of the checks carried out by INPS regarding those who applied for COVID-19 bonuses.
In particular, Garante identified non-compliance with the lawfulness, transparency, accuracy, and accountability principles under GDPR, as well as with the requirement to carry out a data protection impact assessment.
The press release may be accessed here, and the decision here (both available only in Italian).