First GDPR fine issued by Italian Data Protection Authority

May 9, 2019

Italy’s first GDPR fine has been issued by the Garante, the Italian Data Protection Authority. Action was taken due to the failure to implement privacy security measures in the aftermath of a data breach on the “Rousseau” platform. The platform operates the websites of the Movimento 5 Stelle (Five Star Movement) political party.

A number of websites that are affiliated to Movimento 5 Stelle are run, via a data processor, through the Rousseau platform. Following a previous data breach during the summer of 2017, the Garante demanded that numerous security measures be implemented. This was in addition to the obligation to bring the privacy information notice up to date so as to provide additional transparency to the data processing that was being carried out.

In its report, the Garante noted its concerns regarding the Rousseau platform’s performance in implementing the following GDPR compliance measures:

  1. A vulnerability assessment was periodically performed on the platform; however, there were issues concerning the use of software that was no longer being updated by its supplier. This meant that the implementation of patches was proving to be both complicated and time-consuming.

  2. The lack of an adequate system designed to reinforce the passwords used in the creation of accounts and to avoid the risk of brute force attacks.

  3. A need for secure protocols and digital certificates to safeguard data during its transit and minimise the risk of users being drawn to bogus sites.

  4. Solutions aimed at improving the level of security of the storage of passwords were needed. This was because of the weak cryptographic algorithms.

  5. A requirement for auditing measures that would mandate retaining records of the accesses and logs on the database of the Rousseau system to ensure the integrity of data.

The most relevant matter of the dispute appears to have been the failure to adopt adequate measures regulating the storage of log files concerning the activities performed by the platform’s IT support personnel. Some tracking of these activities was possible, but it was incomplete and inadequate. Additionally, there was no system in place for recording the operations.

Moreover, the Garante objected to the fact that system administrators had been using shared accounts with significant privileges in their operation of the platform. This allowed the administrators to access special categories of private personal data, e.g. data on political opinion.

Finally, the Garante also ruled that the security measures designed to anonymize the activities performed through the e-voting system were inadequate.

Based on these findings, the Garante held that there had been a breach of article 32 of the GDPR on the Rousseau platform and it issued a €50,000 fine.

Interestingly, the fine was not issued against Movimento 5 Stelle, the data controller of the platform, but rather against the Rousseau association which is the data processor. In a break with precedent, the data protection authority did not find the data controller liable for the actions performed by the data processor. The judgement recognized that the data processor could be solely liable.

It is important to mention that the proceedings began before the introduction of the GDPR in May 2018. Nonetheless, the Italian data protection authority issued a fine under the GDPR given that the Rousseau platform had failed to adopt the security measures required under an order that had been issued after 25 May 2018. Consequently, similar pending proceedings might face fines under the European Union’s General Data Protection Regulation.


Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection. He is an expert on data privacy and GDPR. You can contact Eoin via LinkedIn.
