🚨🇮🇹 Hard Drive Failure + Ignored Access Request = €2,000 Fine for Tirrenia Hospital Srl 🚑💾
Regulator: GPDP (Italian DPA)
Decision: 10139193, April 29, 2025
A patient submitted an access request (Art. 15 GDPR) via certified email (PEC)… but a hard drive crashed.
Result: the email inbox became inaccessible, the request wasn’t read within the legal timeframe (Art. 12 GDPR), and the patient escalated the matter to the Italian DPA (Garante).
💥 What did the Garante find?
- ❌ No reply within one month → violation of Art. 12 + 15
- ⚠️ Lack of preventive measures → negligence
- 🙅 “Good faith” argument rejected: the technical failure could have been avoided through standard diligence (backups, webmail access, recovery plans)
💸 Sanction
€2,000 administrative fine
(Reduced due to: isolated incident, short delay, and immediate compliance afterward)
✅ Corrective Measures Implemented
1️⃣ Mail client now linked directly to the webmail (no more local PEC downloads)
2️⃣ Staff awareness + GDPR procedure reminders
3️⃣ Regular backup checks & disk redundancy review
📌 Key Lesson
Access to GDPR requests must be continuous.
A simple technical failure is not a valid excuse for delay.
Anticipate your Plan B (webmail, redundancy, monitoring) — or risk the fine.