Biological samples as personal data: a recent decision by the Italian Data Protection Authority
On 9 October 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) imposed an administrative fine of EUR 70,000 on a healthcare facility in the Milan area in connection with an incident involving the erroneous destruction of biological material. While the case attracted little media attention, it raises a number of issues of considerable legal relevance.
Briefly, a nurse employed by the hospital mistakenly disposed of, immediately after collection, a tissue sample taken from a patient during a surgical procedure and intended for histological examination, thereby irreversibly preventing the examination from being performed.
The patient subsequently lodged a complaint with the Garante, which, following its investigation, initiated enforcement proceedings against the hospital as data controller, alleging breaches of personal data security obligations and failure to notify a personal data breach to the supervisory authority.
In its defence, the hospital argued that the erroneous disposal of the tissue sample was due to a communication failure between the surgeon and the operating-room nurse, amounting to a mere human error and not to any deficiency in the technical or organisational measures adopted to safeguard data integrity.
As regards the failure to notify the incident, the hospital relied on a prospective assessment of the improbability of risks to the rights and freedoms of the data subject. In particular, it pointed to the remedial measures promptly adopted to mitigate the consequences of the impossibility of carrying out the histological examination—namely, informing the patient of the incident, the immediate activation of a radiological follow-up pathway and specialist consultations—as well as to the alleged absence of any potential harm to the confidentiality of personal data, which it considered inherently ensured by the immediate and irreversible destruction of the sample.
The Garante, however, found that these arguments were insufficient to warrant the discontinuation of the proceedings.
Proceeding from the premise that the erroneously disposed sample constituted personal data, and more specifically data concerning health, the Authority first held that the destruction of the material, and the resulting impossibility of performing the histological analysis, amounted to a breach of Articles 5(1)(f) and 32 GDPR, which impose security obligations aimed, inter alia, at ensuring the availability of personal data.
With regard to the failure to notify, the Garante further held that the inability to rely on the results of a histological examination of a non-replicable tissue sample had produced significant adverse effects for the complainant and that the incident therefore met the threshold requiring notification to the supervisory authority.
Taking into account all relevant circumstances, the Authority imposed administrative fines of EUR 50,000 and EUR 20,000 respectively for the two infringements.
It is not known whether the decision has been challenged before the courts.
The most legally significant aspect of the decision lies, however, in the qualification of the biological sample as personal data, a point that was not disputed by the data controller.
At a more general level, the question whether a biological sample as such may qualify as personal data, or whether personal data should instead be limited to the information relating to an individual that may be extracted from such material (including genetic, health-related or biometric data), has been the subject of sustained debate. A study commissioned by the EDPB and published in 2020 acknowledges that, “under data protection legislation, there is additional uncertainty about the precise status of human tissue or body material, more precisely (i) as a source of personal information rather than (ii) personal data itself”.
In essence, several arguments militate against the former position, which may be described as a “functional” approach, according to which biological samples would qualify as personal data in and of themselves.
First, Recital 35 GDPR provides that personal data concerning health include data revealing information about the past, present or future physical or mental health of a data subject, including “information resulting from tests or examinations carried out on a body part or bodily substance, including genetic data and biological samples”. A similar formulation appears in Recital 34 with respect to genetic data.
These provisions appear to refer primarily to the information resulting from tests or examinations, rather than to the biological sample as such.
This interpretation is consistent with the position adopted by the former Article 29 Working Party, which in its Opinion 4/2007 on the concept of personal data observed, with reference to biometric data, that “Human tissue samples (like a blood sample) are themselves sources out of which biometric data are extracted, but they are not biometric data themselves (as for instance a pattern for fingerprints is biometric data, but the finger itself is not). Therefore the extraction of information from the samples is collection of personal data, to which the rules of the Directive apply. The collection, storage and use of tissue samples themselves may be subject to separate sets of rules.”
A similar approach continues to be endorsed by the UK Information Commissioner’s Office, which states that “a genetic sample itself is not personal data until you analyse it to produce some data”, and that even the resulting genetic data qualify as personal data only insofar as they can be linked to an identifiable individual.
That said, denying that a biological sample constitutes personal data as such does not entail denying the need for appropriate security measures surrounding its collection and storage, including measures aimed at protecting personal data. Nor is it accidental that the Italian supervisory authority has issued specific prescriptions in this regard. Moreover, as discussed below, biological samples may qualify as personal data even independently of a functional approach, where they are associated with an identified or identifiable individual. More generally, security measures are inherently preventive in nature and are therefore fully consistent with viewing biological samples as a potential source of special categories of personal data.
In the case at hand, the Garante did not need to engage in complex ontological distinctions between biological material and the personal information that might potentially be extracted from it. The factual circumstances allowed the Authority to adopt a more immediate line of reasoning, observing that “the collection of a sample from a part of the complainant’s body, in the context of a surgical procedure, when associated with her identity, reveals the provision of healthcare services” and therefore constitutes data concerning health.
The focus of the Authority’s reasoning thus lies not on the health-related information potentially contained in the biological sample—although this aspect was relevant for the assessment of the data breach—but rather on the information directly inferable from the association between the sample, the identity of the individual and the circumstances of its collection, all of which were available to the data controller. In substance, the relevant information consisted in the fact that the individual had received healthcare services.
This conclusion is doctrinally sound, given that data relating to the provision of healthcare services are, by definition, data concerning health within the meaning of Article 4(1)(15) GDPR. The same approach had already been adopted in an earlier decision of the Garante in 2023 and has also been endorsed by the Italian Supreme Court (Court of Cassation, judgment No. 8459 of 5 May 2020), which held that a slide containing a biological sample constitutes personal data insofar as it is accompanied by information enabling identification of the individual to whom it belongs.
In light of this case law and regulatory practice, the classification of biological samples as personal data appears, at least within the Italian legal system, to retain practical relevance only in residual scenarios, namely where the sample is held by a party who does not know its origin and does not have means reasonably likely to be used to associate it with an identified individual—for example, irreversibly anonymised samples or samples transferred for research purposes without information on their provenance. It goes without saying that, where unique identifiers such as genetic or biometric data are extracted from such samples, those identifiers must be regarded as personal data.
Finally, the decision is also noteworthy for the divergent assessment of the severity of the consequences of the data breach adopted by the data controller and by the supervisory authority, which led to different conclusions as to the obligation to notify.
Whereas the controller placed primary emphasis on the absence of risks to confidentiality, in particular the impossibility for unauthorised third parties to access personal data as a result of the incident, the Garante focused on the broader spectrum of adverse consequences for the data subject, in this case stemming from the unavailability of the sample for histological examination and diagnosis—consequences that could not be fully offset by the remedial measures adopted by the controller.
This approach is consistent with the GDPR, which does not confine the assessment of adverse effects of a personal data breach to infringements of confidentiality, but extends it to any significant economic or social damage that individuals may suffer, as clarified by Recital 85 GDPR.
Against this background, it is particularly significant that the definitive loss of personal data, even where it precludes any access by unauthorised third parties, is regarded as harmful in itself, constituting a breach of data availability that appropriate security measures are specifically intended to prevent.