DATA PROTECTION | The Italian DPA on GDPR and Wikipedia

On 9 May 2024, the Italian Data Protection Authority (DPA) issued a decision ruling that the processing of personal data carried out by Wikipedia, provided by a US-based nonprofit, falls under the scope of the GDPR. The decision arose from a complaint from an individual requesting the deletion of a biographical article regarding his judicial proceedings. Wikipedia argued that it was not established in the EU and did not offer a service to EU users, as it was a neutral host hosting information about “noteworthy” people. The DPA ruled instead that the service falls within the scope of the GDPR because a large number of its articles are aimed directly at the EU market or individuals from Member States. Indeed, the DPA noted that activities supporting and developing Wikipedia’s structure, such as content creation, verification of the adherence to guidelines and fundraising, are also conducted by users within the EU. Finally, the DPA rejected the request for deletion, stating that the processing of personal data for journalistic purposes is lawful if it respects the rights and dignity of individuals and the principle of essentiality of information. It also found it legitimate for the article to remain in the Wikipedia archive, recognising the importance of archives for the historical reconstruction of events.

Newsletter n. 97 – June 2024