In July 2022, the Italian Data Protection Authority (DPA) issued a €45,000 fine against the US company Senseonics Inc. for breach of the GDPR. More precisely, the company, which markets a glucose monitoring system for patients suffering from diabetes, sent an informational email to approximately 2,000 recipients (Italian patients), mistakenly entering their addresses in the CC field instead of the BCC field. As a result, the company decided to report the data breach to the Italian DPA under Article 33 GDPR; this report led to the opening of an investigation and the application of a sanction. The fact itself (CC’ing recipients instead of using BCC) is not particularly noteworthy (although it would be interesting to know exactly how much training had been given to the employee who made the mistake). What is really interesting is how the investigation developed and the many elements that emerged from it, along with the resulting directions from the Data Protection Authority.