GDPR | Apr 17, 2026

Garante per la protezione dei dati personali (Italy) - 10229191

Italian DPA finds airline company violated GDPR by conducting forensic investigation on board chairman's email without

Summary

Italy's data protection authority (Garante) determined that an airline company violated GDPR Articles 5, 6, 12, 13, and 28 by conducting a digital forensics investigation on a former board chairman's Microsoft Exchange, SharePoint, and OneDrive accounts without obtaining informed consent or maintaining a signed data processor agreement. The investigation created a forensic image spanning 21 months (July 2021–March 2023) and violated principles of purpose limitation, data minimisation, and storage limitation. The DPA rejected arguments that seniority or internal policies exempted the controller from GDPR obligations.

Full text

From GDPRhub, latest revision as of 14:48, 17 April 2026.

Facts

The data subject served as chairman of the Board of Directors of an airline company (the controller), having been appointed by the Ministry of Economy and Finance on 18 June 2021. On 10 October 2022, an anonymous letter was delivered to a member of the controller's Board of Directors, containing a printed copy of an email exchange involving the data subject and two other company directors concerning the airline's privatisation process. Following this, the Board of Directors revoked the data subject's operational powers, and the shareholders' meeting subsequently revoked his appointment as chairman entirely. On 16 November 2022, the controller disabled the data subject's corporate email account, though the account remained capable of receiving emails. On 17 November 2022, the controller activated a litigation hold on the account's contents.

The controller then commissioned a processor to conduct a digital forensics investigation. The processor extracted data from the data subject's email account, SharePoint, and OneDrive, creating a forensic image of the data subject's entire Microsoft Exchange database covering the period from at least July 2021 to March 2023 (approximately 21 months), a period that began before the anonymous tip. The processor then applied three keyword-based search criteria, defined by the controller, to the forensic image and produced a final report.

On 24 March 2023, the processor finalised its report, and a copy of the relevant data was retained in its systems for one additional month before being deleted, with only the final report kept. On 8 March 2023, the data subject's email account was permanently deactivated, and on 8 November 2023 it was deleted from the controller's systems, though the email content was retained due to the ongoing litigation hold.

On 6 July 2023, the data subject filed a complaint with the DPA. In its responses to the DPA's requests for information, the controller stated that the processor had produced a draft designation agreement. However, the controller acknowledged that it had been unable to locate a signed copy of that document.

Holding

First, the DPA held that the controller failed to adequately inform the data subject before processing his personal data, in violation of Articles 5(1)(a), 12, and 13 GDPR. The controller argued that its internal privacy notice and IT usage policy had been published on its intranet and were known to the data subject given his role as chairman, pointing out that he had himself attached those documents to his complaint. The DPA rejected this argument. It noted that both documents were expressly directed at employees and collaborators, not board members, and that the controller had confirmed the data subject held a corporate appointment rather than an employment relationship. The controller had therefore not demonstrated that these documents applied to the data subject or that he had received them before the processing commenced.

The DPA further found that, in any event, the processing activities described in those documents were themselves not compliant with GDPR principles, meaning the documents could not have satisfied the requirements of Article 13 GDPR regardless of whether the data subject had seen them. On this basis, the DPA found a violation of Articles 5(1)(a), 12, and 13 GDPR.

Second, the DPA held that the controller violated Articles 6 and 28 GDPR by failing to have a valid data processing agreement in place with the processor. The controller was unable to produce a signed copy of the designation agreement and acknowledged as much during the hearing.

The DPA rejected the controller's argument that the unsigned document constituted a binding arrangement through the parties' conduct, holding that, without a formally executed agreement meeting the requirements of Article 28 GDPR, the processing carried out by the processor on the controller's behalf lacked a lawful basis under Article 6 GDPR.

Third, the DPA found that the digital forensics investigation violated the principles of purpose limitation, data minimisation, and storage limitation under Article 5(1)(b), (c), and (e) G

Entities

Microsoft (vendor)
Microsoft Exchange (technology)
Microsoft eDiscovery/Compliance (technology)
SharePoint (technology)
OneDrive (technology)