Garante per la protezione dei dati personali (Italy) - 10229191
Italian DPA fines ITA Airways €190,000 for unlawful personal data processing of former board member.
Summary
Italy's Data Protection Authority (Garante) issued a €190,000 fine to ITA Airways for unlawfully processing personal data of a former Board chairman. The airline failed to provide adequate privacy notices, lacked a valid data processing agreement with a third-party forensics firm, and violated data minimization and storage limitation principles by extracting and retaining excessive email and account data during a litigation hold investigation.
Full text
Garante per la protezione dei dati personali - 10229191 (GDPRhub; latest revision as of 09:40, 13 April 2026)
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(1) GDPR; Article 4(7) GDPR; Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(1)(c) GDPR; Article 5(1)(e) GDPR; Article 5(2) GDPR; Article 6 GDPR; Article 12 GDPR; Article 13 GDPR; Article 28 GDPR; Article 29 GDPR; Article 32 GDPR; Article 58(2) GDPR
Type: Complaint
Outcome: Upheld
Published: 04.03.2026
Fine: 190.000 EUR
Parties: ITA Airways
National Case Number/Name: 10229191
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ligialagev

The DPA fined an airline company €190,000 for unlawfully processing the personal data of a former member of its Board of Directors.

English Summary

Facts
The data subject served as chairman of the Board of Directors of an airline company (the controller), having been appointed by the Ministry of Economy and Finance on 18 June 2021. On 10 October 2022, an anonymous letter was delivered to a member of the controller's Board of Directors, containing a printed copy of an email exchange involving the data subject and two other company directors concerning the airline's privatisation process. Following this, on 20 October 2022, the Board of Directors revoked the data subject's operational powers, and on 16 November 2022, the shareholders' meeting revoked his appointment as chairman entirely.
On 16 November 2022, the controller disabled the data subject's corporate email account, though the account remained capable of receiving emails. On 17 November 2022, the controller activated a litigation hold on the account's contents. On 1 March 2023, the controller commissioned a third-party digital forensics firm to conduct an investigation. Using administrative credentials, the controller's IT contact accessed Microsoft's eDiscovery/Compliance portal and extracted data from the data subject's email account, SharePoint, and OneDrive. The forensics firm created a forensic image of the data subject's entire Microsoft Exchange database, covering the period from at least July 2021 to 1 March 2023 (approximately 21 months). The forensics firm then applied three keyword-based search criteria, defined by the controller, to the forensic image. On 24 March 2023, the forensics firm finalised its report, and a copy of the relevant data was retained in its systems for one additional month before being deleted, with only the final report kept.

On 8 March 2023, the data subject's email account was permanently deactivated, and on 8 November 2023 it was deleted from the controller's systems, though the email content was retained due to the ongoing litigation hold. On 6 July 2023, the data subject filed a complaint with the DPA. In its responses to the DPA's requests for information, the controller stated that the forensics firm had been engaged as a data processor pursuant to Article 28 GDPR and produced a draft designation agreement. However, the controller acknowledged that it had been unable to locate a signed copy of that document.

Holding
First, the DPA held that the controller failed to adequately inform the data subject before processing his personal data, in violation of Articles 5(1)(a), 12, and 13 GDPR.
The controller argued that its internal privacy notice and IT usage policy had been published on its intranet and were known to the data subject given his role as chairman, pointing out that he had himself attached those documents to his complaint. The DPA rejected this argument. It noted that both documents were expressly directed at employees and collaborators, not board members, and that the controller had confirmed the data subject held a corporate appointment rather than an employment relationship. The controller had therefore not demonstrated that these documents applied to the data subject or that he had received them before the processing commenced. The DPA further found that, in any event, the processing activities described in those documents were themselves not compliant with GDPR principles, meaning the documents could not have satisfied the requirements of Article 13 GDPR regardless of whether the data subject had seen them. On this basis, the DPA found a violation of Articles 5(1)(a), 12, and 13 GDPR.

Second, the DPA held that the controller violated Articles 6 and 28 GDPR by failing to have a valid data processing agreement in place with the third-party digital forensics firm. The controller was unable to produce a signed copy of the designation agreement and acknowledged as much during the hearing. The DPA rejected the controller's argument that the unsigned document constituted a binding arrangement through the parties' conduct, holding that, without a formally executed agreement meeting the requirements of Article 28 GDPR, the processing carried out by the forensics firm on the controller's behalf lacked a lawful basis under Article 6 GDPR.

Third, the DPA found that the digital forensics investigation violated the principles of purpose limitation, data minimisation, and storage limitation under Article 5(1)(b), (c), and (e) GDPR.
The forensic image covered the data subject's entire Microsoft Exchange database from the creation of his account (at least July 2021) to 1 March 2023, encompassing data from well before the anonymous tip was received on 10 October 2022. The controller argued that applying specific keyword searches to the forensic image after its creation was sufficient to comply with the minimisation principle. The DPA rejected this, holding that the access to and extraction of the entire database already constituted a processing operation in its own right, and that the subsequent filtering did not cure the initial over-collection. The DPA also dismissed the controller's argument that the data subject's seniority justified departing from ordinary data protection rules, emphasising that holding a senior corporate role does not extinguish an individual's right to data protection.

On these grounds, the DPA imposed a fine of €190,000 on the controller and ordered it to cease processing the data contained in the database, except insofar as strictly necessary for the purposes of judicial defence.

English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10229191]

Measure of March 4, 2026
Register of Measures no. 151 of March 4, 2026

THE ITALIAN DATA PROTECTION AUTHORITY

IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Members, and Councillor Luigi Montuori, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter the "Code");

HAVING SEEN the complaint filed by Mr. XX pursuant to Article 77 of the Regulation against Italia Trasporto Aereo S.p.A.;

HAVING EXAMINED the documentation in the file;

HAVING SEEN the observations made by