GDPR | Apr 22, 2026

Garante per la protezione dei dati personali (Italy) - 10229191

Italian DPA fines airline €190,000 for unlawful digital forensics on former board member.

Summary

Italy's Data Protection Authority (Garante) fined ITA Airways €190,000 for unlawfully processing the personal data of a former Board member during a digital forensics investigation tied to the airline's privatization. The airline commissioned a processor to image and keyword-search the executive's email, SharePoint, and OneDrive data covering roughly 21 months. The Garante found that this processing had no valid legal basis, that the data subject had not been adequately informed beforehand (Articles 12 and 13 GDPR), and that no signed Article 28 data processing agreement existed between the airline and the processor.

Full text

Garante per la protezione dei dati personali - 10229191 (GDPRhub, latest revision as of 08:07, 22 April 2026)

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(1) GDPR, Article 4(7) GDPR, Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 5(2) GDPR, Article 6 GDPR, Article 12 GDPR, Article 13 GDPR, Article 28 GDPR, Article 29 GDPR, Article 32 GDPR, Article 58(2) GDPR
Type: Complaint
Outcome: Upheld
Published: 04.03.2026
Fine: 190,000 EUR
Parties: ITA Airways
National Case Number/Name: 10229191
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ligialagev

The DPA fined an airline company €190,000 for unlawfully and excessively processing the personal data of a former member of its Board of Directors when performing a digital forensics investigation connected to the airline's privatisation process.

English Summary

Facts

The data subject served as chairman of the Board of Directors of an airline company (the controller), having been appointed by the Ministry of Economy and Finance on 18 June 2021. On 10 October 2022, an anonymous letter was delivered to a member of the controller's Board of Directors, containing a printed copy of an email exchange involving the data subject and two other company directors concerning the airline's privatisation process. Following this, the Board of Directors revoked the data subject's operational powers, and the shareholders' meeting subsequently revoked his appointment as chairman entirely.

The controller then commissioned a processor to conduct a digital forensics investigation. The processor extracted data from the data subject's email account, SharePoint, and OneDrive, creating a forensic image of the data subject's entire Microsoft Exchange database covering approximately 21 months, from at least July 2021 (well before the anonymous tip) to March 2023. The processor then applied three keyword-based search criteria, defined by the controller, to the forensic image and produced a final report.

On 6 July 2023, the data subject filed a complaint with the DPA. In its responses to the DPA's requests for information, the controller stated that the processor had been engaged under a processing agreement pursuant to Article 28 GDPR, but acknowledged that it had been unable to locate a signed copy of that document.

Holding

First, the DPA held that the controller failed to adequately inform the data subject before processing his personal data, in violation of Articles 5(1)(a), 12, and 13 GDPR. The controller argued that its internal privacy notice and IT usage policy had been published on its intranet and were known to the data subject given his role as chairman, pointing out that he had himself attached those documents [...] The controller had therefore not demonstrated that these documents applied to the data subject or that he had received them before the processing started. The DPA further found that, in any event, the processing activities described in those documents were themselves not compliant with GDPR principles, meaning the documents could not have satisfied the requirements of Article 13 GDPR regardless of whether the data subject had seen them. On this basis, the DPA found a violation of Articles 5(1)(a), 12, and 13 GDPR.

Second, the DPA held that the controller violated Articles 6 and 28 GDPR by failing to have a valid data processing agreement in place with the processor. The controller was unable to produce a signed copy of the processing agreement and acknowledged as much during the hearing. The DPA rejected the controller's argument that the unsigned document constituted a binding arrangement through the parties' conduct, holding that, without a formally executed agreement meeting the requirements of Article 28 GDPR, the processing carried out by the processor on the controller's behalf lacked a lawful basis under Article 6 GDPR.
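The decision faults the scope of the collection (an image of the entire Exchange database over roughly 21 months, searched afterwards with three controller-defined keywords) rather than the idea of a forensic search as such. It does not say which tooling the processor used. As an added illustration, not taken from the decision, GDPRhub or the processor, the following PowerShell shows how the same kind of mail, SharePoint and OneDrive search can be scoped at collection time in Microsoft 365 with the built-in compliance search cmdlets, so that only the custodian, date window and terms relevant to the matter are touched and the criteria are recorded on the search object. Every concrete value (the tenant and custodian names, the OneDrive URL, the dates and the three search terms) is an assumption chosen for the example; the real decision discloses none of them.

```powershell
# Added example, not the processor's method: scope a Microsoft 365 collection
# to the matter instead of imaging the custodian's whole mailbox.
# Requires the ExchangeOnlineManagement module and an eDiscovery role.
# Tenant, custodian address, OneDrive URL, dates and terms are placeholders.

Connect-IPPSSession -UserPrincipalName 'ediscovery-admin@contoso.com'

# Over-broad form to avoid: with no content query every item the custodian
# ever held is in scope, which is the equivalent of the full-database image.
#   New-ComplianceSearch -Name 'Matter-2022-10-broad' `
#       -ExchangeLocation 'former.chair@contoso.com' -SharePointLocation 'https://contoso-my.sharepoint.com/personal/former_chair_contoso_com'

$custodian   = 'former.chair@contoso.com'                                          # placeholder
$oneDriveUrl = 'https://contoso-my.sharepoint.com/personal/former_chair_contoso_com' # placeholder

# Date window tied to the event under investigation (placeholder dates) and
# the controller-defined terms (placeholders; the decision does not list them).
$from  = '2022-09-01'
$to    = '2022-10-10'
$terms = '("term one" OR "term two" OR "term three")'

# KQL date properties differ per workload: 'received' for mail items,
# 'lastmodifiedtime' for SharePoint and OneDrive documents.
$mailQuery  = "$terms AND received>=$from AND received<=$to"
$filesQuery = "$terms AND lastmodifiedtime>=$from AND lastmodifiedtime<=$to"

# Record the legal basis and the scope decision on the search itself, which
# gives a minimal accountability trail (Article 5(2)). Angle-bracket fields
# are placeholders to be filled from the matter file.
$desc = "Matter 2022-10; basis: <signed DPA ref, board resolution ref>; window $from..$to; terms fixed by controller on <date>"

# One search per workload so each uses the correct date property.
# AllowNotFoundExchangeLocationsEnabled lets the search reach an inactive
# mailbox of a departed custodian without widening the location list.
New-ComplianceSearch -Name 'Matter-2022-10-mail' -Description $desc `
    -ExchangeLocation $custodian -ContentMatchQuery $mailQuery `
    -AllowNotFoundExchangeLocationsEnabled $true

New-ComplianceSearch -Name 'Matter-2022-10-files' -Description $desc `
    -SharePointLocation $oneDriveUrl -ContentMatchQuery $filesQuery

Start-ComplianceSearch -Identity 'Matter-2022-10-mail'
Start-ComplianceSearch -Identity 'Matter-2022-10-files'

# Review the estimate (item count, size) before any export is authorised. A
# hit count far beyond what the window should contain means the terms are too
# loose and the scope must be narrowed before anything is pulled.
Get-ComplianceSearch | Where-Object { $_.Name -like 'Matter-2022-10-*' } |
    Select-Object Name, Status, Items, Size
```

The point of the two-search layout is that each filter is applied at collection time by the platform, so the processor never receives the 21 months of data the decision objected to; the estimate step gives the controller a documented moment to check proportionality before an export is created, and the description field ties the search to the executed Article 28 agreement the airline in this case could not produce.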

Entities

Microsoft (vendor), Microsoft Exchange (product), SharePoint (product), OneDrive (product), ITA Airways (vendor)