Garante per la protezione dei dati personali (Italy) - 10230206
Italy's DPA fines two airlines €1.25M for unlawful employee data sharing during asset sale.
Summary
The Italian Data Protection Authority (Garante) issued a €1.25M penalty against Alitalia and ITA Airways for unlawfully sharing employee personal data during an asset transfer without proper legal basis or transparency. The violation included failure to respond to data subject access requests and unauthorized processing of employee records shared between the two airlines. The enforcement action addresses both the unlawful data transfer and breaches of transparency and access rights under GDPR.
Full text
Help Garante per la protezione dei dati personali (Italy) - 10230206: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 09:39, 25 March 2026 view sourceMba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators888 editsm Tag: Visual edit← Older edit Latest revision as of 10:29, 25 March 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators526 editsmTag: Visual edit Line 11: Line 11: |Original_Source_Name_1=GPDP|Original_Source_Name_1=GPDP |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10230206|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10230206 |Original_Source_Language_1=Italian|Original_Source_Language_1=Italian |Original_Source_Language__Code_1=IT|Original_Source_Language__Code_1=IT Line 73: Line 73: }}}} The DPA fined two airline companies a total of €1.25M for unlawfully sharing employees' data between them in the context of a sale of assets, and for violations related to transparency and access rights.The DPA fined two airline companies a total of €1,250,000 for unlawfully sharing employees' data between them after one airline purchased assets from the other. Further, the DPA found transparency violations connected to the shared data. == English Summary ==== English Summary == Line 151: Line 151: <pre><pre> Measure of March 4, 2026 [10230206] Provision of March 4, 2026 [web doc. no. 10230206] Register of measures No. 152 of March 4, 2026 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA At today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia, members, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter, the “Regulation”); HAVING REGARD TO the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter referred to as the "Code"); HAVING REGARD TO the report submitted by Mr. XX against Italia Trasporto Aereo S.p.A. and Alitalia Società Aerea Italiana S.p.A. in A.S.; HAVING EXAMINED the documentation in the case file; HAVING REGARD TO the observations made by the Secretary General pursuant to Article 15 of the Garante's Regulation No. 1/2000; REPORTER: Dr. Agostino Ghiglia; PREMISED 1. The complaint against the companies and the preliminary investigation. On July 18, 2023, Mr. XX filed a report, pursuant to Article 144 of the Code, against Alitalia Società Aerea Italiana S.p.A. in A.S. (hereinafter, Alitalia) and Italia Trasporto Aereo (hereinafter, Ita) alleging violations of the Regulation and, in particular, with regard to Ita, the failure to respond appropriately to the request for access to data submitted by the complainant on June 17, 2023, as well as Ita's processing of Alitalia employee data, communicated by the latter, in violation of data protection regulations and, with regard to Alitalia, the failure to respond to the request for access to data submitted by the complainant on June 17, 2023, as well as the communication of Alitalia employee data to Ita in violation of data protection regulations. Considering the uniqueness of the report submitted to the Authority and the conduct complained of therein, the Authority adopts a single measure against the two companies, without prejudice the assessments regarding the responsibilities that have been adequately distinguished. On March 22, 2024, ITA, following the Office's request for information on February 13, 2024, sent its response and on that occasion stated that: "the Whistleblower [...] was an employee of Alitalia and legal representative of the trade union [...] and, in the latter capacity, was the author of several reports and other types of requests addressed to various institutions and authorities, aimed at obtaining a different classification of the contract for the sale of assets and contracts between Alitalia Società Aerea Italiana S.p.A. in A.S. (hereinafter, 'Alitalia SAI') and Alitalia Cityliner S.p.A. in A.S. on the one hand, and ITA on the other, dated October 14, 2021 (hereinafter, the 'Transfer')" (see note 22/03/2024 cited above, p. 1); "According to a specious interpretation of the agreement just mentioned [...] the Transfer would be a simulation of a genuine contract for the transfer of a business unit" (see note cited, p. 1); "also through the use of personal data protection legislation, attempts have been made and are still being made to obtain information useful for this purpose. This would, in fact, give rise to the need to apply Article 2112 of the Italian Civil Code and all the guarantees provided for therein, with particular regard to the continuation of the employment relationship with the transferee and the related preservation of all the rights deriving therefrom" (see note cited, pp. 1, 2); "the parties who signed the Transfer Agreement were able to negotiate very little with regard to the title, subject matter, and form of the legal transaction in question. This was noted in the regulations that established ITA (decree of the Minister of Economy and Finance in agreement with the Minister of Infrastructure and Transport, the Minister of Economic Development and the Minister of Labor and Social Policies of October 9, 2020, pursuant to and for the purposes of Article 79 of Decree Law No. 18 of March 17, 2020, converted, with amendments, by Law No. 27 of April 24, 2020, as amended by Article 202 of Decree Law N o . 34 of May 19 May 2020, converted, with amendments, by Law No. 77 of July 17, 2020, and Article 87 of Decree Law No. 104 of August 14, 2020) and the decision of the European Commission referred to in Article 79, paragraph 4-bis of Decree Law No. 18 of 2020, which provided for amendments and additions to the business plan initially formulated by the Company" (see note cited, p. 2); "it is also necessary to take into account the timing with which Alitalia ceased operations and ITA began operations" (see note cited, p. 2); "The need to quickly start the Company's operations was a critical factor in October 2021. ITA had only obtained the European Commission's approval for the transaction on October 10, 2021, and the start of flights was scheduled for October 15, 2021. In just five days, therefore, ITA had to urgently recruit a large pool of highly qualified resources to ensure the immediate operational readiness of the Company and to cope with the peak in activity expected during the Christmas period, which would begin immediately after the start of flight operations. Added to this was the duty to fulfill the tasks of guaranteeing a public service, having to ensure the free movement of persons as a higher necessity, which is also constitutionally guaranteed (see note cited above, p. 2). "the speed of the recruitment process also met the central requirement of social protection for those workers whom ITA hired from scratch from the Alitalia SAI pool and who, when applying, expressed their unequivocal willingness to participate in the selection process launched by the Company in its start-up phase" (see note cited, pp. 2, 3); "In such a context, therefore, the need arose to draw on a pool of candidates with specific characteristics. ITA needed to acquire qualified resources with regard to the aviation sector, also taking into account the related requirements in terms of qualifications, certifications, and knowledge of operating procedures" (see note cited above, p. 3); "For the purposes described above, as of August 26, 2021, through the portal called CV