Garante per la protezione dei dati personali (Italy) - 10233328
Italian DPA fines employer €50K for GDPR violations in employee email handling and metadata storage.
Summary
Italy's Data Protection Authority (Garante) issued a €50,000 fine against an employer for multiple GDPR violations related to employee data processing. The violations included unlawfully accessing workplace email contents during subject access requests, retaining inactive employee email account backups for five years without proper transparency, and storing email metadata logs for 12 months beyond what was legally justified under Italian labor law. The DPA clarified that workplace email is protected under Article 8 ECHR and that email backups are unsuitable for document retention as they require invasive sifting through personal communications.
Full text
Overall, the DPA held that the controller violated Articles 5(1), 12, 13, 15, and 88 GDPR as well as Article 114 of the Italian data protection code. The DPA issued a €50,000 fine and ordered the controller to stop the infringements.

On the access request

First of all, the DPA clarified that the right to privacy, as sanctioned by Article 8 ECHR, also covers an individual's workplace email. For this reason, the controller had no grounds to pre-emptively sort out the contents of the data subject's email account.

On these grounds, the DPA held that the controller violated Articles 12 and 15 GDPR.

On the storage of inactive email accounts

As mentioned above, the investigation also touched on the controller's general handling of employees' emails. During the procedure the DPA found that at the end of the employment relationship, the controller would first deactivate the email account and then back it up for five years.

The DPA, however, held that backups of email accounts are not suitable systems for document retention, as they cannot guarantee that documents remain unaltered. Furthermore, the DPA noted that such backups required the controller to sift through employees' personal communication in order to recover documents. In the DPA's eyes, this practice was excessively invasive of employees' privacy.

For these reasons, the DPA held that the controller violated Articles 5(1)(b), (c), and (e) GDPR. The DPA also found that the controller failed to inform employees that their inactive email accounts would be stored for five years, in violation of the controller's transparency obligations under Article 13 GDPR.

On the storage of email metadata

The DPA finally looked into the controller's handling of email metadata. The investigation found that the controller stored metadata logs for 12 months. The controller claimed that the practice was needed both to ensure the security of the company's information system and to defend the controller's rights against "abuses".

The DPA held that the controller retained metadata for too long. Additionally, the DPA held that the controller violated Article 88 GDPR by processing metadata logs for purposes other than those permitted under Italian labor law(!).

On these grounds, the DPA held that the controller violated Articles 5(1) and 88 GDPR as well as Article 114 of the Italian data protection code.

Under Article 4 of the Statute, any system which may result in the remote surveillance of workers must (with narrow exemptions) meet two requirements:
* First, the system must be implemented only for the purposes listed by the Statute itself (namely: organisational and production needs; workplace safety; and the protection of company assets);
* Second, the system requires either an agreement with trade union representatives or an authorization from the National Labor Inspectorate.

Revision as of 09:50, 22 April 2026

Garante per la protezione dei dati personali - 10233328
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(1)(c) GDPR; Article 5(1)(d) GDPR; Article 5(1)(e) GDPR; Article 12 GDPR; Article 13 GDPR; Article 15 GDPR; Article 88 GDPR; Art. 114 d. lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started: 20.06.2023
Decided:
Published:
Fine: 50,000 EUR
Parties: ITAS Mutua S.p.a.
National Case Number/Name: 10233328
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: cci

The DPA fined an insurance company €50,000 for providing a former employee with an incomplete copy of the contents of his email account, and for violations related to the storage of metadata and the handling of inactive email accounts.

Contents
1 English Summary
1.1 Facts
1.2 Holding
1.2.1 On the access request
1.2.2 On the storage of inactive email accounts
1.2.3 On the storage of email metadata
2 Comment
3 Further Resources
4 English Machine Translation of the Decision

English Summary

Facts

The case involves an insurance company (the controller) and a former employee (the data subject). After the end of the employment relationship, the data subject informally asked the controller to access his nominative email. At first,