Garante per la protezione dei dati personali (Italy) - 10053224

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 13 GDPR
Article 88 GDPR
Article 114 of Italian Data Protection Code (Codice in materia di protezione dei dati personali)
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.07.2024
Published:
Fine: 80,000 EUR
Parties: Selectra S.p.A.
National Case Number/Name: 10053224
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (Italy) (in IT)
Initial Contributor: wp

The DPA fined a controller €80,000 for accessing a former employee’s mailbox data to investigate suspected exfiltration of business secrets.

English Summary

Facts

An individual (a data subject) ceased a cooperation, as commercial agent, with Selectra S.p.A. (a controller).

The data subject filed a complaint with the Italian DPA (Garante). They argued that the controller had kept the data subject’s business email account active and had accessed its content.

In response, the controller explained that it had not accessed the mailbox during the ongoing employment relationship. The mailbox backup was carried out automatically and the backup data was, by default, stored for three years after the termination of the employment or collaboration relationship. In the case at hand, the controller decided to investigate suspected exfiltration of business secrets by employees, including the data subject. The controller outsourced that task to a third party, which was to issue an expert opinion; the third party then accessed the backup data. The data subject was also involved in court proceedings for the alleged violation of the controller’s business secrets. Lastly, the controller indicated that the email mailbox had been deactivated and that it had also stopped using the backup software.

Holding

The DPA upheld the complaint.

The controller failed to inform the data subject about the retention period of the backup data. This information was provided to the DPA during the proceedings, but was not included in the internal procedures. Furthermore, the internal procedure also lacked information about potential investigations of emails, backups or other data/devices and the reasons for which they could be carried out. As a result, the controller violated Article 5(1)(a) GDPR and Article 13 GDPR.

Additionally, the controller did not justify the reasons for storing the email backup for three years after employment termination, or the email access logs for 6 months. For the DPA, it was apparent that the data stored in the backup system were used not only for the purpose of IT security, as the case at hand showed. The DPA found that such conduct was neither proportionate nor necessary for the stated processing purpose. The controller therefore violated Article 5(1)(a) GDPR, Article 5(1)(c) GDPR and Article 5(1)(e) GDPR.

Moreover, the controller violated Article 114 of the Italian Data Protection Code (Codice in materia di protezione dei dati personali) in conjunction with Article 88 GDPR. This was because the software used to back up the data allowed the controller to monitor employees’ activity, and none of the safeguards required by Article 114 were in place (for example, an agreement with the workers’ representatives).

Consequently, the controller was fined €80,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10053224]

Provision of 17 July 2024

Register of provisions
no. 472 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING SEEN the complaint submitted by Mr. XX pursuant to art. 77 of the Regulation, in which he complained about the unlawful processing of personal data by Selectra S.p.A.;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint submitted to the Authority and the start of the investigation.

With the complaint filed on 28/12/2021, Mr. XX complained of a violation of the personal data protection regulations implemented by Selectra S.p.A. (hereinafter “the Company”), with which he had a collaborative relationship as a commercial agent.

In particular, the complainant represented that, following the termination of the collaborative relationship on 24/02/2021, the Company had kept the individualized company email account assigned to him during the collaborative relationship (“XX”) active, accessing the content of all correspondence in transit on the aforementioned account which, in fact, was produced during a proceeding initiated before the Court of Venice.

With a note dated 14/03/2022, the Office formulated a request for information to the Company, pursuant to art. 157 of the Code, in order to acquire useful elements of evaluation regarding what was represented in the complaint.

The Company provided feedback with a note dated 13/04/2022 and, on that occasion, specified that:

- “Selectra has never accessed the [email] mailbox used by the complainant during the duration of the employment relationship”;

- “Selectra periodically performs a backup of the company email boxes, using the MailStore software. The execution of the backup in question does not require any access by company personnel, since it is performed automatically by the MailStore software. The backup of each company email box is kept for a maximum period of three years, after the termination of any employment or collaboration relationship”;

- “has initiated legal action against the current complainant and other individuals, […], following well-founded suspicions of theft of company secrets and further illicit acts perpetrated by the [complainant]”;

- “in order to protect its corporate secrets, Selectra has mandated the forensic engineering firm XX […] to carry out an expert assessment with the aim, among other things, of ascertaining any phenomena of exfiltration of secret corporate data by the [complainant], during the period of validity of the employment relationship”;

- “within this mandate, the XX firm acquired a forensic copy of the backup of the corporate email account [assigned to the complainant], directly from the MailStore application”;

- “the corporate email account [assigned to the complainant] was deactivated within three days following 05 March 2021, the date on which Selectra sent a specific directive to the IT department”;

- “the current status of the account is […] inactive”;

- “Selectra provided the [complainant] with a copy of the Privacy Policy and the company regulations on 15 March 2019”.

A copy of the “Information for external collaborators/representatives, also for sensitive/particular data pursuant to art. 13 of European Regulation 679/2016” and the document concerning “Equipment used by the worker to perform the work and the tools for recording access and attendance” were produced in the documents, both delivered to the complainant and signed by him on 15/03/2019.

In particular, the document “Equipment used by the worker to perform the work and the tools for recording access and attendance” specified that:

- “in the event of cessation of work activity or absence, [the Company reserves the right to] access the mailbox used during the employment relationship, to allow continuity of work (…)”;

- “the IT system records its accesses to the email boxes and to the management system, constantly processing log reports that are stored by the system for a period of at least 6 months”;

- “For the purposes of confidentiality protection, the undersigned informs pursuant to art. 13 of Eur. reg. 679/2016 and art. 4 of Law 300/1970 (Workers' Statute) that the tools described above are all potentially suitable for implementing remote monitoring of your work performance”;

- "in the event that it deems it strictly useful and/or strictly necessary, it may carry out random checks aimed at ascertaining the correctness of the service, as well as it may carry out checks aimed at verifying the regular use of the tools provided and the related systems and their regular functioning, also through tests with the warning referred to in art. 4 of Law 300/1970 (…) and that the information collected pursuant to paragraphs 1 and 2, art. 4, Law 300 of 20 May 1970, deriving from the tools to provide the service, will be used for all purposes related to the employment relationship (including sanctioning procedures)".

- "the processing carried out by Selectra [has] taken place in compliance with the principles of relevance and non-excess of data. The legal basis of the processing is given by Selectra's right to protect its rights in the face of a well-founded suspicion of massive theft of its data (including trade secrets and databases) […]";

- the Company “promptly deactivated the complainant’s email inbox, without ever accessing it directly, and stored the data and allowed an external consulting firm to examine it, exactly within the limits of the information provided to the complainant, with the methods […] indicated in the company regulations”.

2. The initiation of the procedure for the adoption of the Authority’s corrective measures.

On the basis of the statements made and the documentation produced during the investigation, the Office notified the Company of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code for the violation of arts. 5, par. 1, letters a), c) and e), 13 and 88 of the Regulation, art. 114 of the Code (note of 07/09/2022).

With the defensive briefs sent on 05/10/2022, pursuant to art. 18 of Law no. 689/1981 and art. 166 paragraph 6 of the Code, the Company represented that:

- “Mr. XX has never been an employee of Selectra, nor has the latter ever been his employer, since the parties had exclusively an agency contract pursuant to art. 1742 et seq. of the Civil Code”;

- therefore, “the entire accusation of alleged violation of the Code is irrelevant (…) since it is based by this Authority on the accusation that Selectra had processed personal data in violation of art. 114 of the Code (which refers to art. 4 of law 300/1970 as a condition for the lawfulness of the processing) (…)”;

- “It is also specified that the commercial agent was also external to the Selectra corporate structure in Bolzano or elsewhere; among other things, he did not even have his own office or personal computer (…), operating only outside and at his own independent company (…). It should also be noted that the commercial agent used the mailbox that Selectra had made available to him exclusively for strictly business-professional use (…) for different and personal uses completely unrelated to his activity as a commercial agent. Except to then complain if Selectra, after having discovered the unfair competition activities pursuant to art. 2589 no. 3 of the Civil Code and the theft of secret data (…), complained about the emergence of his personal emails that he had illegitimately passed through Selectra's email box (…)”;

- "Selectra has an interest in clarifying that all the processing carried out even towards its own employees (although the complainant had never been one, being a commercial agent external to the company) were inspired by principles of correctness as indicated in the Regulation".

With reference to the specific aspects of unlawfulness contested, the Company observed that:

- the backup of email boxes, performed using the Mail Store application, “is a technical security measure” arranged in compliance with art. 5, par. 1, letter f) of the Regulation “to guarantee the security and integrity of personal data processed from cyber attacks (…). The execution of the backup does not require any access by company personnel, while the maximum retention period of three years is a theoretical parameter that limits the maximum retention time and, consequently, the maximum time for which it is possible to recover data and/or information backwards in the event of a service failure or cyber attack”;

- with respect to the information provided to its employees and collaborators, this “specified the possibility for Selectra to access the content of email boxes for any proven business continuity needs (…). The purpose indicated in the information provided to [the complainant] is entirely legitimate, because it refers to company email boxes assigned to individuals other than employees. In fact, Selectra's sales agents do not have access to company management software (CRM, ERP, etc.) and manage their routine exclusively through email";

- "the need to ensure business continuity constitutes the purpose for which Selectra, exclusively through an appointed individual, could access the email box";

- "it must be reiterated that Selectra never accessed the company email boxes (...). The access performed by Studio XX, exclusively through the Mail Store application, occurred on data collected by Selectra for a specific and legitimate purpose of protection in the judicial sphere pursuant to art. 5, par. 1, letter b) and were processed lawfully, correctly and transparently pursuant to art. 5, par. 1, letter a), since the information provided to the complainant was crystal clear on this point";

- “pending the resolution of the complaint, Selectra has nevertheless decided to suspend the use of Mail Store and to undertake a process of reviewing its privacy policies with the aim of making them even more synoptic for the interested parties”.

3. The outcome of the investigation and the procedure for the adoption of corrective measures.

Following the examination of the statements made by the party during the proceedings, as well as the documentation acquired, it appears that the Company, as data controller, has carried out some processing operations that do not comply with the regulations on the protection of personal data. In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

In particular, it emerged that the Company has commissioned a forensic engineering firm to carry out an investigation into the content of the complainant's email using the Mail Store application (installed on company PCs). The emails collected through the application (identified by the complainant as 34) were used in the context of legal proceedings initiated against the complainant before the Court of Venice.

It also emerged that the Company, based on the document “Equipment used by the worker to perform work and tools for recording access and attendance - Methods and limits of use”, (attached to the information given to the complainant as a collaborator and also addressed to the employees of the Company), processes the data relating to individualized company email accounts in violation of the data protection regulations.

3.1. Violation of Articles 5, paragraph 1, letter a) and 13 of the Regulation.

First of all, it should be noted that, regardless of the qualification of the relationship between the Company and the complainant, the processing of the personal data of the interested party is attributable to the Company which acted as data controller, according to the definition in art. 4, par. 1, no. 7 of the Regulation (“data controller: the natural or legal person,… who, individually or together with others, determines the purposes and means of the processing of personal data”).

Given the processing carried out, which mainly concerned the data contained in the email box, it was found that the information provided by the Company does not comply with data protection regulations, as it is unsuitable and incomplete in fully representing the characteristics and methods of the processing carried out, with particular reference to the retention periods of the data relating to the email and the methods and purposes with which the checks are carried out by the Company in its capacity as data controller.

In particular, from the examination of the documentation in the files, it appears that the information provided to the complainant provides, in very general terms, for the retention of personal data solely to allow the completion of all the obligations connected to or deriving from the conclusion of the employment relationship, indicating as the retention period a term of 10 years in accordance with the provisions of articles 19 and 22 of Presidential Decree 600/1973.

Similarly, in the part of the document entitled "Equipment used by the worker to perform the work and tools for recording access and attendance", the interested party is informed of the processing of logs of access to email and management, which are retained "for a period of at least 6 months".

However, no information is provided regarding the back-up of the content of the individual email inbox, during the employment relationship, and the conservation of the related content, after the termination of the relationship with the Company, which, according to what was declared by the Company, is expected for 3 years (notes of 13/04/2022 and 05/10/2022).

The part of the document containing the instructions on the use of work tools also provides for the possibility for the Company to access the workers' email inbox, following the termination of the employment relationship or even in the event of absence, solely to ensure the continuity of the work performance.

In this regard, it is necessary to recall the constant orientation of this Authority which, in its provisions, has always stated that in order to ensure the ordinary performance and continuity of the company activity, it is necessary to prepare document management systems capable of archiving and storing documents "with methods suitable to guarantee the characteristics of authenticity, integrity, reliability, readability and retrievability prescribed by the applicable sector regulations". These characteristics cannot be found in email systems which, in fact, respond to other purposes (see, among others, provision no. 53 of 01/02/2018, web doc. no. 8159221 and provision no. 214 of 29/10/2020 web doc. 9518890).

In any case, it emerges from the analysis reported above that the information documents prepared by the Company do not provide any information regarding the investigations that it reserves the right to carry out on the contents stored on company devices nor the necessary clarifications on any legitimate, specific and non-generic reasons underlying such checks and the related methods, which must in any case comply with the principles of lawfulness, proportionality and graduality (see “Guidelines for electronic mail and internet”, provision 1 March 2007, no. 13, web doc no. 1387522).

In this regard, it is noted that the content of the information must comply with data protection regulations as it is not sufficient to inform the interested party of the essential characteristics of the processing, but it is also necessary that the information provided outlines processing operations that are lawful in themselves.

Therefore, the unlawfulness of the processing of personal data carried out by the Company on the basis of the information notice prepared, which is unsuitable for the reasons set out, must be confirmed. Among other things, it is recalled that the obligation to provide information is an expression of the principle of fairness of processing even in the context of collaborative relationships.

The conduct implemented, therefore, occurred in violation of Articles 5, par. 1, letter a) (principle of fairness) and 13 of the Regulation.

3.2. Violation of Article 5, par. 1, letter a), c) and e) and 88 of the Regulation and of Article 114 of the Code.

A further profile of unlawfulness that emerged from the investigation activity concerns the processing of the content of electronic mail that transits on company accounts, carried out by the Company by means of a software device called Mail Store.

Based on the statements made, it appears that through this device the Company backs up the content of the email boxes used by employees and collaborators, during the employment/collaboration relationship, retaining the content systematically and automatically for a period of three years, after the termination of the employment relationships.

The Company stated, in its defense briefs, that the purpose of this processing is to guarantee the security of the IT systems, pursuant to art. 5, par. 1, letter f), of the Regulation.

First of all, it should be noted that the Company, in light of the retention of the content of communications made by employees and collaborators via email for such an extended period (i.e. the entire duration of the employment relationship and three years after the termination of the relationship itself), has not indicated the specific reasons by virtue of which, also taking into account the specific characteristics of the systems used, it deemed it necessary to identify such a retention period for the security purposes of the aforementioned systems.

At the same time, the Company did not indicate the specific reasons why it deemed it necessary to retain the email and management access logs used by employees for the long retention period of 6 months (in this regard, see also what was specified by the Authority on the retention periods of email logs in the Provision of 6 June 2024, “Guideline document. Computer programs and services for managing email in the workplace and processing of metadata”, web doc. no. 10026277).

In any case, it is clear that the Mail Store software was used for purposes other than that of ensuring the security of the IT systems. In fact, in the specific case that is the subject of the complaint, the Company analyzed the emails present in the complainant’s account, verified their content and initiated the dispute.

The processing operations carried out by means of the aforementioned software (such as collection, storage, consultation) that have allowed the reconstruction of the activity of the interested party, are in conflict with the principles of lawfulness, data minimization and storage limitation (art. 5, par. 1, lett. a), c) and e) of the Regulation).

In fact, based on the regulations on the protection of personal data, in the context of employment/collaboration relationships, the controller can lawfully process personal data, as a rule, only if the processing is necessary for the management of the relationship itself or if it is necessary to fulfill specific obligations or tasks set by the applicable sector regulations (art. 6, par. 1, lett. a) and c) of the Regulation, with reference to the so-called common data), and in any case can process only the data that is adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed and for a period of time not exceeding the achievement of the purposes for which they are processed.

In this case, however, the systematic storage of emails, carried out for a considerable period of time (equal to three years following the termination of the employment relationship), as well as the systematic storage of access logs to email and the management system used by workers, do not comply with data protection regulations, as they are not proportionate and necessary to achieve the declared purposes of security of the IT network and continuity of business activity.

From another perspective, it emerges that the processing that the Company carries out as an employer on the data contained in the email boxes assigned to its employees (for example following the storage of emails received and sent during work activity) is suitable to allow a control activity on the workers' activity in violation of the provisions of art. 4 of Law no. 300 of 20/05/1970, a rule referred to in art. 114 of the Code (see among the latest provisions adopted by the Guarantor, provision no. 255 of 21/07/2022, web doc. no. 9809466, provision no. 137 of 15/04/2021, web doc no. 9670738, provision no. 214 of 29/10/2020, web doc. no. 9518890 and provision no. 353 of 29/09/2021, web doc. no. 9719914).

In fact, pursuant to art. 114 of the Code, compliance with the provision of art. 4 of the aforementioned law no. 300/1970 constitutes a condition of lawfulness of the processing of personal data carried out in the workplace, as it is one of the provisions of national law "most specific to ensure the protection of rights and freedoms with regard to the processing of personal data of employees in the context of employment relationships" identified by art. 88 of the Regulation (see art. 5, par. 1, letter a) and 88 of the Regulation).

Precisely with reference to the profiles of violation of art. 114 of the Code, it is noted that the software used by the Company (until the declared suspension of its use), precisely because of its characteristics (as described by the party and given the information released to workers), is suitable for carrying out a control of the work activity (on this point, see among others provision no. 303 of 13/07/2016, web doc no. 5408460).

In particular, the Company, through the aforementioned software, has carried out processing operations that allow for the detailed reconstruction, even over time, of the activity of the employees, both through communications exchanged via e-mail and through the logs of the management software used to carry out the work activity.

Moreover, even if, hypothetically, such processing operations were intended to achieve one of the purposes strictly indicated by art. 4, paragraph 1, law no. 300/1970 cit., it does not appear that the Company has activated the guarantee procedure provided for therein (agreement with the workers' representatives or, in their absence, authorization from the Labour Inspectorate).

Finally, it should be noted that with reference to access to e-mail, delegated to the forensic engineering firm and carried out according to the Company for the "specific and legitimate purpose of protection in the judicial field" (as indicated in the information), the Authority has had the opportunity to specify that the processing of personal data carried out for the purpose of protecting one's rights in court must refer to disputes already in progress or to pre-litigation situations, not to abstract and indeterminate hypotheses of possible defense or protection of rights (see provision no. 53 of 01/02/2018, web doc no. 8159221 and provision no. 255 of 21/07/2022, web doc no. 9809466).

In light of the above considerations, the unlawfulness of the conduct carried out must therefore be confirmed, which occurred in violation of the principles of lawfulness, minimization and limitation of storage (Article 5, paragraph 1, letters a), c) and e) of the Regulation) and of the sectoral regulations on remote controls (Article 88 of the Regulation and Article 114 of the Code).

4. Conclusions: unlawfulness of the processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation.

For the above reasons, the Authority believes that the statements made by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome with reference to Articles 5, paragraph 1, letters a), c) and e), 13 and 88 of the Regulation, Article 114 of the Code which are therefore unsuitable to allow the archiving of this proceeding, since, moreover, with reference to these profiles, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

It is recalled that, pursuant to art. 160-bis of the Code, “The validity, effectiveness and usability in judicial proceedings of acts, documents and provisions based on the processing of personal data that does not comply with provisions of law or Regulation remain governed by the relevant procedural provisions”.

Given the corrective powers attributed by art. 58, par. 2, of the Regulation, in light of the circumstances of the specific case:

- the prohibition of further processing of the data extracted through the Mail Store software is ordered (art. 58, par. 2, letter f) of the Regulation);

- the application of an administrative pecuniary sanction is ordered pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i), of the Regulation).

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Selectra S.p.A. has violated Articles 5, paragraph 1, letters a), c) and e), 13 and 88 of the Regulation, Article 114 of the Code.

Violation of the aforementioned provisions shall result in the application of the administrative pecuniary sanction provided for by Article 83, paragraph 5, letters a) and d) of the Regulation by adopting an injunction order (art. 18, l. 24.11.1981, n. 689).

Considering that it is necessary to apply paragraph 3 of art. 83 of the Regulation which provides that “If, in relation to the same processing or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious infringement”, the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5, of the Regulation.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in this case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the general principles of processing and the obligation to provide information; in particular, the violations also concerned the sector regulations on remote controls with respect to a significant number of interested parties, considering that as of 31/12/2023 the Company had 151 employees on staff;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company and its degree of responsibility were taken into consideration, which did not comply with the data protection regulations in relation to a plurality of provisions;

c) the Company cooperated with the Authority during the proceedings by declaring that it had suspended the use of the software in order to comply with the indications that will be provided by the Authority;

d) the absence of specific precedents against the Company.

It is also believed that in this case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2022, are first and foremost relevant.

In light of the elements indicated above and the assessments carried out, it is believed, in this case, that the administrative sanction of the payment of a sum equal to Euro 80,000.00 (eighty thousand) should be applied to Selectra S.p.A.

In this context, it is also believed that, in consideration of the type of violations found, which concerned the general principles of processing, this provision should be published on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

determines the unlawfulness of the processing carried out by Selectra S.p.A. in the person of its legal representative, with registered office in Bolzano, Via Antonio Pacinotti no. 11, VAT no. 00123700213, pursuant to art. 143 of the Code, for the violation of arts. 5, paragraph 1, letters a), c) and e), 13 and 88 of the Regulation and art. 114 of the Code;

ORDERS

pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition on Selectra S.p.A. of any further processing of the data extracted through the Mail Store software;

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, Selectra S.p.A. to pay the sum of Euro 80,000.00 (eighty thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

also to the same Company to pay the aforementioned sum of Euro 80,000.00 (eighty thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981.

It is recalled that the offender retains the right to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019, and believes that the conditions referred to in art. 17 of Regulation no. 1/2019 are met.

Requests the Company to communicate the initiatives undertaken in order to implement this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days of the date of notification of this provision; failure to provide feedback may result in the application of the administrative sanction provided for by art. 83, paragraph 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of notification of the provision itself, or sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE SECRETARY GENERAL
Mattei


[web doc. no. 10053224]

Measure of 17 July 2024

Register of measures
no. 472 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING SEEN the complaint submitted by Mr. XX pursuant to art. 77 of the Regulation, in which he complained about the unlawful processing of personal data by Selectra S.p.A.;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint submitted to the Authority and the start of the investigation.

With the complaint filed on 28/12/2021, Mr. XX complained of a violation of the personal data protection regulations implemented by Selectra S.p.A. (hereinafter “the Company”), with which he had a collaborative relationship as a commercial agent.

In particular, the complainant represented that, following the termination of the collaborative relationship on 24/02/2021, the Company had kept the individualized company email account assigned to him during the collaborative relationship (“XX”) active, accessing the content of all correspondence in transit on the aforementioned account which, in fact, was produced during a proceeding initiated before the Court of Venice.

With a note dated 14/03/2022, the Office formulated a request for information to the Company, pursuant to art. 157 of the Code, in order to acquire useful elements of evaluation regarding what was represented in the complaint.

The Company provided feedback with a note dated 13/04/2022 and, on that occasion, specified that:

- “Selectra has never accessed the [email] mailbox used by the complainant during the duration of the employment relationship”;

- “Selectra periodically performs a backup of the company email boxes, using the MailStore software. The execution of the backup in question does not require any access by company personnel, since it is performed automatically by the MailStore software. The backup of each company email box is kept for a maximum period of three years, after the termination of any employment or collaboration relationship”;

- “has initiated legal action against the current complainant and other individuals, […], following well-founded suspicions of theft of company secrets and further illicit acts perpetrated by the [complainant]”;

- “in order to protect its corporate secrets, Selectra has mandated the forensic engineering firm XX […] to carry out an expert assessment with the aim, among other things, of ascertaining any phenomena of exfiltration of secret corporate data by the [complainant], during the period of validity of the employment relationship”;

- “within this mandate, the XX firm acquired a forensic copy of the backup of the corporate email account [assigned to the complainant], directly from the MailStore application”;

- “the corporate email account [assigned to the complainant] was deactivated within three days following 05 March 2021, the date on which Selectra sent a specific directive to the IT department”;

- “the current status of the account is […] inactive”;

- “Selectra provided the [complainant] with a copy of the Privacy Policy and the company regulations on 15 March 2019”;

A copy of the “Information for external collaborators/representatives, also for sensitive/particular data pursuant to art. 13 of European Regulation 679/2016” and the document concerning “Equipment used by the worker to perform the work and the tools for recording access and attendance” were produced in the documents, both delivered to the complainant and signed by him on 15/03/2019.

In particular, the document “Equipment used by the worker to perform the work and the tools for recording access and attendance” specified that:

- “in the event of cessation of work activity or absence, [the Company reserves the right to] access the mailbox used during the employment relationship, to allow continuity of work (…)”;

- “the IT system records its accesses to the email boxes and to the management system, constantly processing log reports that are stored by the system for a period of at least 6 months”;

- “For the purposes of confidentiality protection, the undersigned informs pursuant to art. 13 of Eur. reg. 679/2016 and art. 4 of Law 300/1970 (Workers' Statute) that the tools described above are all potentially suitable for implementing remote monitoring of your work performance”;

- "in the event that it deems it strictly useful and/or strictly necessary, it may carry out random checks aimed at ascertaining the correctness of the service, as well as it may carry out checks aimed at verifying the regular use of the tools provided and the related systems and their regular functioning, also through tests with the warning referred to in art. 4 of Law 300/1970 (…) and that the information collected pursuant to paragraphs 1 and 2, art. 4, Law 300 of 20 May 1970, deriving from the tools to provide the service, will be used for all purposes related to the employment relationship (including sanctioning procedures)".

- "the processing carried out by Selectra [has] taken place in compliance with the principles of relevance and non-excess of data. The legal basis of the processing is given by Selectra's right to protect its rights in the face of a well-founded suspicion of massive theft of its data (including trade secrets and databases) […]";

- the Company “promptly deactivated the complainant’s email inbox, without ever accessing it directly, and stored the data and allowed an external consulting firm to examine it, exactly within the limits of the information provided to the complainant, with the methods […] indicated in the company regulations”.

2. The initiation of the procedure for the adoption of the Authority’s corrective measures.

On the basis of the statements made and the documentation produced during the investigation, the Office notified the Company of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code for the violation of arts. 5, par. 1, letters a), c) and e), 13 and 88 of the Regulation, art. 114 of the Code (note of 07/09/2022).

With the defensive briefs sent on 05/10/2022, pursuant to art. 18 of Law no. 689/1981 and art. 166 paragraph 6 of the Code, the Company represented that:

- “Mr. XX has never been an employee of Selectra, nor has the latter ever been his employer, since the parties had exclusively an agency contract pursuant to art. 1742 et seq. of the Civil Code”;

- therefore, “the entire accusation of alleged violation of the Code is irrelevant (…) since it is based by this Authority on the accusation that Selectra had processed personal data in violation of art. 114 of the Code (which refers to art. 4 of law 300/1970 as a condition for the lawfulness of the processing) (…)”;

- “It is also specified that the commercial agent was also external to the Selectra corporate structure in Bolzano or elsewhere; among other things, he did not even have his own office or personal computer (…), operating only outside and at his own independent company (…). It should also be noted that the commercial agent used the mailbox that Selectra had made available to him exclusively for strictly business-professional use (…) for different and personal uses completely unrelated to his activity as a commercial agent. Except to then complain that Selectra, after having discovered the activities of unfair competition pursuant to art. 2589 no. 3 of the Civil Code and the theft of secret data (…), complained about the emergence of his personal emails that he had illegitimately passed through Selectra's email box (…)”;

- "Selectra has an interest in specifying that all the processing carried out even towards its own employees (although the complainant had never been one, being a commercial agent external to the company) were inspired by principles of correctness as indicated in the Regulation".

With reference to the specific aspects of unlawfulness contested, the Company observed that:

- the backup of email boxes, performed using the Mail Store application, “is a technical security measure” arranged in compliance with art. 5, par. 1, letter f) of the Regulation “to guarantee the security and integrity of personal data processed from cyber attacks (…). The execution of the backup does not require any access by company personnel, while the maximum retention period of three years is a theoretical parameter that limits the maximum retention time and, consequently, the maximum time for which it is possible to recover data and/or information backwards in the event of a service failure or cyber attack”;

- with respect to the information provided to its employees and collaborators, this “specified the possibility for Selectra to access the content of email boxes for any proven business continuity needs (…). The purpose indicated in the information provided to [the complainant] is entirely legitimate, because it refers to company email boxes assigned to individuals other than employees. In fact, Selectra's sales agents do not have access to company management software (CRM, ERP, etc.) and manage their routine exclusively through email";

- "the need to ensure business continuity constitutes the purpose for which Selectra, exclusively through an appointed individual, could access the email box";

- "it must be reiterated that Selectra never accessed the company email boxes (...). The access performed by Studio XX, exclusively through the Mail Store application, occurred on data collected by Selectra for a specific and legitimate purpose of protection in the judicial sphere pursuant to art. 5, par. 1, letter b) and were processed lawfully, correctly and transparently pursuant to art. 5, par. 1, letter a), since the information provided to the complainant was crystal clear on this point";

- “pending the resolution of the complaint, Selectra has nevertheless decided to suspend the use of Mail Store and to undertake a process of reviewing its privacy policies with the aim of making them even more synoptic towards the interested parties”.

3. The outcome of the investigation and the procedure for the adoption of corrective measures.

Following the examination of the statements made by the party during the proceedings, as well as the documentation acquired, it appears that the Company, as data controller, has carried out some processing operations that do not comply with the regulations on the protection of personal data. In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code “False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”.

In particular, it emerged that the Company commissioned a forensic engineering firm to carry out an investigation into the content of the complainant's email using the Mail Store application (installed on company PCs). The emails collected through the application (identified by the complainant as 34) were used in the context of legal proceedings initiated against the complainant before the Court of Venice.

It also emerged that the Company, based on the information provided in the document "Equipment used by the worker to perform work and tools for recording access and attendance - Methods and limits of use", (attached to the information provided to the complainant as a collaborator and also addressed to the Company's employees), processes the data relating to individualized company email accounts in violation of data protection regulations.

3.1. Violation of Articles 5, paragraph 1, letter a) and 13 of the Regulation.

First of all, it should be noted that, regardless of the qualification of the relationship between the Company and the complainant, the processing of the personal data of the interested party is attributable to the Company which acted as data controller, according to the definition in art. 4, par. 1, no. 7 of the Regulation (“data controller: the natural or legal person,… who, individually or together with others, determines the purposes and means of the processing of personal data”).

Given the processing carried out, which mainly concerned the data contained in the email box, it was found that the information provided by the Company does not comply with data protection regulations, as it is unsuitable and incomplete in fully representing the characteristics and methods of the processing carried out, with particular reference to the retention periods of the data relating to the email and the methods and purposes with which the checks are carried out by the Company in its capacity as data controller.

In particular, from the examination of the documentation in the files, it appears that the information provided to the complainant provides, in very general terms, for the retention of personal data solely to allow the completion of all the obligations connected to or deriving from the conclusion of the employment relationship, indicating as the retention period the term of 10 years in accordance with the provisions of articles 19 and 22 of Presidential Decree 600/1973.

Similarly, in the part of the document entitled "Equipment used by the worker to perform the work and tools for recording access and attendance", the interested party is informed of the processing of logs of access to email and management, which are retained "for a period of at least 6 months".

However, no information is provided regarding the backup of the content of the individual email inbox during the employment relationship, nor regarding the retention of the related content after the termination of the relationship with the Company, which, according to what was declared by the Company, is envisaged for 3 years (notes of 13/04/2022 and 05/10/2022).

The part of the document containing the instructions on the use of work tools also provides for the possibility for the Company to access the workers' email inbox, following the termination of the employment relationship or even in the event of absence, solely to ensure the continuity of the work performance.

In this regard, it is necessary to recall the constant orientation of this Authority which, in its provisions, has always stated that in order to ensure the ordinary performance and continuity of the company activity, it is necessary to prepare document management systems capable of archiving and storing documents "with methods suitable to guarantee the characteristics of authenticity, integrity, reliability, readability and retrievability prescribed by the applicable sector regulations". These characteristics cannot be found in email systems which, in fact, respond to other purposes (see, among others, provision no. 53 of 01/02/2018, web doc. no. 8159221 and provision no. 214 of 29/10/2020 web doc. 9518890).

In any case, it emerges from the analysis reported above that the information documents prepared by the Company do not provide any information regarding the investigations that it reserves the right to carry out on the contents stored on company devices nor the necessary clarifications on any legitimate, specific and non-generic reasons underlying such checks and the related methods, which must in any case comply with the principles of lawfulness, proportionality and graduality (see “Guidelines for electronic mail and internet”, provision 1 March 2007, no. 13, web doc no. 1387522).

In this regard, it is noted that the content of the information must comply with data protection regulations as it is not sufficient to inform the interested party of the essential characteristics of the processing, but it is also necessary that the information provided outlines processing operations that are lawful in themselves.

Therefore, the unlawfulness of the processing of personal data carried out by the Company on the basis of the information notice it prepared, which is unsuitable for the reasons set out, must be confirmed. Among other things, it is recalled that the obligation to provide information is an expression of the principle of fairness of processing even in the context of collaborative relationships.

The conduct implemented, therefore, occurred in violation of Articles 5, par. 1, letter a) (principle of fairness) and 13 of the Regulation.

3.2. Violation of Article 5, par. 1, letters a), c) and e), and Article 88 of the Regulation and of Article 114 of the Code.

A further profile of unlawfulness that emerged from the investigation activity concerns the processing of the content of electronic mail that transits on company accounts, carried out by the Company by means of a software device called Mail Store.

Based on the statements made, it appears that through this device the Company backs up the content of the email boxes used by employees and collaborators, during the employment/collaboration relationship, retaining the content systematically and automatically for a period of three years, after the termination of the employment relationships.

The Company has declared, in its defense briefs, that the purpose of this processing is to guarantee the security of the IT systems, pursuant to art. 5, par. 1, letter f), of the Regulation.

First of all, it should be noted that the Company, in light of the retention of the content of communications made by employees and collaborators via email for such an extended period of time (i.e. the entire duration of the employment relationship and three years after the termination of the relationship itself), has not indicated the specific reasons by virtue of which, also taking into account the specific characteristics of the systems used, it deemed it necessary to identify such a retention period for the security purposes of the aforementioned systems.

At the same time, the Company did not indicate the specific reasons why it deemed it necessary to retain the email and management access logs used by employees for the long retention period of 6 months (in this regard, see also what was specified by the Authority on the retention periods of email logs in the Provision of 6 June 2024, “Guideline document. Computer programs and services for managing email in the workplace and processing of metadata”, web doc. no. 10026277).

In any case, it is clear that the Mail Store software was used for purposes other than that of ensuring the security of the IT systems. In fact, in the specific case in question, the Company analyzed the emails present in the complainant’s account, verified their content and initiated the dispute.

The processing operations carried out by means of the aforementioned software (such as collection, storage, consultation) that have allowed the reconstruction of the activity of the interested party, are in conflict with the principles of lawfulness, data minimization and storage limitation (art. 5, par. 1, lett. a), c) and e) of the Regulation).

In fact, based on the regulations on the protection of personal data, in the context of employment/collaboration relationships, the controller can lawfully process personal data, as a rule, only if the processing is necessary for the management of the relationship itself or if it is necessary to fulfill specific obligations or tasks set by the applicable sector regulations (art. 6, par. 1, lett. a) and c) of the Regulation, with reference to the so-called common data), and in any case can process only the data that is adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed, and for a period of time not exceeding the achievement of those purposes.

In this case, however, the systematic storage of emails, carried out for a considerable period of time (equal to three years following the termination of the employment relationship), as well as the systematic storage of access logs to email and the management system used by workers, do not comply with data protection regulations, as they are not proportionate and necessary to achieve the declared purposes of security of the IT network and continuity of business activity.

From another perspective, it emerges that the processing that the Company carries out as an employer on the data contained in the email boxes (for example following the storage of emails received and sent during work activity) assigned to its employees is suitable to allow a control activity on the workers' activity in violation of the provisions of art. 4 of Law no. 300 of 20/05/1970, a rule referred to in art. 114 of the Code (see among the latest provisions adopted by the Guarantor, provision no. 255 of 21/07/2022, web doc. no. 9809466, provision no. 137 of 15/04/2021, web doc no. 9670738, provision no. 214 of 29/10/2020, web doc. no. 9518890 and provision no. 353 of 29/09/2021, web doc. no. 9719914).

In fact, pursuant to art. 114 of the Code, compliance with the provision of art. 4 of the aforementioned law no. 300/1970 constitutes a condition of lawfulness of the processing of personal data carried out in the workplace, as it is one of the provisions of national law "most specific to ensure the protection of rights and freedoms with regard to the processing of personal data of employees in the context of employment relationships" identified by art. 88 of the Regulation (see art. 5, par. 1, letter a) and 88 of the Regulation).

Precisely with reference to the profiles of violation of art. 114 of the Code, it is noted that the software used by the Company (until the declared suspension of its use), precisely because of its characteristics (as described by the party and given the information released to workers), is suitable for carrying out a control of the work activity (on this point, see among others provision no. 303 of 13/07/2016, web doc no. 5408460).

In particular, the Company, through the aforementioned software, has carried out processing operations that allow for the detailed reconstruction, even over time, of the activity of the employees, both through communications exchanged via e-mail and through the logs of the management software used to carry out the work activity.

Moreover, even if, hypothetically, such processing operations were intended to achieve one of the purposes strictly indicated by art. 4, paragraph 1, law no. 300/1970 cit., it does not appear that the Company has activated the guarantee procedure provided for therein (agreement with the workers' representatives or, in their absence, authorization from the Labour Inspectorate).

Finally, it should be noted that with reference to access to e-mail, delegated to the forensic engineering firm and carried out according to the Company for the "specific and legitimate purpose of protection in the judicial field" (as indicated in the information), the Authority has had the opportunity to specify that the processing of personal data carried out for the purpose of protecting one's rights in court must refer to disputes already in progress or to pre-litigation situations, not to abstract and indeterminate hypotheses of possible defense or protection of rights (see provision no. 53 of 01/02/2018, web doc no. 8159221 and provision no. 255 of 21/07/2022, web doc no. 9809466).

In light of the above considerations, the unlawfulness of the conduct carried out must therefore be confirmed, which occurred in violation of the principles of lawfulness, minimization and limitation of storage (Article 5, paragraph 1, letters a), c) and e) of the Regulation) and of the sectoral regulations on remote controls (Article 88 of the Regulation and Article 114 of the Code).

4. Conclusions: unlawfulness of the processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation.

For the above reasons, the Authority believes that the statements made by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome with reference to Articles 5, paragraph 1, letters a), c) and e), 13 and 88 of the Regulation and Article 114 of the Code, and are therefore unsuitable to allow this proceeding to be closed, since, moreover, with reference to these profiles, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

It is recalled that, pursuant to art. 160-bis of the Code, “The validity, effectiveness and usability in judicial proceedings of acts, documents and provisions based on the processing of personal data that does not comply with provisions of law or Regulation remain governed by the relevant procedural provisions”.

Given the corrective powers attributed by art. 58, par. 2, of the Regulation, in light of the circumstances of the specific case:

- the prohibition of further processing of the data extracted through the Mail Store software is ordered (art. 58, par. 2, letter f) of the Regulation);

- the application of an administrative pecuniary sanction is ordered pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i), of the Regulation).

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Selectra S.p.A. has violated Articles 5, paragraph 1, letters a), c) and e), 13 and 88 of the Regulation, Article 114 of the Code.

Violation of the aforementioned provisions results in the application of the administrative pecuniary sanction provided for by Article 83, paragraph 5, letters a) and d) of the Regulation, by adopting an injunction order (art. 18, Law no. 689 of 24.11.1981).

Considering that it is necessary to apply paragraph 3 of art. 83 of the Regulation which provides that “If, in relation to the same processing or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious infringement”, the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5, of the Regulation.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in the case in question, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the general principles of processing and the obligation to provide information; in particular, the violations also concerned the sector regulations on remote controls with respect to a significant number of interested parties, considering that as of 31/12/2023 there were 151 employees in force at the Company;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company and its degree of responsibility were taken into consideration, since it failed to comply with the data protection regulations in relation to a plurality of provisions;

c) the Company cooperated with the Authority during the proceedings by declaring that it had suspended the use of the software in order to comply with the indications to be provided by the Authority;

d) the absence of specific precedents against the Company.

It is also believed that, in this case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2022, are relevant.

In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply to Selectra S.p.A. the administrative sanction of the payment of a sum equal to Euro 80,000.00 (eighty thousand).

In this context, it is also believed that, in consideration of the type of violations ascertained, which concerned the general principles of processing, this provision should be published on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

determines the unlawfulness of the processing carried out by Selectra S.p.A. in the person of its legal representative, with registered office in Bolzano, Via Antonio Pacinotti n. 11, P.I. 00123700213 pursuant to art. 143 of the Code, for the violation of arts. 5, par. 1, lett. a), c) and e), 13 and 88 of the Regulation and art. 114 of the Code;

ORDERS

pursuant to art. 58, par. 2, lett. f) of the Regulation, that Selectra S.p.A. be prohibited from further processing the data extracted through the Mail Store software;

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, that the Company pay the sum of €80,000.00 (eighty thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

the same Company to pay the aforementioned sum of €80,000.00 (eighty thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent enforcement actions will be adopted pursuant to art. 27 of Law no. 689/1981.

It is recalled that the offender has the right to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

Requests the Company to communicate what initiatives have been undertaken in order to give effect to the measures set out in this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any failure to provide feedback may result in the application of the administrative sanction provided for by art. 83, par. 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei