Garante per la protezione dei dati personali (Italy) - 9909235

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started: 20.08.2020
Decided: 27.04.2023
Published:
Fine: 40000 EUR
Parties: n/a
National Case Number/Name: 9909235
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: n/a

The Italian DPA issued a fine against a controller in the amount of €40,000 because it accessed the email accounts of three of its former employees in violation of Article 5(1) GDPR and Article 13 GDPR.

English Summary

Facts

GEICO S.p.A., the controller, was the employer of the three data subjects. Two of them resigned at the end of March 2019, the third at the end of May 2019. Their email accounts were deactivated shortly after their respective employment ended. However, the controller did not archive the accounts: it kept access to them and redirected incoming mail to a different company account.

Through automated security notifications, the data subjects noticed that someone was repeatedly accessing their email accounts even after their employment contracts had been terminated. Since they had never been informed of such access, they considered this a violation of the GDPR and submitted a complaint to the Italian DPA.

The DPA asked the controller for clarification. In its submissions, the controller argued that access to the data subjects' e-mail accounts was necessary to gather information for a separate lawsuit against them, since they had shown suspicious behaviour that could potentially have harmed the controller. The controller described this as an exceptional circumstance in which the processing was necessary to protect its rights in connection with that lawsuit. It further noted that the data subjects had been informed, in several communications, about the company's operating procedures and policies, including those on IT tools and services, and that these policies had thereby been made known to them.

Holding

The DPA held that the controller breached the principle of fairness and transparency under Article 5(1)(a) GDPR, as the communications it had circulated contained no information on the processing carried out after the end of employment. In addition, third parties were led to believe that the data subjects' accounts were no longer active and that their messages were therefore no longer processed. The controller also failed to inform the data subjects about the modalities of the processing and the recipients of their personal data, in violation of Article 13 GDPR.

The controller failed to provide evidence that the data subjects had behaved in a suspicious manner warranting its conduct. In these circumstances, the DPA found no indication of any specific, explicit and legitimate purpose for the processing, nor of its duration. It therefore held that the controller had acted contrary to the principle of purpose limitation under Article 5(1)(b) GDPR and the principle of data minimisation under Article 5(1)(c) GDPR. Further, the DPA found that the controller had also violated Article 5(1)(e) GDPR: its internal policies did not specify the duration of the processing but left it to the person in charge, contrary to the principle of storage limitation.

The DPA also held that the controller's policy of redirecting the e-mails of deactivated accounts to whatever account the person in charge indicated, rather than to a clearly instructed person, breached Article 5(1)(f) GDPR, since such a practice could not guarantee the integrity and confidentiality of the data collected.

Regarding the sanction, the DPA considered the nature and seriousness of the breach as relevant, as well as the constant cooperation of the controller and the absence of previous breaches. In light of this, the Italian DPA issued a fine to the controller in the amount of €40,000 pursuant to Article 83 GDPR.
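As an added illustration (not part of the GDPRhub page or of the decision), the following Python script audits offboarded-mailbox records against the principles the DPA applied above: a bounded forwarding period, a designated recipient, a recorded closure date, notice to the departing employee and notice to third-party senders. The policy thresholds, addresses and sample records are constructed assumptions; only the dates mirror the case timeline.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy parameters: constructed assumptions, not taken from the decision.
MAX_FORWARD_DAYS = 90                                    # forwarding must end within this window
DESIGNATED_RECIPIENTS = {"hr-offboarding@example.com"}   # only named mailboxes may receive redirected mail


@dataclass
class OffboardedAccount:
    """Record of how one former employee's mailbox was handled (constructed fields)."""
    address: str
    deactivated_on: date                # day the account was suspended
    forwarded_to: Optional[str]         # where incoming mail was redirected, if at all
    closed_on: Optional[date]           # when forwarding stopped and the account was closed
    sender_auto_reply: bool             # third parties told the mailbox is no longer in use
    employee_informed: bool             # post-termination handling disclosed before departure


def days_active(acct: OffboardedAccount, as_of: date) -> int:
    """Days the account kept receiving (and redirecting) mail after deactivation."""
    end = acct.closed_on or as_of
    return (end - acct.deactivated_on).days


def audit(acct: OffboardedAccount, as_of: date) -> list:
    """Return finding codes, each tied to the GDPR principle the DPA relied on."""
    findings = []
    if acct.forwarded_to is not None and acct.forwarded_to not in DESIGNATED_RECIPIENTS:
        # Art. 5(1)(f): redirection to any address a manager picks, not a designated one
        findings.append("recipient_not_designated")
    if acct.closed_on is None:
        # Art. 5(1)(e): the end of processing is undefined and closure is unrecorded
        findings.append("no_closure_date")
    if days_active(acct, as_of) > MAX_FORWARD_DAYS:
        # Art. 5(1)(b)/(c)/(e): open-ended collection of incoming messages
        findings.append("forwarding_too_long")
    if acct.forwarded_to is not None and not acct.sender_auto_reply:
        # Art. 5(1)(a): senders believe the account is dead while their mail is read
        findings.append("no_sender_notice")
    if not acct.employee_informed:
        # Art. 13: the former employee was never told about post-termination processing
        findings.append("no_employee_notice")
    return findings


# Constructed sample records shaped like the case timeline (dates from the decision,
# addresses and flags invented).
AS_OF = date(2021, 3, 17)   # last date on which the decision documents access
CASE_LIKE = OffboardedAccount(
    address="former-employee@example.com",
    deactivated_on=date(2019, 3, 29),
    forwarded_to="manager-chosen-mailbox@example.com",
    closed_on=None,
    sender_auto_reply=False,
    employee_informed=False,
)
COMPLIANT = OffboardedAccount(
    address="other-leaver@example.com",
    deactivated_on=date(2019, 3, 29),
    forwarded_to="hr-offboarding@example.com",
    closed_on=date(2019, 6, 15),
    sender_auto_reply=True,
    employee_informed=True,
)

if __name__ == "__main__":
    for rec in (CASE_LIKE, COMPLIANT):
        print(rec.address, days_active(rec, AS_OF), "days active ->", audit(rec, AS_OF) or "no findings")
```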

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9909235]

Provision of 27 April 2023

Register of measures
n. 171 of 27 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

GIVEN the complaint presented pursuant to art. 77 of the Regulation by Messrs XX, XX and XX towards Geico S.p.A.;

EXAMINED the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER prof. Pasquale Stanzione;

PREMISE

1. The complaint against the company and the investigative activity.

With a complaint dated August 20, 2020, Messrs. XXX, XX and XX complained about alleged violations of the Regulation by Geico S.p.A. (hereinafter, the Company), with reference to the processing of personal data carried out through the email accounts (XX, XX and XX) assigned to the complainants in the context of the employment relationship with the Company.

With the complaint, in particular, it was complained that the Company kept the aforementioned email addresses active after the termination of the employment relationship and accessed their contents, at least until March 17, 2021 (as evidenced by the automatic security notifications from Google received by interested parties: see the complainants' reply memorandum dated 1/6/2021).

Part of the data thus processed was used in proceedings initiated by the Company before the competent ordinary judicial authority.

These processing operations on company email accounts were allegedly carried out by the Company without providing the interested parties with the information required under art. 13 of the Regulation.

The Company, in responding to the Office's request for information, with a note dated March 22, 2021, declared that:

a. "the disputed facts must be placed within the context of a much broader and more complex matter", in relation to which the Company has appealed to the competent judicial authority (Milan Court - Section specialized in business matters) against the complainants (note 22/3/2021, p. 2);

b. "when GEICO became aware of the serious and irreparable danger in progress which risked compromising [...] the further continuation of its business activity, it was obliged to adopt extraordinary and exceptional measures with respect to its ordinary procedures for processing personal data” (note cit., p. 5);

c. “The accounts [assigned to the complainants] were deactivated at the end of March 2019 (referring to complainants XX and XX) the day after the relationship was terminated. Regarding Mr. XX's account, it was deactivated in May 2019, the day after the termination of the relationship. Considering the serious illicit conduct carried out by the complainants [...] the usual "takeout" archiving activity was not carried out given the need to keep the evidentiary material contained in the respective boxes completely intact" (note cit., p. 5);

d. “access [to the accounts] was carried out [by the party's expert] exclusively for the protection of the rights [of the Company] in court” (cited note, p. 6);

e. "no facts or data relating to the private lives of others were discussed (or brought to court) (the emails in question were dealing exclusively with work and professional profiles)" (cit. note, p. 8).

With a subsequent note dated 15 February 2022, sent in response to a request for further information formulated by the Office, the Company declared that:

a. “the company operating procedures [...] have been made official through company communications by sector managers. In particular, IS6417 was made official to all employees [...] on 27 July 2015" (note 15/2/2022, p. 1-2);

b. "all company procedures, including IS6188 (relating to Rules for the use of Corporate IT Tools and Services) and IS6417 (relating to OutBoarding Google Apps), were promptly and effectively disseminated [...] via communication transmitted to the XX domain" (note cit., p. 2);

c. again with reference to the specific methods with which the company policies relating to the correct use of the company email and the controls carried out by the Company were made known to the complainants, it was represented that, from the email of 2 March 2015 addressed by the Human Resources function also to one of the complainants, it emerges that "as per consolidated company practice [...], evidently well known to the complainants, all new hires are subjected to precise initial training and "induction" sessions, also in terms of [company] policy" (note cit., p. 6);

d. “as demonstrated by the Assignment and Authorization Forms for the Transport of Personal Computers […] the complainants […] have accepted and signed the commitment to comply with the operational instruction «Rules for the use of company IT tools and services» IS6188 […]” (note cit., p. 2-3);

e. “In a first phase, the accounts were suspended (deactivated) […] the day following the termination of the relationship” (note cit., p. 3);

f. “In relation to the automatic forward mechanism […] please refer to the procedure […] IS6417 (OutBoarding Google Apps)” (cit. note, p. 3);

g. “At the end of March 2019, the complainants communicated […] to the then president […] of their intention to resign. They also communicate that they want to set up a company for small-scale jobs. However, in the following days, contradictory behaviors were found [...], which generated [...] numerous suspicions" (note cit., p. 6);

h. "the processing carried out on the e-mail accounts of the complainants was therefore solely and exclusively motivated and aimed at the appropriate investigations and the strictly consequent and related defensive needs arising from the conduct of the complainants" (cit. note, p. 6);

i. “Annex 6 to the Report [of the party's expert] contained all the emails passed through the accounts in question. [...] from the emails in question it emerged [...] a casual use (when not in conflict with company policies) of the work account [of the complainants] for subscribing to mailing lists that are absolutely not pertinent to the work activity (e.g. attributable to sites such as Volagratis, Marriot hotel etc.)” (note cit., p. 7);

j. “access to the mailboxes and use of the emails found there and produced in court before the Court of Milan, was necessary, limited and limited to the acquisition there […]” (cit. note, p. 7).

2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

On 28 June 2022, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to art. 5, par. 1, letters a), b), c), e), f) and art. 13 of the Regulation.

With defense briefs sent on 29 July 2022, the Company declared that:

a. "the conduct and data processing of the three Complainants [...] must necessarily be considered in the factual context and in the temporal succession in which all the relevant facts took place in the context of the specific relationship between [the Company] and the [complainants]" (note 7/29/2022, p. 1);

b. the complainants "for over ten years, have held top and managerial positions within [the Company], entrusting them, as an interface with customers and suppliers, with significant responsibilities regarding strategic sectors of the company" (note cit., p. 1);

c. "The top and managerial role and the duration of the Complainants' employment relationship for over ten years at [the Company] made their resignations [made on 28/3/2019] - voluntary and concurrent - immediately suspect" (note cit., p. 2);

d. the day following the resignation of two complainants (29/3/2019) the Company sent both of them a communication announcing the immediate termination of the employment relationship (from the date of the communication itself), recalling the content of art. 2598 of the Civil Code on unfair competition; on the same date, "First indications of the theft of secrets and know-how, patent counterfeiting and unfair competition from the Complainants to the detriment of [the Company]" would also have emerged (cited note, p. 2 and Attachment 18);

e. on 4/18/2019, "proof of the theft of secrets and know-how, patent counterfeiting and unfair competition carried out by the Complainants to the detriment of [the Company]" emerged, consisting of an email sent by one of the complainants to a representative of a competing company, with a copy to the other two complainants (one of whom was still an employee of the Company at that time) (cited note, p. 2);

f. between 30/7 and 11/9 2019, "Technical-forensic investigation activity was carried out at [the Company by the party's expert]", who presented a first report on 18/10/2019 (note cit., p. 3 and Attachment 27);

g. "the complained of treatments implemented [by the Company] were immediately motivated exclusively by defensive purposes and the pre-constitution of evidence in the context of judicial proceedings - civil and criminal - which [the Company] actually [...] initiated" (note cit., p. 6);

h. the Company "had an interest - since its own competitiveness on the market and business continuity was at risk - to know any other subjects involved and which and how much information and data had been stolen" (note cit., p. 6);

i. “With reference to the duration of the complained of treatment […] for the entire duration of the precautionary proceedings (approximately 18 months, between first and second precautionary degree) and for the immediately subsequent one [the Company] necessarily had to remain in the availability of all the evidence of adversary violations" (note cit., p. 7);

j. “The chronology shown on page 5 of the Guarantor's provision of 06.28.2022 is incorrect with reference to the date of assignment of the assignment [to the party's expert]" (cited note, p. 7);

k. "an internal regulation called "Operational Instruction - Rules for using Company IT Tools and Services IS 6188" has been in force for some time now [...], which came into force on 04.20.2015 and is well known to the Complainants as it was delivered in paper copy to each employee and made available in electronic format on the Company's corporate intranet" (note cit., p. 8);

l. "admitted and not granted that [the Company] has processed personal data - illicitly passed on, given the current policies [...], on the mailboxes and company devices of today's Complainants (moreover, little more than the name and surname of the Complainants and some registrations – unauthorized – to travel newsletters…), this processing was done exclusively to have proof of the illicit acts” (cited note, p. 10);

m. “when GEICO became aware of the ongoing danger, which risked seriously and irreparably compromising the further continuation of its […] entrepreneurial and commercial activity and competitiveness on the market, it was obliged to adopt rapid, extraordinary and exceptional compared to its ordinary procedures for processing personal data, in a situation of imminent, concrete and completely unusual danger for the company" (note cit., p. 15);

n. some proceedings are currently pending against the complainant before the ordinary judicial authorities, activated by the Company for his protection;

o. the Company has finally provided all the elements referred to in art. 83, par. 2 of the Regulation.

During the hearing, held on November 22, 2022, the Company finally declared that:

a. “following receipt of the complaint before the Guarantor filed by the Complainants, the Company, on 20 June 2020, adopted a new policy referring, in particular, to the use of company tools, including email, which took into account all the findings contained in the Guarantor's note";

b. “the Company has completed the activity of adapting to the regulations on the protection of personal data through the introduction of the figure of privacy contacts for each function as well as the establishment of a Privacy Committee and a Strategic Privacy Committee [...] as well as the adoption and/or updating of policies relating to the privacy of both employees and customers";

c. "With regards to the corporate communication methods, and in particular the "operational instructions" in force at the time of the facts which are the subject of the complaint, it should be noted that in 2015 a company intranet system was not yet active and the communication took place through the invitation addressed to employees to join a company community";

d. “the complaint arises from an attempt by former employees to invalidate the evidence collected by the Company and used in pending proceedings in both civil and criminal proceedings. The Company acted exclusively to protect its rights in court. The Guarantor is therefore asked to take into account the general principle of self-defence, in the context of the balancing of the rights and interests underlying the event that gave rise to the complaint".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

3.1 Outcome of the investigation.

Upon examination of the declarations made to the Authority during the proceedings as well as the documentation acquired, it appears that the Company, as owner, has carried out some processing operations, relating to the complainants, which are not compliant with the relevant regulations of protection of personal data.

In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

On the merits, it emerged that the Company kept the accounts, assigned to the complainants during the employment relationship, active for a significant period of time (at least until 17 March 2021), following deactivation and simultaneous redirection of the same to a different company address, starting from the day following the termination of the employment relationship (i.e., respectively, on 29 March 2019 for two complainants and 20 May 2019 for the third).

The aforementioned accounts were then closed, albeit on an unspecified date, as communicated by the Company to the Authority on 15 February 2022.

This involved the carrying out of personal data processing activities, referring to the complainants and contained in the electronic correspondence present in the company account, in light of the definitions of "personal data" and "processing", contained in the art. 4, no. 1 and 2 of the Regulation, which also include data relating to work activity.

Furthermore, the Company itself declared that it had found and viewed communications of an extra-work nature relating to mailing lists to which the complainants were apparently registered.

In this regard, it is recalled that, in accordance with the constant orientation of the European Court of Human Rights, the protection of private life also extends to the workplace, considering that, precisely during the performance of work and/or professional activities, relationships are established in which the worker's personality is expressed (see articles 2 and 41, paragraph 2, Constitution).

Also taking into account that the boundary line between the work/professional sphere and the strictly private sphere cannot always be clearly traced, the Court deems art. 8 of the European Convention on Human Rights, aimed at protecting private life, applicable without distinguishing between the private sphere and the professional sphere (see Niemietz v. Allemagne, 16.12.1992 (rec. no. 13710/88), spec. par. 29; Copland v. UK, 04.03.2007 (rec. no. 62617/00), spec. par. 41; Bărbulescu v. Romania [GC], 5.9.2017 (rec. no. 61496/08), spec. par. 70-73; Antović and Mirković v. Montenegro, 28.11.2017 (rec. no. 70838/13), spec. par. 41-42).

Therefore, data processing carried out using information technology in the context of the employment relationship must comply with respect for fundamental rights and freedoms as well as the dignity of the interested party, to protect workers and third parties (see Recommendation CM/Rec (2015) 5 of the Committee of Ministers to the Member States on the processing of personal data in the employment context, especially point 3).

With reference to the management of company accounts after the termination of the employment relationship, which constitutes the subject of the complaint and the investigation activity of the Authority in the specific case, it also appears that the Company has carried out data processing with regard to all former employees or former collaborators who were assigned company accounts at the time in the terms described in the policy in force at the time of the facts (see, below, the provision of redirection "to another company user upon recommendation of the service manager", contained in "OutBoarding Google APPS”, IS6417).

3.2 Violation of art. 5, par. 1, letter a) and art. 13 of the Regulation.

On the basis of the preliminary findings, it does not appear, first of all, that the Company has informed the complainants about the possibility for it to carry out the described treatments.

It emerged, in fact, that neither the information model for employees (dated 25.5.2018; see Attachment 5, company note dated 22/3/2021) nor the "Rules for the use of corporate IT tools and services", IS6188 (dated 20/4/2015; see Annex 7, note cit.) contain information elements relating to the possibility for the Company to carry out, after the termination of the employment relationship, treatments of the type of those actually carried out in the case subject to the complaint.

In particular, with regard to the "Rules for the use of corporate IT tools and services", point 8.6 simply refers to what is established in another policy (which is not specifically indicated), while the information model says nothing about the correct management of email accounts.

Unlike what is claimed in the defense briefs, this document contains the provision of some prohibitions, without however indicating any type of controls prepared for their compliance. The indication, present in the document, that "IT Service personnel may at any time proceed with the removal of any file or application that they deem to be dangerous for security both on PCs and on network drives" refers in fact to a different case (for purposes and methods) from that implemented by the Company.

As regards, however, the document "OutBoarding Google APPS", IS6417 (dated 15/7/2015; see Annex 4, note from the Company cit.) this provides that "email is a company service and all messages, once the collaboration ceases, they will be forwarded to another company user upon notification by the service manager" and defines the "operating methods" for the "redirection of mail, its saving and automatic forwarding messages".

Given that from the examination of the document in question it is not possible to identify which messages, once the collaboration ceases, will be forwarded to another user (whether only those received following the termination of the relationship or whether also those received previously), nor for which specific purposes the account continues to operate through redirection (as will be highlighted later), it also emerged that these instructions were included in a list of documents, relating to the IT area, qualified as "official", through a communication of the Corporate Initiatives & Improvement manager sent on 27 July 2015.

On 11 March 2015, the Company sent to all employees, including complainants (via transmission to the XX domain), an email message in which it was made known that, starting from the previous 2 March, "all the information relating to official quality documentation and all communications of common interest" will be included in the "Quality Community", to which employees are invited to register (see Annex 3 of Annex 11, company note 15/2/2022).

These communications (dated 11 March and 27 July 2015) do not have any specific information content and are not suitable for representing to employees, even if only in summary form, at least the object and content of the policies contained in the Quality Community.

This is despite the fact that some salient elements should have been adequately highlighted by the Company, at least in relation to the document in question ("OutBoarding Google APPS", IS6417), given the consequences for the interested parties that this procedure entails.

Furthermore, it does not appear that the information relating to the presence of documentation and communications within the aforementioned section was sent again to employees after July 2015, also in order to underline the importance of examining (or re-examining) the content of the documents reported in the Community.

Nor could the actual knowledge of the procedures relating to the management of e-mail, after the termination of the employment relationship, have been achieved with the inclusion, in the document relating to the "Assignment and Authorization of transport of personal computers", among the notes, of the proposition: "The goods have been assigned to you for service reasons [...], for use in compliance with the Operational Instruction IS 6188" (see Annex 13, Company note 15/2/2022, relating to the forms signed by the complainants in June 2015), also considering that the last mentioned Instruction, as already noted above, does not contain specific information on the company policy relating to the management of e-mail after the termination of the employment relationship.

Nor is it possible to attribute specific informative value in this regard only to the "Induction training for new hires" sessions (see Annex 15, note cit.), also given that the item "Instructions" (without further specifications and considering that the specific Instructions mentioned above - IS6417 and IS6188 - are not mentioned among the reference documents of the various sessions) appears in a single training session lasting 1 hour, together with numerous other items.

The Guarantor has repeatedly reiterated that the employer has the duty to indicate to its employees and collaborators, in any case, clearly and in detail, what methods of use of the tools made available are considered correct and if, to what extent and with what methods controls are carried out, which must in any case comply with the principles of lawfulness (also with regard to the sector regulations regarding remote controls), proportionality and graduality (see Guidelines of the Guarantor for electronic mail and internet, Provision of 1/3/2007, n. 13, in Official Gazette n. 58 of 10/3/2007, web doc. n. 1387522).

What the Company represented on this point during the proceedings is not suitable to prove the fulfillment required by the rules.

In any case, it is acknowledged that the Company, during the proceeding, has adopted a new policy (revised on 6/21/2022) relating to the use of company IT tools and services.

In relation to the content of these documents, the Company is invited, pursuant to art. 57, par. 1, letter d) of the Regulation, to take into account what has been established by the Authority regarding the processing of data relating to employees' e-mail and web browsing, also with regard to the application of the regulations regarding remote controls and the prohibition of investigations on the opinions referred to in arts. 114 and 113 of the Code (in relation to art. 88 of the Regulation), most recently with the provisions of 1 December 2022, n. 409 (web doc. n. 9833530), 13 May 2021, n. 190 (web doc. n. 9669974) and 15 April 2021, n. 137 (web doc. no. 9670738).

The Company therefore failed to inform the complainants about the specific processing method, which was specifically carried out through the persistent activation of company email accounts, for a significant period of time after the termination of the employment relationship, and the redirection of the same on a different company account, with consequent access to external data and the content of messages received, in violation of the provisions of the art. 13 of the Regulation.

In this regard, it is noted that, in the context of an employment relationship, the obligation to inform the worker is an expression of the general principle of correctness of processing (art. 5, par. 1, letter a) of the Regulation).

3.3 Violation of art. 5, par. 1, letters b), c), e) and f) of the Regulation.

It therefore emerged that the individualized company accounts assigned to the complainants during the employment relationship were kept active by redirecting them to a different company account for a significant period of time - starting, respectively, from 29 March and from 20 May 2019 at least until 17 March 2021 - with consequent processing of the personal data contained therein by the Company, precisely as a result of the redirection, already before the assignment of the task to the party's expert (which appears to have been conferred by the company on 22/7/2019: see "Forensic technical report", defense briefs 28/6/2022, Attachment 27).

As regards the purposes of the processing and its methods, during the proceedings the Company did not produce any evidence referring to the specific elements which, immediately after the resignation of the complainants, would have caused the emergence of "numerous suspicions" regarding the correctness of the actions of the complainants themselves, with the consequent decision to adopt "extraordinary measures [...] with respect to [...] ordinary procedures for processing personal data", a circumstance which would have entailed "from the beginning" the carrying out of treatments aimed at the "specific purpose defense for judicial purposes" (see Company note 15/2/2022, p. 5).

In its defense briefs, the Company declared in this regard that the sole circumstance that the complainants (actually two of them, given that the third terminated his employment relationship approximately two months after them) had resigned, despite the long-standing employment relationship and the top role held, would have made the resignation "immediately suspicious" (see memoirs 29/7/2022, p. 2).

In reality, the resignation of the two complainants could not constitute, in itself, evidence of "suspicious" conduct, as it was an event that can ordinarily occur in a company structure, especially since in this case the complainants themselves had informed the company of their intention to start a new entrepreneurial activity.

The engagement of a firm specialized in forensic investigations, the examination of the results of that investigation and the initiation of court proceedings, which the Company cites in this regard, all came after the Company had adopted measures aimed at verifying, including by going back through the stored electronic correspondence, whether the complainants had already engaged during the employment relationship in activities preparatory to hypothetical unlawful conduct, whether other employees were involved in such activities, and whether the email accounts received further elements useful to corroborate the Company's suspicions (see "Technical Forensic Report", cit., p. 9: the Company "has entrusted the undersigned with a supplementary investigation, of a digital forensic type, in order to verify whether these subjects, before their resignation, had stolen documentation or company secrets or databases"; and defense briefs of 29/7/2022, p. 6).

Nor has the Company indicated the specific reasons why the processing (consisting in the capture of the content of the messages received) continued for a significant period of time (approximately two years), including beyond the commencement of proceedings before the competent judicial authority, bearing in mind also that the date on which the accounts were closed does not emerge from the documentation on file (see Company note of 15/2/2022, p. 3).

Therefore, the processing operations carried out by the Company on the complainants' company email accounts, in the absence of any indication of a specific, explicit and legitimate purpose, were carried out in violation of the principles of data minimization (art. 5, par. 1, letter c) of the Regulation), purpose limitation (art. 5, par. 1, letter b) of the Regulation) and storage limitation (art. 5, par. 1, letter e) of the Regulation) (to the same effect, see, on specific cases, the Authority's earlier decisions, most recently: Provision of 21 July 2022, no. 255, web doc. no. 9809466; Provision of 29 September 2021, no. 353, web doc. no. 9719914; Provision of 16 December 2021, no. 440, web doc. no. 9739653).

Furthermore, and more generally, since 2015 the Company has set out its own policy on the management of corporate email after the termination of the employment relationship, in the aforementioned document "OutBoarding Google APPS", IS6417, dated 15 July 2015 and "made official" on 27 July 2015 (see Annex 10, Company note of 15/2/2022).

With the aforementioned document, the Company has established that "all messages, once the collaboration has ceased, will be forwarded to another company user upon notification by the service manager".

Furthermore, "The head of the organization informs the IT office to whom the terminated employee's mail is to be forwarded and defines the time period. It is the responsibility of the IT office to provide for the redirection of the mail, its saving and the automatic forwarding message with the necessary indications" (point 3).

The "Automatic Forwarding Message" template is defined as follows: "We inform you that Eng. Mario Rossi is no longer part of our organization, and therefore this email address is no longer active. For any communication you can contact Eng. Mario Bianchi at the address [...]" (point 3). Furthermore, "the Google services administrator will forward the terminated employee's mail by accessing his Gmail profile and entering the forwarding account in the "Settings/Account Forwarding" tab, adding "keep the copy of GeicoSpa mail in the Inbox". In the "General" tab the above message will be applied by enabling the "automatic responder" for the time communicated by the head of the organization to which the former employee or former collaborator belonged" (point 4).

Therefore, under the procedure formalized by the Company and in use until the adoption of the new version of the document (21/6/2022), at the termination of the employment relationship the company accounts of former employees and former collaborators were, "upon notification by the service manager", "suspended/deactivated" and redirected to a different company user account, with the consequent possibility for those users to access the content of the "suspended" account.

This continued operation of the company account was provided for systematically and without any reference to specific purposes pursued by the former employer (in particular, to the purpose of protecting its rights should a risk situation arise, as declared in relation to the facts that are the subject of the complaint).

Furthermore, the duration of the processing carried out through redirection is not specified, since it is left to the "head of the organization" (not further identified), who is likewise responsible for setting the period during which the automatic reply message remains active.

On this last point, it is also noted that this message, addressed to third parties who send email to the account of the former employee or collaborator, by stating that "this email address is no longer active", leads them to believe that communications received on the account of a person who is no longer part of the organization are not brought to the Company's attention (especially as a different account is indicated for "any communication"), whereas in fact the communication is, as seen, redirected to (and therefore visible to) another employee, other than the user to whom the (individualized) email account had been assigned.

This procedure does not comply with the principles regarding the protection of personal data.

In particular, systematically keeping the company account assigned to the employee in operation even after the termination of the employment relationship, through redirection to the account of another company employee, in the absence of any specific, explicit and legitimate purpose, does not comply with the principles of data minimization (art. 5, par. 1, letter c) of the Regulation) and purpose limitation (art. 5, par. 1, letter b) of the Regulation).

Furthermore, the fact that the duration of the aforementioned processing is not determined on the basis of what is appropriate in relation to the purposes pursued, but is left to the decision of the "head of the organization", does not comply with the principle of storage limitation (art. 5, par. 1, letter e) of the Regulation).

The fact that the user to whom the account of the former employee or collaborator is to be redirected is not identified on the basis of specific assigned functions and instructions received, but on the indications of the "head of the organization", does not ensure the integrity and confidentiality of the data collected (as required by art. 5, par. 1, letter f) of the Regulation).

Finally, telling third-party senders of messages directed to the account of the former employee or collaborator, in the terms set out above, that "the email address is no longer active", thereby leading them to believe that their messages are not being processed by the Company, does not comply with the principle of fairness (art. 5, par. 1, letter a) of the Regulation).
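The deficiencies the Authority identifies in the IS6417 procedure (no stated purpose for the redirection, duration left to a manager, recipient not chosen by function, an autoresponder that denies the forwarding, no Article 13 notice) can be expressed as a checklist that an offboarding record either passes or fails. The following Python script is an added example, not part of the decision or of the Company's procedures; the record format, field names and both sample records are constructed for illustration, and the "remediated" record is an assumed compliant configuration, not the Company's 2022 policy.

```python
"""Audit mailbox offboarding records against the Article 5(1) and
Article 13 GDPR points applied in this decision.

Constructed example: the record layout, field names and sample data
are assumptions for illustration, not Geico's actual data or policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class OffboardingRecord:
    account: str                            # individualized company account
    terminated_on: date                     # last day of the employment relationship
    forwarding_enabled: bool                # "Settings/Account Forwarding" style redirection
    forward_to: Optional[str] = None        # receiving company account, if any
    recipient_chosen_by_role: bool = False  # target defined by assigned function, not ad hoc
    purpose: Optional[str] = None           # specific, explicit purpose documented for redirection
    retention_end: Optional[date] = None    # date on which the redirection must stop
    autoresponder: str = ""                 # text returned to third-party senders
    employee_informed: bool = False         # post-termination handling covered by the Art. 13 notice


def audit_offboarding(rec: OffboardingRecord, today: date) -> List[str]:
    """Return the provisions the record appears to breach, in check order.

    An empty list means no finding. The checks mirror the decision:
    purpose limitation and minimization (b, c), storage limitation (e),
    integrity and confidentiality (f), fairness (a), and information (Art. 13).
    """
    findings: List[str] = []
    if not rec.forwarding_enabled:
        # A suspended account with no redirection processes no new mail;
        # only the information duty can still be missed.
        if not rec.employee_informed:
            findings.append("Art. 13")
        return findings
    if not rec.purpose:
        # Systematic redirection with no specific, explicit purpose.
        findings.append("Art. 5(1)(b)")
        findings.append("Art. 5(1)(c)")
    if rec.retention_end is None or today > rec.retention_end:
        # Duration left undefined, or redirection still active past its end.
        findings.append("Art. 5(1)(e)")
    if not rec.recipient_chosen_by_role:
        # Recipient picked on a manager's say-so rather than by assigned function.
        findings.append("Art. 5(1)(f)")
    if "no longer active" in rec.autoresponder.lower():
        # Senders are told the address is dead while the mail is being read.
        findings.append("Art. 5(1)(a)")
    if not rec.employee_informed:
        findings.append("Art. 13")
    return findings


# Constructed record mirroring the IS6417 procedure as described in the decision.
LEGACY = OffboardingRecord(
    account="former.employee@example.com",
    terminated_on=date(2019, 3, 28),
    forwarding_enabled=True,
    forward_to="colleague@example.com",
    recipient_chosen_by_role=False,
    purpose=None,
    retention_end=None,
    autoresponder="We inform you that Eng. Mario Rossi is no longer part of our "
                  "organization, and therefore this email address is no longer active.",
    employee_informed=False,
)

# Constructed record of an assumed compliant procedure (not the Company's 2022 policy).
REMEDIATED = OffboardingRecord(
    account="former.employee@example.com",
    terminated_on=date(2019, 3, 28),
    forwarding_enabled=True,
    forward_to="sales-handover@example.com",
    recipient_chosen_by_role=True,
    purpose="Handover of pending customer correspondence",
    retention_end=date(2019, 4, 27),
    autoresponder="Eng. Mario Rossi has left the organization. Messages sent to this "
                  "address are forwarded to the sales handover mailbox until 27 April 2019.",
    employee_informed=True,
)

if __name__ == "__main__":
    print(audit_offboarding(LEGACY, date(2021, 3, 17)))
    print(audit_offboarding(REMEDIATED, date(2019, 4, 1)))
    print(audit_offboarding(REMEDIATED, date(2019, 5, 1)))
```

Run against the legacy record on 17 March 2021 (the last date on which access was evidenced) the audit returns all six findings the decision lists; the remediated record passes until its retention end and then fails only on storage limitation, which is the check an offboarding job should run daily to switch forwarding off.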

It is in any case noted, with reference to this conduct, that during the proceedings the Company adopted a new policy (revised on 21/6/2022), which also covers the management of company email after the termination of the employment relationship.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority finds that the declarations, documentation and reconstructions provided by the data controller during the investigation do not rebut the findings notified by the Office when initiating the procedure and are therefore insufficient to allow this proceeding to be dismissed, as none of the cases provided for by art. 11 of the Guarantor's Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company, and in particular the processing of data via company email and the processing carried out on the basis of mutual designations as data controller, is therefore unlawful, in the terms set out above, in relation to articles 5, par. 1, letters a), b), c), e), f), and 13 of the Regulation.

The violation ascertained, in the terms set out in the reasoning, cannot be considered "minor", taking into account the nature and seriousness of the violation, the degree of responsibility, and the way in which the supervisory authority became aware of the violation (see recital 148 of the Regulation).

Therefore, given the corrective powers conferred by art. 58, par. 2 of the Regulation, a pecuniary administrative sanction is imposed pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) of the Regulation).

Finally, it is recalled that pursuant to art. 160-bis of the Code "The validity, effectiveness and usability in judicial proceedings of deeds, documents and provisions based on the processing of personal data that does not comply with legal or regulatory provisions remain governed by the relevant procedural provisions".

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
At the end of the proceedings it appears that Geico S.p.A. has violated articles 5, par. 1, letters a), b), c), e), f) and 13 of the Regulation. For violations of the aforementioned provisions, the pecuniary administrative sanction provided for by art. 83, par. 5, letters a) and b) of the Regulation applies, through the adoption of an injunction order (art. 18, Law no. 689 of 24/11/1981).

It is considered necessary to apply art. 83, par. 3 of the Regulation, which provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation"; the total amount of the sanction is therefore calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying and quantifying the pecuniary administrative sanction, and taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is stated that, in this case, the following circumstances were considered:

a) in relation to the nature and severity of the violation, it was considered relevant that the violation concerned the general principles of processing (in particular the principles of fairness, purpose limitation, minimization, storage limitation, and integrity and confidentiality) and the obligation to provide information; the duration of the violation, approximately two years, was also considered (art. 83, par. 2, letter a) of the Regulation);

b) with regard to the degree of cooperation with the Supervisory Authority, it was considered that the Company consistently cooperated with the Guarantor during the procedure (art. 83, par. 2, letter f) of the Regulation);

c) in favor of the Company, the absence of previous violations regarding the protection of personal data was also taken into account (art. 83, par. 2, letter e) of the Regulation).

Taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must observe in determining the amount of the sanction (art. 83, par. 1 of the Regulation), the economic condition of the offender, determined on the basis of the revenues achieved by the Company according to the financial statements for the year 2021, is also considered relevant in this case.

In light of the elements indicated above and the assessments carried out, it is considered appropriate in this case to impose on Geico S.p.A. an administrative fine of 40,000 (forty thousand) euros.

In this framework it is also considered, in view of the type of violations ascertained, which concerned the general principles of processing (in particular the principles of fairness, purpose limitation, minimization, storage limitation, and integrity and confidentiality) and the information obligation, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also considered that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

ALL THE WHEREAS, THE GUARANTOR

notes the unlawfulness of the processing carried out by Geico S.p.A., in the person of its legal representative, with registered office in Via Pelizza da Volpedo 109/111, Cinisello Balsamo (MI), VAT no. 00688580968, pursuant to art. 143 of the Code, for the violation of articles 5, par. 1, letters a), b), c), e), f) and 13 of the Regulation;

ORDERS

Geico S.p.A., pursuant to art. 58, par. 2, letter i) of the Regulation, to pay the sum of 40,000 (forty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

ENJOINS

the same Company to pay the aforementioned sum of 40,000 (forty thousand) euros, in the manner indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981. It is noted that the offender remains entitled to settle the dispute by paying, again in the manner indicated in the annex, an amount equal to half of the sanction imposed, within the deadline set by art. 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011 for filing the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, by an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision, or sixty days if the appellant resides abroad.

Rome, 27 April 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei

[doc. web no. 9909235]

Provision of 27 April 2023

Register of measures
n. 171 of 27 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING REGARD to the complaint lodged pursuant to art. 77 of the Regulation by Messrs XX, XX and XX against Geico S.p.A.;

HAVING EXAMINED the documentation on file;

HAVING REGARD to the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the company and the investigative activity.

With a complaint dated 20 August 2020, Messrs XX, XX and XX complained of alleged violations of the Regulation by Geico S.p.A. (hereinafter, the Company), with reference to the processing of personal data carried out through the email accounts (XX, XX and XX) assigned to the complainants in the context of their employment relationship with the Company.

In particular, the complaint alleged that the Company kept the aforementioned email addresses active after the termination of the employment relationship and accessed their contents, at least until 17 March 2021 (as evidenced by the automatic security notifications from Google received by the data subjects: see the complainants' reply of 1/6/2021).

Part of the data thus processed was used in proceedings initiated by the Company before the competent ordinary judicial authority.

These processing operations on the company email accounts were allegedly carried out by the Company without providing the data subjects with the information required by art. 13 of the Regulation.

The Company, in responding to the Office's request for information with a note dated 22 March 2021, declared that:

a. "the disputed facts must be placed within the context of a much broader and more complex matter", in relation to which the Company has brought proceedings before the competent judicial authority (Court of Milan, Section specialized in business matters) against the complainants (note of 22/3/2021, p. 2);

b. "when GEICO became aware of the serious and irreparable danger in progress which risked compromising [...] the further continuation of its business activity, it was obliged to adopt extraordinary and exceptional measures with respect to its ordinary procedures for processing personal data" (note cit., p. 5);

c. "The accounts [assigned to the complainants] were deactivated at the end of March 2019 (referring to complainants XX and XX), the day after the relationship was terminated. As regards Mr. XX's account, it was deactivated in May 2019, the day after the termination of the relationship. Considering the serious illicit conduct carried out by the complainants [...] the usual "takeout" archiving activity was not carried out given the need to keep the evidentiary material contained in the respective mailboxes completely intact" (note cit., p. 5);

d. “access [to the accounts] was carried out [by the party's expert] exclusively for the protection of the rights [of the Company] in court” (cited note, p. 6);

e. "no facts or data relating to the private lives of others were discussed (or brought to court) (the emails in question dealt exclusively with work and professional matters)" (note cit., p. 8).

With a subsequent note dated 15 February 2022, sent in response to a request for further information formulated by the Office, the Company declared that:

a. "the company operating procedures [...] have been made official through company communications by sector managers. In particular, IS6417 was made official to all employees [...] on 27 July 2015" (note of 15/2/2022, pp. 1-2);

b. "all company procedures, including IS6188 (relating to Rules for the use of Corporate IT Tools and Services) and IS6417 (relating to OutBoarding Google Apps), were promptly and effectively disseminated [...] via communication transmitted to the XX domain" (note cit., p. 2);

c. again with reference to the specific ways in which the company policies on the correct use of company email and on the controls carried out by the Company were made known to the complainants, it was represented that the email of 2 March 2015 sent by the Human Resources function, also to one of the complainants, shows that "as per consolidated company practice [...], evidently well known to the complainants, all new hires are subjected to precise initial training and "induction" sessions, also in terms of [company] policy" (note cit., p. 6);

d. "as demonstrated by the Assignment and Authorization Forms for the Transport of Personal Computers [...] the complainants [...] have accepted and signed the commitment to comply with the operational instruction «Rules for the use of corporate IT tools and services» IS6188 [...]" (note cit., pp. 2-3);

e. "In a first phase, the accounts were suspended (deactivated) [...] the day following the termination of the relationship" (note cit., p. 3);

f. "In relation to the automatic forwarding mechanism [...] please refer to the procedure [...] IS6417 (OutBoarding Google Apps)" (note cit., p. 3);

g. "At the end of March 2019, the complainants communicated [...] to the then president [...] their intention to resign. They also communicated that they wished to set up a company for small-scale jobs. However, in the following days, contradictory behaviors were found [...], which generated [...] numerous suspicions" (note cit., p. 6);

h. "the processing carried out on the e-mail accounts of the complainants was therefore solely and exclusively motivated and aimed at the appropriate investigations and the strictly consequent and related defensive needs arising from the conduct of the complainants" (cit. note, p. 6);

i. "Annex 6 to the Report [of the party's expert] contained all the emails that passed through the accounts in question. [...] from the emails in question there emerged [...] a casual use (when not in conflict with company policies) of the work account [of the complainants] for subscribing to mailing lists that are absolutely not pertinent to the work activity (e.g. attributable to sites such as Volagratis, Marriot hotel etc.)" (note cit., p. 7);

j. "access to the mailboxes and use of the emails found there and produced in court before the Court of Milan was necessary, limited and circumscribed to the acquisition there [...]" (note cit., p. 7).

2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

On 28 June 2022, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to articles 5, par. 1, letters a), b), c), e), f) and 13 of the Regulation.

With defense briefs sent on 29 July 2022, the Company declared that:

a. "the conduct and data processing of the three Complainants [...] must necessarily be considered in the factual context and in the temporal succession in which all the relevant facts took place in the context of the specific relationship between [the Company] and the [complainants]" (note of 29/7/2022, p. 1);

b. the complainants "for over ten years, have held top and managerial positions within [the Company], which entrusted them, as an interface with customers and suppliers, with significant responsibilities regarding strategic sectors of the company" (note cit., p. 1);

c. "The top and managerial role and the duration of the Complainants' employment relationship for over ten years at [the Company] made their resignations [tendered on 28/3/2019] - voluntary and concurrent - immediately suspect" (note cit., p. 2);

d. the day following the resignation of two of the complainants (29/3/2019) the Company sent both of them a communication announcing the immediate termination of the employment relationship (from the date of the communication itself), recalling the content of art. 2598 of the Civil Code on unfair competition; on the same date, there would also have emerged "first indications of the theft of secrets and know-how, patent counterfeiting and unfair competition by the Complainants to the detriment of [the Company]" (note cit., p. 2 and Attachment 18);

e. on 18/4/2019, "proof of the theft of secrets and know-how, patent counterfeiting and unfair competition carried out by the Complainants to the detriment of [the Company]" emerged, consisting of an email sent by one of the complainants to a representative of a competing company, copied to the other two complainants (one of whom was still an employee of the Company at that time) (note cit., p. 2);

f. between 30/7 and 11/9/2019, "Technical-forensic investigation activity was carried out at [the Company by the party's expert]", who presented a first report on 18/10/2019 (note cit., p. 3 and Attachment 27);

g. "the complained-of processing implemented [by the Company] was immediately motivated exclusively by defensive purposes and the pre-constitution of evidence in the context of judicial proceedings - civil and criminal - which [the Company] actually [...] initiated" (note cit., p. 6);

h. the Company "had an interest, since its own competitiveness on the market and business continuity were at risk, in knowing which other subjects were involved and which and how much information and data had been stolen" (note cit., p. 6);

i. "With reference to the duration of the complained-of processing [...] for the entire duration of the precautionary proceedings (approximately 18 months, between the first and second precautionary instance) and for the period immediately following, [the Company] necessarily had to retain availability of all the evidence of the opposing party's violations" (note cit., p. 7);

j. "The chronology shown on page 5 of the Guarantor's provision of 28/6/2022 is incorrect with reference to the date of the engagement [of the party's expert]" (note cit., p. 7);

k. "an internal regulation called "Operational Instruction - Rules for using Company IT Tools and Services IS 6188" has been in force for some time now [...], which came into force on 20/4/2015 and is well known to the Complainants as it was delivered in paper copy to each employee and made available in electronic format on the Company's corporate intranet" (note cit., p. 8);

l. "assuming without conceding that [the Company] has processed personal data illicitly left, despite the current policies [...], on the mailboxes and company devices of today's Complainants (moreover, little more than the name and surname of the Complainants and some unauthorized registrations to travel newsletters...), this processing was done exclusively to obtain proof of the illicit acts" (note cit., p. 10);

m. "when GEICO became aware of the ongoing danger, which risked seriously and irreparably compromising the further continuation of its [...] entrepreneurial and commercial activity and competitiveness on the market, it was obliged to adopt rapid, extraordinary and exceptional [measures] compared to its ordinary procedures for processing personal data, in a situation of imminent, concrete and completely unusual danger for the company" (note cit., p. 15);

n. proceedings brought by the Company to protect its rights are currently pending against the complainants before the ordinary judicial authorities;

o. the Company has finally provided all the elements referred to in art. 83, par. 2 of the Regulation.

During the hearing, held on November 22, 2022, the Company finally declared that:

a. "following receipt of the complaint before the Guarantor filed by the Complainants, the Company, on 20 June 2020, adopted a new policy referring, in particular, to the use of company tools, including email, which took into account all the findings contained in the Guarantor's note";

b. "the Company has completed the activity of adapting to the regulations on the protection of personal data through the introduction of the figure of privacy contacts for each function as well as the establishment of a Privacy Committee and a Strategic Privacy Committee [...] as well as the adoption and/or updating of policies relating to the privacy of both employees and customers";

c. "With regard to the corporate communication methods, and in particular the "operational instructions" in force at the time of the facts which are the subject of the complaint, it should be noted that in 2015 a company intranet system was not yet active and communication took place through an invitation addressed to employees to join a company community";

d. “the complaint arises from an attempt by former employees to invalidate the evidence collected by the Company and used in pending proceedings in both civil and criminal proceedings. The Company acted exclusively to protect its rights in court. The Guarantor is therefore asked to take into account the general principle of self-defence, in the context of the balancing of the rights and interests underlying the event that gave rise to the complaint".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

3.1 Outcome of the investigation.

Upon examination of the declarations made to the Authority during the proceedings as well as the documentation acquired, it appears that the Company, as data controller, carried out some processing operations relating to the complainants which do not comply with the applicable rules on the protection of personal data.

In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

On the merits, it emerged that the Company kept the accounts assigned to the complainants during the employment relationship active for a significant period of time (at least until 17 March 2021), following their deactivation and simultaneous redirection to a different company address, starting from the day following the termination of the employment relationship (i.e., respectively, 29 March 2019 for two complainants and 20 May 2019 for the third).

The aforementioned accounts were later closed, albeit on an unspecified date, as communicated by the Company to the Authority on 15 February 2022.

This entailed the processing of personal data relating to the complainants and contained in the electronic correspondence present in the company account, within the meaning of the definitions of "personal data" and "processing" in art. 4, nos. 1 and 2 of the Regulation, which also cover data relating to work activity.

Furthermore, the Company itself declared that it had found and viewed communications of a non-work nature relating to mailing lists to which the complainants were apparently subscribed.

In this regard, it is recalled that, in accordance with the settled case law of the European Court of Human Rights, the protection of private life also extends to the workplace, considering that it is precisely in the performance of work and/or professional activities that relationships in which the worker's personality is expressed develop (see articles 2 and 41, paragraph 2, of the Constitution).

Also taking into account that the boundary between the work/professional sphere and the strictly private sphere cannot always be clearly drawn, the Court considers art. 8 of the European Convention on Human Rights, which protects private life, applicable without distinguishing between the private and professional spheres (see Niemietz v. Germany, 16.12.1992 (app. no. 13710/88), esp. par. 29; Copland v. United Kingdom, 04.03.2007 (app. no. 62617/00), esp. par. 41; Bărbulescu v. Romania [GC], 5.9.2017 (app. no. 61496/08), esp. par. 70-73; Antović and Mirković v. Montenegro, 28.11.2017 (app. no. 70838/13), esp. par. 41-42).

Therefore, data processing carried out using information technology in the context of the employment relationship must respect the fundamental rights and freedoms as well as the dignity of the data subject, so as to protect workers and third parties (see Recommendation CM/Rec(2015)5 of the Committee of Ministers to the Member States on the processing of personal data in the employment context, especially point 3).

With reference to the management of company accounts after the termination of the employment relationship, which is the subject of the complaint and of the Authority's investigation in this case, it also appears that the Company carried out such processing with regard to all former employees or former collaborators who had been assigned company accounts, in the terms described in the policy in force at the time of the facts (see, below, the provision for redirection "to another company user upon recommendation of the service manager" contained in "OutBoarding Google APPS", IS6417).

3.2 Violation of art. 5, par. 1, letter a) and art. 13 of the Regulation.

On the basis of the preliminary findings, it does not appear, first of all, that the Company informed the complainants of the possibility that it would carry out the processing described.

It emerged, in fact, that neither the information notice for employees (dated 25.5.2018; see Annex 5 of the company note dated 22/3/2021) nor the "Rules for the use of corporate IT tools and services", IS6188 (dated 20/4/2015; see Annex 7, note cit.) contain any information on the possibility for the Company to carry out, after the termination of the employment relationship, processing of the type actually carried out in the case subject of the complaint.

In particular, as regards the "Rules for the use of corporate IT tools and services", point 8.6 merely refers to what is established in another policy (which is not specifically identified), while the information notice says nothing about the correct management of email accounts.

Contrary to what is claimed in the defense briefs, that document sets out some prohibitions without, however, indicating any type of control put in place to verify compliance with them. The statement in the document that "IT Service personnel may at any time proceed with the removal of any file or application that they deem to be dangerous for security both on PCs and on network drives" in fact refers to a different case (in purposes and methods) from the one implemented by the Company.

As for the document "OutBoarding Google APPS", IS6417 (dated 15/7/2015; see Annex 4, Company note cit.), this provides that "email is a company service and all messages, once the collaboration ceases, will be forwarded to another company user upon notification by the service manager" and defines the "operating methods" for the "redirection of mail, its saving and the automatic forwarding message".

Leaving aside the fact that the document in question does not make it possible to identify which messages, once the collaboration ceases, will be forwarded to another user (whether only those received after the termination of the relationship or also those received previously), nor for which specific purposes the account continues to operate through redirection (as will be highlighted below), it also emerged that these instructions were included in a list of documents, relating to the IT area, qualified as "official" by a communication from the Corporate Initiatives & Improvement manager sent on 27 July 2015.

On 11 March 2015, the Company sent to all employees, including the complainants (via transmission to the XX domain), an email message announcing that, starting from the previous 2 March, "all the information relating to official quality documentation and all communications of common interest" would be placed in the "Quality Community", to which employees were invited to register (see Annex 3 of Annex 11, company note of 15/2/2022).

These communications (of 11 March and 27 July 2015) have no specific informative content and are not suited to convey to employees, even in summary form, at least the subject and content of the policies contained in the Quality Community.

This is despite the fact that some salient elements should have been adequately highlighted by the Company, at least in relation to the document in question ("OutBoarding Google APPS", IS6417), given the consequences that this procedure entails for the data subjects.

Furthermore, it does not appear that the information on the presence of documentation and communications in the aforementioned section was sent to employees again after July 2015, for instance to underline the importance of examining (or re-examining) the content of the documents posted in the Community.

Nor could actual knowledge of the procedures for the management of e-mail after the termination of the employment relationship have been achieved by including, among the notes of the document on the "Assignment and Authorization of transport of personal computers", the sentence "The goods have been assigned to you for service reasons [...], for their use comply with Operational Instruction IS 6188" (see Annex 13, Company note of 15/2/2022, relating to the forms signed by the complainants in June 2015), also considering that the latter Instruction, as already noted above, does not contain specific information on the company policy on the management of e-mail after the termination of the employment relationship.

Nor can specific informative value in this regard be attributed solely to the "Induction training for new hires" sessions (see Annex 15, note cit.), given also that the item "Instructions" (without further specification, and considering that the specific Instructions mentioned above, IS6417 and IS6188, are not listed among the reference documents of the various sessions) appears in a single training session lasting one hour, together with numerous other items.

The Guarantor has repeatedly reiterated that the employer has the duty to indicate to its employees and collaborators, in any case clearly and in detail, which methods of use of the tools made available are considered correct and whether, to what extent and by what methods controls are carried out, which must in any case comply with the principles of lawfulness (also with regard to the sector rules on remote controls), proportionality and graduality (see Guidelines of the Guarantor on e-mail and internet, Provision of 1/3/2007, no. 13, in Official Gazette no. 58 of 10/3/2007, web doc. no. 1387522).

What the Company submitted on this point during the proceedings is not sufficient to prove fulfilment of the obligation required by the rules.

In any case, it is acknowledged that the Company, during the proceedings, adopted a new policy (revised on 21/6/2022) on the use of company IT tools and services.

With regard to the content of these documents, the Company is invited, pursuant to art. 57, par. 1, letter d) of the Regulation, to take into account what the Authority has established on the processing of data relating to employees' e-mail and web browsing, also with regard to the application of the rules on remote controls and the prohibition of investigations into opinions referred to in articles 114 and 113 of the Code (in relation to art. 88 of the Regulation), most recently in the provisions of 1 December 2022, no. 409 (web doc. no. 9833530), 13 May 2021, no. 190 (web doc. no. 9669974) and 15 April 2021, no. 137 (web doc. no. 9670738).

The Company therefore failed to inform the complainants of the specific processing method actually adopted, namely keeping the company email accounts active for a significant period of time after the termination of the employment relationship and redirecting them to a different company account, with consequent access to the external data and the content of the messages received, in violation of art. 13 of the Regulation.

In this regard, it is noted that, in the context of an employment relationship, the obligation to inform the worker is an expression of the general principle of fairness of processing (art. 5, par. 1, letter a) of the Regulation).

3.3 Violation of art. 5, par. 1, letters b), c), e) and f) of the Regulation.

It also emerged that the individual company accounts assigned to the complainants during the employment relationship were kept active by redirecting them to a different company account for a significant period of time (starting, respectively, from 29 March and from 20 May 2019, at least until 17 March 2021), with consequent processing of the personal data contained therein by the Company, precisely as a result of the redirection, even before the engagement of the Company's expert (which appears to have been conferred by the Company on 22/7/2019: see "Forensic technical report", defense briefs of 28/6/2022, Annex 27).

As regards the purposes of the processing and its methods, during the proceedings the Company did not produce any evidence of the specific elements which, immediately after the resignation of the complainants, would have given rise to "numerous suspicions" about the correctness of the complainants' conduct, leading to the decision to adopt "extraordinary measures [...] with respect to [...] ordinary procedures for processing personal data", a circumstance which would have entailed "from the beginning" processing aimed at the "specific purpose of defence in judicial proceedings" (see Company note of 15/2/2022, p. 5).

In its defense briefs, the Company declared in this regard that the mere circumstance that the complainants (actually two of them, given that the third terminated his employment relationship approximately two months after them) had resigned despite their long-standing employment relationship and the senior role they held would have made the resignation "immediately suspicious" (see briefs of 29/7/2022, p. 2).

In reality, the resignation of the two complainants could not in itself constitute evidence of "suspicious" conduct, since it is an event that can ordinarily occur in a company structure, all the more so since in this case the complainants themselves had informed the Company of their intention to start a new entrepreneurial activity.

The engagement of a firm specialized in forensic investigations, the examination of the results of the investigation and the initiation of court proceedings, cited in this regard by the Company, all came after the Company had adopted measures aimed at verifying, also by going back through the stored electronic correspondence, whether the complainants had already during the employment relationship carried out activities with a view to hypothetical unlawful conduct, whether other employees were involved in such activities and whether the e-mail addresses would yield further elements useful to corroborate the Company's suspicions (see "Technical Forensic Report", cit., p. 9: the Company "entrusted the undersigned with a supplementary investigation, of a digital forensic type, in order to verify whether these subjects, before their resignation, had stolen documentation or company secrets or databases", and defense briefs of 29/7/2022, p. 6).

Nor has the Company indicated the specific reasons why the processing, consisting in the acquisition of the content of the messages received, continued for a significant period of time (approximately two years), among other things beyond the initiation of proceedings before the competent judicial authority, also considering that the date on which the accounts were closed does not emerge from the documentation produced (see Company note of 15/2/2022, p. 3).

Therefore, the processing operations carried out by the Company on the complainants' company email accounts, in the absence of any indication of a specific, explicit and legitimate purpose pursued, were carried out in violation of the principles of data minimization (art. 5, par. 1, letter c) of the Regulation), purpose limitation (art. 5, par. 1, letter b) of the Regulation) and storage limitation (art. 5, par. 1, letter e) of the Regulation) (to the same effect, see, in relation to specific cases, previous decisions of the Authority, most recently: Provision of 21 July 2022, no. 255, web doc. no. 9809466; Provision of 29 September 2021, no. 353, web doc. no. 9719914; Provision of 16 December 2021, no. 440, web doc. no. 9739653).

Furthermore, and more generally, the Company had established since 2015, in general terms, its own policy on the management of corporate email after the termination of the employment relationship, through the aforementioned document "OutBoarding Google APPS", IS6417, dated 15 July 2015 and made "official" on 27 July 2015 (see Annex 10, company note of 15.2.2022).

With that document, the Company established that "all messages, once the collaboration has ceased, will be forwarded to another company user upon notification by the service manager".

Furthermore, "The head of the organization informs the IT office to whom to forward the terminated employee's mail and defines the time period. It is the responsibility of the IT office to carry out the redirection of mail, its saving and the automatic forwarding message with the necessary indications" (point 3).

The "Automatic Forwarding Message" template is defined as follows: "We inform you that Eng. Mario Rossi is no longer part of our organization, and therefore this email address is no longer active. For any communication you can contact Eng. Mario Bianchi at the address [...]" (point 3). Furthermore, "the Google services administrator will forward the terminated employee's mail by accessing his Gmail profile and entering the forwarding account in the 'Settings/Account Forwarding' tab, adding 'keep a copy of GeicoSpa mail in the Inbox'. In the 'General' tab the above message will be applied by enabling the 'automatic responder' for the time communicated by the manager of the organization to which the former employee or former collaborator belonged" (point 4).

Therefore, under the procedure formalized by the Company and in use until the adoption of the new version of the document (21/6/2022), at the time of termination of the employment relationship the company accounts of former employees and former collaborators were, "on report from the service manager", "suspended/deactivated" and redirected to the account of a different company user, with the consequent possibility for those users to access the content of the "suspended" account.

This continued activity of the company account was provided for in a systematic manner and without any reference to specific purposes pursued by the former employer (in particular, to the purpose declared in relation to the facts subject of the complaint, namely protecting its rights upon the occurrence of risk situations).

Furthermore, the duration of the processing carried out through redirection is not specified, since its definition is left to the "entity manager" (not further identified), just as the same "manager" is responsible for establishing the activation time of the automatic reply message.

In this last regard, it is also noted that this message, intended for third parties who send e-mail to the account of the former employee or collaborator, by stating that "this email address is no longer active" leads them to believe that a communication received on the account of a person who is no longer part of the organization is not brought to the Company's attention (also because a different account is indicated for sending "any communication"), whereas the communication, as seen, is in fact redirected to (and therefore visible by) another employee, other than the user to whom the (individual) email account had been assigned.

This procedure does not comply with the principles regarding the protection of personal data.

In particular, the systematic continued activity of the company account originally assigned, even after the termination of the employment relationship, through redirection to the account of another company employee, in the absence of any indication of a specific, explicit and legitimate purpose pursued, does not comply with the principles of data minimization (art. 5, par. 1, letter c) of the Regulation) and purpose limitation (art. 5, par. 1, letter b) of the Regulation).

Furthermore, the fact that the duration of the aforementioned processing is not determined on the basis of what is appropriate in relation to the purposes pursued, but is instead left to the decision of the "entity manager", does not comply with the principle of storage limitation (art. 5, par. 1, letter e) of the Regulation).

The provision whereby the user to whom the account of the former employee or collaborator is redirected is not identified on the basis of specific functions assigned and instructions received, but rather on the basis of the indications of the "entity manager", does not ensure the integrity and confidentiality of the data collected (as required by art. 5, par. 1, letter f) of the Regulation).

Finally, the statement to third-party senders of messages addressed to the account of the former employee or collaborator, in the terms set out above, that "the email address is no longer active", which leads those third parties to believe that their messages are not being processed by the Company, does not comply with the principle of fairness (art. 5, par. 1, letter a) of the Regulation).
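As an added illustration, which is not part of the decision or of the Company's procedure, the following Python script models the forwarding rule described above beside a version that records the elements the Authority finds missing, and audits both against the principles cited. The addresses, the end date and auto-reply wording of the corrected rule, and the keyword heuristic for the auto-reply are assumptions; only the 29 March 2019 and 17 March 2021 dates and the IS6417 auto-reply text come from the decision.

```python
"""Audit of mailbox forwarding set up when an employee leaves (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DOMAIN = "example.com"  # constructed sample domain, not the Company's

# Phrases that tell a sender another person will actually read the message (assumed list).
DISCLOSURE_TERMS = ("forwarded", "redirected", "will be read", "handled by")


@dataclass(frozen=True)
class ForwardingRule:
    """One post-termination forward, as an IT office would record it."""
    account: str
    forward_to: str
    started: date                      # day forwarding began (day after termination)
    ends: Optional[date]               # documented end of forwarding; None = left undefined
    purpose: Optional[str]             # specific, explicit purpose; None = none stated
    recipient_function: Optional[str]  # function that justifies the recipient's access
    auto_reply: str


def reply_is_truthful(text: str) -> bool:
    """False when the auto-reply says the address is inactive yet hides that mail is read by someone."""
    t = text.lower()
    claims_inactive = "no longer active" in t or "not active" in t or "deactivated" in t
    discloses = any(term in t for term in DISCLOSURE_TERMS)
    return discloses or not claims_inactive


def days_active(rule: ForwardingRule, today: date) -> int:
    """Days the former employee's mail has been flowing to someone else."""
    return (today - rule.started).days


def audit_rule(rule: ForwardingRule, today: date) -> List[Tuple[str, str]]:
    """Return (GDPR article, finding) pairs mirroring the points made in the decision."""
    findings: List[Tuple[str, str]] = []
    if not rule.purpose:
        findings.append(("5(1)(b)", f"{rule.account}: no specific, explicit purpose recorded for keeping the account redirected"))
    if rule.ends is None:
        findings.append(("5(1)(e)", f"{rule.account}: no end date; duration left to a manager's discretion"))
    elif today > rule.ends:
        findings.append(("5(1)(e)", f"{rule.account}: forward still active {(today - rule.ends).days} days after its documented end"))
    if not rule.recipient_function:
        findings.append(("5(1)(f)", f"{rule.account}: recipient {rule.forward_to} not chosen on the basis of an assigned function"))
    if not reply_is_truthful(rule.auto_reply):
        findings.append(("5(1)(a)", f"{rule.account}: auto-reply tells senders the address is inactive while mail is read by {rule.forward_to}"))
    return findings


# Forward configured as under the IS6417 procedure: recipient and duration decided by an
# unnamed manager, no purpose, auto-reply from the decision saying the address is inactive.
AS_IN_DECISION = ForwardingRule(
    account=f"former.employee@{DOMAIN}",
    forward_to=f"colleague@{DOMAIN}",
    started=date(2019, 3, 29),  # date the decision gives for two of the complainants
    ends=None,
    purpose=None,
    recipient_function=None,
    auto_reply=("We inform you that Eng. Mario Rossi is no longer part of our organization, "
                "and therefore this email address is no longer active. For any communication "
                "you can contact Eng. Mario Bianchi."),
)

# The same forward with the elements the decision finds missing (all values assumed).
CORRECTED = ForwardingRule(
    account=f"former.employee@{DOMAIN}",
    forward_to=f"sales-team@{DOMAIN}",
    started=date(2019, 3, 29),
    ends=date(2019, 6, 27),  # 90-day window fixed in the offboarding record
    purpose="Respond to open customer requests addressed to the former account holder",
    recipient_function="shared mailbox of the team that took over the customer accounts",
    auto_reply=("Mario Rossi has left the company. Until 27 June 2019 messages sent to this address "
                "are forwarded to and read by the sales team; after that date they are no longer delivered."),
)

if __name__ == "__main__":
    observed = date(2021, 3, 17)  # last date the decision says the accounts were still active
    print(f"active for {days_active(AS_IN_DECISION, observed)} days")
    for article, finding in audit_rule(AS_IN_DECISION, observed):
        print(f"art. {article}: {finding}")
    print("corrected rule findings:", audit_rule(CORRECTED, date(2019, 5, 1)))
```

Run periodically against the mail system's forwarding records, the audit flags lingering forwards in time rather than years later.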

With reference to this conduct too, it is in any case acknowledged that the Company, during the proceedings, adopted a new policy (revised on 21/6/2022) also covering the management of company email after the termination of the employment relationship.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority considers that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the proceedings, and are therefore unsuitable to allow the dismissal of these proceedings, as none of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company, and in particular the processing of data via company email and the processing carried out on the basis of mutual designations as data controller, is therefore unlawful, in the terms set out above, in relation to art. 5, par. 1, letters a), b), c), e), f) and art. 13 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature and seriousness of the violation itself, the degree of responsibility, and the way in which the supervisory authority became aware of the violation (see recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, a pecuniary administrative sanction is imposed pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) of the Regulation).

Finally, it is recalled that pursuant to art. 160-bis of the Code "The validity, effectiveness and usability in judicial proceedings of deeds, documents and provisions based on the processing of personal data that does not comply with legal or regulatory provisions remain governed by the relevant procedural provisions".

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings it appears that Geico S.p.A. has violated art. 5, par. 1, letters a), b), c), e), f) and art. 13 of the Regulation. For violations of the aforementioned provisions, the pecuniary administrative sanction provided for by art. 83, par. 5, letters a) and b) of the Regulation applies, through the adoption of an injunction order (art. 18, Law no. 689 of 24.11.1981).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation, which provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the legal maximum provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and determining its amount, and taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is stated that, in this case, the following circumstances were considered:

a) in relation to the nature and severity of the violation, the nature of the violation, which concerned the general principles of processing (in particular the principles of fairness, purpose limitation, minimization, storage limitation and integrity and confidentiality) and the duty to inform, was considered relevant; the duration of the violation, approximately two years, was also considered (art. 83, par. 2, letter a) of the Regulation);

b) with regard to the degree of cooperation with the Supervisory Authority, it was considered that the Company cooperated consistently with the Guarantor during the proceedings (art. 83, par. 2, letter f) of the Regulation);

c) in favor of the Company, the absence of previous violations in the field of personal data protection was also taken into account (art. 83, par. 2, letter e) of the Regulation).

It is also considered that, in this specific case, and taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must observe in determining the amount of the sanction (art. 83, paragraph 1, of the Regulation), relevance is assumed first of all by the economic conditions of the offender, determined on the basis of the revenues achieved by the Company according to the financial statements for the year 2021.

In light of the elements indicated above and the assessments carried out, it is considered appropriate, in this case, to apply to Geico S.p.A. the administrative sanction of payment of a sum equal to 40,000 (forty thousand) euros.

In this framework it is also considered, in view of the type of violations ascertained, which concerned the general principles of processing (in particular the principles of fairness, purpose limitation, minimization, storage limitation and integrity and confidentiality) and the duty to inform, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of Guarantor Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also considered that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

HAVING REGARD TO ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing carried out by Geico S.p.A., in the person of its legal representative, with registered office in Via Pelizza da Volpedo 109/111, Cinisello Balsamo (MI), VAT no. 00688580968, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, letters a), b), c), e), f) and art. 13 of the Regulation;

ORDERS

Geico S.p.A., pursuant to art. 58, par. 2, letter i) of the Regulation, to pay the sum of 40,000 (forty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

ENJOINS

the same Company, therefore, to pay the aforementioned sum of 40,000 (forty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981. It is recalled that the offender may settle the dispute by paying, again according to the methods indicated in the annex, an amount equal to half of the sanction imposed, within the deadline set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

DIRECTS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of Guarantor Regulation no. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, by filing an application with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 27 April 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei