Garante per la protezione dei dati personali (Italy) - 10110927

| Field | Value |
|---|---|
| Authority | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction | Italy |
| Relevant Law | Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR, Article 17 GDPR |
| Type | Complaint |
| Outcome | Upheld |
| Started | |
| Decided | 16.01.2025 |
| Published | |
| Fine | 8,000 EUR |
| Parties | Sicurnet Liguria s.r.l. |
| National Case Number/Name | 10110927 |
| European Case Law Identifier | n/a |
| Appeal | Unknown |
| Original Language(s) | Italian |
| Original Source | Garante per la protezione dei dati personali (in IT) |
| Initial Contributor | ligialagev |
The DPA fined a company €8,000 for keeping a former employee's personalised email account active, with incoming mail forwarded to another company address, for months after the employment ended, and for failing to respond to his erasure and access requests.
English Summary
Facts
The data subject was an employee of Sicurnet Liguria s.r.l., the controller. His employment ended on 30 September 2021. On 7 and 9 June 2022 he sent the controller two requests asking for the deletion of his personalised company email account under Article 17 GDPR. In the request of 9 June 2022 he also asked to receive any messages that had arrived at that account since 1 October 2021 which were not strictly related to his previous work activity; the DPA treated this as an access request under Article 15 GDPR.
The controller did not respond to either request. The data subject therefore lodged a complaint with the DPA on 29 July 2022.
Only after the DPA invited it to respond on 9 March 2023 did the controller reply, on 8 June 2023, stating that the account had been deactivated some time earlier. It argued that it had not processed any personal data of the data subject: the account had been created solely to give customers a point of contact within the company, and the presence of the data subject's initial and surname in the address was not a relevant element for the application of the GDPR.
In further correspondence with the DPA, the controller explained that after the employment ended it had continued to check the correspondence received on the account and had enabled a domain-level "non-existent recipients" function that automatically forwarded all incoming emails to a different, constantly monitored company address. It had deliberately not enabled the option that notifies the sender that the recipient no longer exists, because that would have rejected the messages. The controller could not establish the date on which the account was finally deleted, but it was undisputed that the account remained active at least until the data subject's requests of June 2022, roughly nine months after the employment ended.
Holding
The DPA found multiple violations of the GDPR by the controller.
First, the DPA held that the controller violated Articles 12, 15 and 17 GDPR by failing to respond to the data subject's requests. The controller neither replied within the one-month period set by Article 12(3) GDPR nor informed the data subject of any reasons for not acting on the requests, as Article 12(4) GDPR requires; during the investigation it only referred generically to organisational needs following the data subject's sudden departure. The DPA referred to the EDPB Guidelines 01/2022 on data subject rights - Right of access, which state that a controller refusing, in whole or in part, to act on an access request must inform the data subject of the reasons without delay and at the latest within one month of receiving the request, together with the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Second, the DPA found that by keeping the data subject's personalised email account active after the employment ended and forwarding incoming communications to another company address, without any specific, explicit and legitimate purpose, the controller violated the principles of purpose limitation (Article 5(1)(b) GDPR), data minimisation (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR). Contrary to the controller's claims, handling a personalised email account and accessing all the incoming and outgoing communications in it inevitably amounts to processing the account holder's personal data, which is not limited to the surname in the address; the content of the messages, their external data and attachments are also correspondence protected by Articles 2 and 15 of the Italian Constitution. The DPA recalled its established position that, after the employment relationship ends, the controller should deactivate and then remove the account, using automatic systems that inform third parties and give them alternative addresses, while taking measures to prevent incoming messages from being viewed while that automatic system runs; the purpose the controller invoked (managing customer relations) could have been achieved in this less intrusive way. The DPA also rejected the controller's reliance on the employee's consent to the use of an address bearing his surname: no such consent had been evidenced, and in any case consent is unlikely to be freely given within the employment relationship.
Third, the DPA found that the controller violated the principles of fairness (Article 5(1)(a) GDPR) and transparency (Article 13 GDPR) by failing to provide adequate information to the data subject about the processing of his email account. The company's internal regulations, which the data subject had signed, contained no reference to the use of email accounts or to the closure/deletion of accounts when an employee leaves, and the controller's reply of 8 June 2023, copied to the data subject during the DPA proceedings, could not make up for this, since the information must be provided at the time the data are obtained.
Based on these violations the DPA imposed a fine of €8,000 on the controller.
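As an added illustration (this code is not part of the decision, of the GDPRhub page, or of the company's systems), the following Python model contrasts the two mailbox-offboarding configurations the decision discusses: the domain-level catch-all forward the company used, which hands every incoming message to a monitored mailbox, and the deactivate-then-respond pattern the Garante has accepted in earlier decisions, which tells senders the address is closed and names an alternative contact without delivering or keeping the message. It also records a deletion date and flags accounts kept beyond a retention window, since the company could not say when the account was deleted. The class and function names, the 30-day responder and 90-day retention windows, the addresses and the sample message are all assumptions of the example, not facts from the decision.

```python
# Added example (not part of the Garante decision or GDPRhub page): a model of the two
# mailbox-offboarding configurations the decision contrasts. Names, field names, the
# 30/90-day windows, the addresses and the sample message are this example's own assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Mailbox:
    address: str
    owner_left: date                      # last day of the employment relationship
    login_disabled: bool = False
    alternative: Optional[str] = None     # contact offered to third parties
    responder_until: Optional[date] = None
    deleted_on: Optional[date] = None     # recorded so the storage period is auditable


@dataclass
class Outcome:
    delivered_to: Optional[str]           # mailbox that received the full message, if any
    notice_to_sender: Optional[str]       # what the sender is told, if anything
    body_retained: bool                   # does the employer keep or see the content?


def catch_all_forward(msg: Message, monitored: str) -> Outcome:
    """The company's setup: a domain-level 'non-existent recipients' rule forwards every
    message, body included, to a monitored address. The sender learns nothing and the
    employer reads the former employee's incoming correspondence."""
    return Outcome(delivered_to=monitored, notice_to_sender=None, body_retained=True)


def closed_mailbox_responder(msg: Message, box: Mailbox, today: date) -> Outcome:
    """The pattern the Garante treats as compliant: third parties are told the address is
    closed and given an alternative contact for a bounded period, while the message itself
    is neither delivered nor stored, so nobody views its content."""
    if box.responder_until is not None and today <= box.responder_until:
        notice = (f"{box.address} is no longer in use. "
                  f"Please update your records and contact {box.alternative}.")
    else:
        notice = f"Unknown recipient: {box.address}."  # plain rejection once the window ends
    return Outcome(delivered_to=None, notice_to_sender=notice, body_retained=False)


def offboard(box: Mailbox, alternative: str, today: date, responder_days: int = 30) -> Mailbox:
    """Day-of-departure steps: disable login, publish the alternative contact and fix the
    date after which the responder is switched off."""
    box.login_disabled = True
    box.alternative = alternative
    box.responder_until = today + timedelta(days=responder_days)
    return box


def retire(box: Mailbox, today: date) -> Mailbox:
    """Delete the account and record when, so the storage period can be evidenced."""
    box.deleted_on = today
    return box


def audit(boxes: List[Mailbox], today: date, max_days: int = 90) -> List[str]:
    """Flag leavers' accounts still present, or deleted only after, more than max_days
    from departure (the decision found about nine months with no traceable deletion date)."""
    findings = []
    for box in boxes:
        age = ((box.deleted_on or today) - box.owner_left).days
        if age > max_days:
            state = (f"deleted after {age} days" if box.deleted_on
                     else f"still present after {age} days, no deletion date")
            findings.append(f"{box.address}: {state}")
    return findings


def demo() -> Dict[str, object]:
    """Run both policies on a constructed inbound message; all values are illustrative."""
    msg = Message("client@example.net", "former.employee@example.com",
                  "Contract renewal", "Hi, here is the signed contract and my new phone number.")
    box = offboard(Mailbox("former.employee@example.com", date(2021, 9, 30)),
                   alternative="info@example.com", today=date(2021, 9, 30))
    forwarded = catch_all_forward(msg, "monitored@example.com")
    bounced = closed_mailbox_responder(msg, box, date(2021, 10, 5))      # inside the window
    after_window = closed_mailbox_responder(msg, box, date(2021, 12, 1))  # window expired
    retire(box, date(2021, 10, 30))                                       # deleted on schedule
    never_deleted = Mailbox("other.leaver@example.com", date(2021, 9, 30))
    findings = audit([box, never_deleted], today=date(2022, 6, 7))
    return {"forwarded": forwarded, "bounced": bounced,
            "after_window": after_window, "findings": findings}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point of the contrast is the `body_retained` flag: the catch-all forward is the only path on which the former employee's correspondence becomes readable by the employer, which is the conduct the decision found disproportionate, while the responder achieves the declared purpose (customers learn whom to contact) without it. The audit function makes the missing deletion date a finding in its own right, because a controller that cannot say when an account was removed cannot evidence its storage period.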
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10110927]

Provision of 16 January 2025

Register of provisions no. 8 of 16 January 2025

THE GARANTE FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, "Regulation");

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter "Code");

HAVING SEEN the complaint submitted pursuant to art. 77 of the Regulation by Mr. XX against Sicurnet Liguria s.r.l.;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Garante no. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the Company and the investigative activity.

By complaint dated 29 July 2022, Mr. XX represented to this Authority that on 7 June 2022 and 9 June 2022 he had sent Sicurnet Liguria S.r.l. (hereinafter, the Company) a request to exercise the right to erasure of the XX company email account, pursuant to art. 17 of the Regulation, given that his employment relationship with the Company had ended on 30 September 2021, and that he had received no response from the Company. In the request dated 9 June 2022 he also asked to "receive any email messages received from 1 October 2021 to today that are not strictly related to my previous work activity". On 8 June 2023, following an invitation to respond sent by the Department on 9 March 2023, the Company sent its reply, also to the complainant.
On that occasion the Company stated that: "the account [assigned to the complainant] has been deactivated for some time and, consequently, is no longer active" (see note 8/6/2023 cit., p. 1); "in his complaint, the [complainant] makes an express reference to the «company email address» [...] this is because the email address indicated above had been set up by Sicurnet Liguria s.r.l. for the purpose of providing its customers with a reference within the company, with which to deal for any need arising from the collaboration: the management of this address was entrusted to the [complainant] who, always in the name and on behalf of Sicurnet Liguria s.r.l., used it exclusively for purposes relating to the business activity of the company that employed him, which is not aware that the [complainant] used it for personal purposes" (see note cit., pp. 1-2); "after the termination of the employment relationship with the [complainant], Sicurnet Liguria s.r.l. needed to manage the email address for the sole purpose of collecting communications received from various customers, for the time necessary to handle them through a different address" (see note cit., p. 2); "during this period no email was ever sent from the email address indicated above; the postponement of its closure was necessary because all the customers who over the years had dealt with Sicurnet Liguria s.r.l. through the [complainant] as a collaborator/employee of the company had that address as a point of reference; this element, in addition to being a logical consequence of the relationships that develop between customers and the company, necessarily led to a non-immediate cancellation of the account since, also for reasons of prevention, the communications that arrived at the aforementioned address after the termination of the employment relationship with the [complainant] were answered from another email address, with which customers were advised to update their records, and they were also told to replace it with a new email address belonging to another employee who, to date, still works within the structure of Sicurnet Liguria s.r.l." (see note cit., p. 3); the Company "did not process any personal data of the [complainant] either before or after the termination of the employment relationship; the indication of the initial of the first name and the surname of the [complainant] in the «name» part of the email address does not constitute a relevant element for the purposes of applying the [data protection] legislation, given that the hosting «sicurnetliguria.it» demonstrates the creation and use of the mailbox for the exclusive purposes of the company" (see note cit., pp. 3-4).

On 28 July 2023, following a request for information pursuant to art. 157 of the Code, formulated by the Department on 28 June 2023, the Company further represented that:
- with regard to the specific reasons why the Company did not respond, within the terms set out in art. 12 of the Regulation, to the requests for the exercise of rights presented by the complainant on 7 June 2022 and 9 June 2022, "the working relationship between Sicurnet Liguria s.r.l. and the [complainant] was interrupted, by decision of the same [complainant], suddenly. Sicurnet Liguria s.r.l. had the need to reorganize its structure, also in order to acquire the necessary knowledge of the elements pertaining to the relationships with the numerous customers who were managed through the [complainant]; these tasks required efforts made in the necessary time. Furthermore, Sicurnet Liguria s.r.l. had the need to study in depth the legal aspects inherent to the relationship with the [complainant], also in relation to distinct circumstances unrelated to the employment contract" (see note 28/07/2023 cit., p. 1);
- "with regard to the cancellation of the account in question, it is unfortunately not possible to trace the exact date of its elimination" (see note cit., p. 2);
- "after the termination of the employment relationship with the [complainant], the email account was used only to check the correspondence received. This was necessary to manage the numerous communications received from various customers and suppliers" (see note cit., p. 3);
- "when the [complainant]'s email inbox was deactivated, a function was activated in the general management panel of the domain's mailboxes, called 'non-existent recipients', through which all incoming emails were automatically forwarded to a specific email address that was constantly monitored" (see note cit., p. 3);
- "Sicurnet Liguria s.r.l. could also have adopted the additional option under which the sender receives a notification that the message was addressed to a non-existent recipient; however, this option was not implemented because it would have resulted in the rejection of the messages, with consequent failure to receive them" (see note cit., p. 3);
- "the communications that arrived at the email address bearing the initials of the [complainant] were answered from another email address, with an invitation to update address books/records and to refer to other email addresses and other operators/collaborators of Sicurnet Liguria s.r.l. for any further requests" (see note cit., pp. 3-4);
- "there is a company regulation which the [complainant], when he worked for Sicurnet Liguria s.r.l., also signed; however, it contains no reference to the use of the email account and, consequently, there are no rules regarding the company's email addresses and the related cases of closure/cancellation of accounts when a collaborator ceases his service" (see note cit., p. 4);
- "the email address [assigned to the complainant] had been set up by Sicurnet Liguria s.r.l. in order to provide its customers with a reference within the company" (see note cit., p. 4).

On 23 September 2023, the complainant presented his counter-arguments, in which he represented that:
- "my requests for clarification (7 and 9 June 2022) reached Sicurnet Liguria approximately 9 months after my last day of work (30 September 2021), a reasonable amount of time, I believe, for any possible reorganization";
- "the emails addressed to [the email address assigned to me] were probably diverted to another company email address, but the sender did not receive any communication with an 'invitation to update the address books/records and refer to ...'".

2. The initiation of the proceedings and the Company's arguments.

On 13 November 2023, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to articles 5, paragraph 1, letters a), b), c), e), 12, 13, 15 and 17 of the Regulation.

On 13 December 2023, the Company presented its defence papers and on that occasion highlighted that:
- "the reasons why the email address [assigned to the complainant] was not immediately deactivated after the termination of the working relationship with the [complainant] were limited to the management of customer relations, for the time necessary to provide the same customers with an alternative address" (see note 13/12/2023, p. 2);
- "it was necessary to collect all the references of the customers who had interacted with the company through the address [assigned to the complainant], before being able to manage them and communicate an alternative address to them" (see note cit., p. 2);
- "these purposes cannot but be considered «adequate, relevant and limited», according to the letter and spirit of the rule contained in article 5(1)(c) of the Regulation, given that the employment relationship between Sicurnet Liguria s.r.l. and the [complainant] was interrupted, by decision of the [complainant], suddenly, and the company, in the absence of any collaboration from the [complainant], had the need to be aware of and manage the communications collected by the former employee" (see note cit., p. 2);
- "the processing had exclusive regard to contents pertaining to the company's activity" (see note cit., p. 2);
- "there are no elements from which to deduce that there was, by Sicurnet Italia s.r.l., a use of the email address for purposes other than those indicated" (see note cit., p. 3);
- "the processing of personal data for purposes other than those for which the personal data were initially collected is permitted if compatible with the purposes for which the personal data were initially collected. In this case, no separate legal basis is required other than that which allowed the collection of personal data" (see note cit., p. 3);
- "in this case, during the employment relationship between the parties, it is common ground that the [complainant] gave his consent to the use of an e-mail address bearing his surname for business purposes; those same needs constituted the reason for using the mailbox for the time necessary to transfer the collected data" (see note cit., p. 3);
- "these elements were communicated to the [complainant] with the note sent to the Garante on 8 June 2023, in which the [complainant] was copied" (see note cit., p. 3);
- "therefore, the conduct of Sicurnet Liguria s.r.l. also complied with Article 13 of the Regulation and Article 5, letters a) and b)" (see note cit., p. 3);
- "the conduct adopted by Sicurnet Liguria s.r.l. was motivated by objective needs to avoid damage to its business activity, with consequent economic losses that would have arisen from the failure to manage the data collected by the [complainant] during the employment relationship" (see note cit., p. 4);
- "these elements cannot but be considered relevant by the Authority for the purposes of closing the proceedings or, alternatively, for the application of the sanction to the minimum extent permitted by the regulation" (see note cit., p. 4).

3. Outcome of the proceedings.

3.1 Facts ascertained and observations on the legislation on the protection of personal data.

Following the examination of the statements made to the Authority during the proceedings, as well as the documentation acquired, it appears that the Company, as data controller, carried out some processing operations relating to the complainant that do not comply with the rules on the protection of personal data, with regard to the processing of the company email address assigned to the complainant during the employment relationship. In particular, the Company did not respond to a repeated request to exercise rights presented by the complainant and, furthermore, arranged for incoming communications received on the email address assigned to the complainant after the termination of the employment relationship, which was kept active for a significant period of time, to be forwarded to another constantly monitored email address of the Company.

In this regard, it should be noted that, unless the act constitutes a more serious crime, anyone who, in proceedings before the Garante, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code ("False statements to the Garante and interruption of the execution of the tasks or exercise of the powers of the Garante").

Art. 5, par. 1, letter a), of the Regulation provides that data must be processed, among other things, fairly (principle of fairness). Art. 5, par. 1, letters b) and c), of the Regulation provides that personal data are "collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes" (principle of purpose limitation) and that they are "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (principle of data minimisation). Art. 5, par. 1, letter e), of the Regulation provides that personal data are "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed" (principle of storage limitation). Art. 13 of the Regulation provides that the controller is required to provide the data subject with all the information relating to the essential characteristics of the processing before it begins.

Art. 12 of the Regulation, to be read also in conjunction with the provisions on the specific rights recognised to the data subject, provides that "the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means" (paragraph 1).
It is also provided that "the controller shall facilitate the exercise of data subject rights under Articles 15 to 22" (paragraph 2). Paragraph 3 of the same article specifies that "the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject". According to paragraph 4 of art. 12 of the Regulation, if the controller does not take action on the request of the data subject, it "shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy".

Art. 15 of the Regulation provides that "the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the [...] information" indicated in the same article (paragraph 1), and that "the controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form" (paragraph 3).
Article 17 of the Regulation provides that "the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where [...] the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed".

3.2 Confirmed infringements.

3.2.1 Infringement of Articles 12, 15 and 17 of the Regulation.

On the basis of the elements acquired during the investigation and the subsequent assessments by the Office, it is established that the Company did not provide any response to the request to exercise rights submitted by the complainant on 7 June 2022 (right to erasure) and reiterated on 9 June 2022, with the addition of a request to access the incoming communications on the individualised company email address following the termination of the employment relationship (right of access). In this regard, during the investigation the Company limited itself to a generic reference to unspecified organisational needs that arose following the termination of the employment relationship with the complainant, without otherwise explaining the complete absence of any response to the requests submitted by the data subject. It is emphasised, in particular, that the Company not only did not allow the complainant to exercise the rights requested, but did not even communicate to him any refusal pursuant to art. 12, par. 4, of the Regulation, indicating the specific reasons why it could not act on the request submitted.

As specified, with regard to the right of access, by the EDPB Guidelines 01/2022 on data subject rights - Right of access, adopted on 28 March 2023 and subject to minor amendments on 30 May 2024, "where controllers refuse, in whole or in part, to act on a request for access pursuant to Article 15(4) GDPR, they must inform the data subject of the reasons without delay and at the latest within one month of receiving the request (Article 12(4) GDPR). The reasons must relate to the concrete circumstances in order to allow data subjects to assess whether they intend to oppose the refusal, and must include information on the possibility of lodging a complaint with a supervisory authority (Article 77 GDPR) and of seeking a judicial remedy (Article 79 GDPR)" (see section 6.2, par. 174). The data controller, therefore, following a request to exercise rights presented by the data subject to whom the data referred to in the request relate, must respond either by granting the request (art. 12, par. 3, of the Regulation) or by indicating the reasons for the refusal and the right to lodge a complaint with the Garante or to bring an action before the ordinary judicial authority.

The conduct of the Company is therefore in conflict with arts. 12, 15 and 17 of the Regulation. The violation of the aforementioned provisions makes the administrative sanctions provided for by art. 83, par. 5, letter b), of the Regulation applicable.

3.2.2 Violation of art. 5, par. 1, letters b), c) and e), of the Regulation.

Furthermore, the Company, by keeping active, after the termination of the employment relationship (which occurred on 30/09/2021), the account assigned to the complainant during that relationship ("XX"), and by activating an automatic system for forwarding incoming emails to another constantly monitored Company email address, took cognisance of those communications.
In this regard, in fact, the Company declared that incoming emails to the email address in question were answered "from another email address" (see note 28/07/2023, pp. 3-4). The account assigned to the complainant was kept active for a significant, although not defined, period of time, as the Company stated that it was unable to identify the precise date of its cancellation (in any case it remained active at least, an element not contested in the documents, until the submission of the complainant's request to exercise rights of 7 June 2022, reiterated and supplemented on 9 June 2022, given that with it the complainant, among other things, requested the cancellation of the still active account).

In this regard, it is emphasised that, despite what the Company claims regarding the absence of personal data relating to the complainant in the context of the processing of the individualised email address assigned to him, the Company's conduct entailed the performance of processing activities on personal data relating to the complainant which cannot be considered limited to the surname alone: access to the individualised email account and to all the incoming and outgoing communications contained in it inevitably determines a processing of personal data of the assignee of the account. This in light of the definitions of "personal data" and "processing" in art. 4, nos. 1 and 2, of the Regulation, which necessarily also include data relating to work activity ("personal data" means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"; "processing" means "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction").

In this regard, it is specified that the exchange of electronic correspondence, whether or not unrelated to work activity, on an individualised company account constitutes a processing operation that allows certain personal information relating to the data subject to be known (see "Guidelines of the Garante for electronic mail and the Internet", in the Official Journal no. 58 of 10/3/2007, esp. point 5.2, letter b)), and that the Garante has already deemed compliant with the principles on the protection of personal data the practice whereby, after the termination of the employment relationship, the controller removes the account, after deactivating it and adopting automatic systems aimed at informing third parties and providing them with alternative addresses relating to its professional activity, also taking suitable measures to prevent incoming messages from being viewed during the period in which this automatic system is in operation (see, among many, Provisions of 1 December 2023, no. 602, web doc. no. 9978536; 4 December 2019, no. 216, web doc. no. 9215890; 1 February 2018, no. 53, web doc. no. 8159221, point 3.4).

The systematic persistence of the company account assigned to the complainant at the time, even after the termination of the employment relationship and for a significant period of time, during which the Company activated a system for forwarding incoming communications to another email address, in the absence of any specific, explicit and legitimate purpose pursued, violates the principle of data minimisation (Article 5, paragraph 1, letter c), of the Regulation) and purpose limitation (Article 5, paragraph 1, letter b), of the Regulation) as well as storage limitation (Article 5, paragraph 1, letter e), of the Regulation). With regard to the violation of the principle of minimisation, it is emphasised that the Company, with the conduct described, did not limit itself to processing data that were adequate, relevant and limited to what was necessary in relation to the purposes for which they were processed (as required by art. 5, par. 1, letter c), of the Regulation).
The same purpose declared by the Company ("management of customer relations") could have been pursued with processing methods compliant with data protection rules, as they would have been less invasive of the complainant's sphere of confidentiality, and this confirms that the processing carried out was not necessary. Again with reference to the purpose declared by the Company, it is noted that that purpose (in theory certainly lawful) cannot be considered, in this case, given the manner in which it was pursued, an element such as to make the processing (i.e. forwarding incoming communications to another Company account) compliant with the law. In fact, the Company accessed the conversations received on the email address assigned to the complainant; in this respect, it is also specified that the content of the email messages, as well as the external data of the communications themselves and the attached files, concern forms of correspondence covered by guarantees of confidentiality that are also protected by the Constitution (articles 2 and 15 of the Constitution). That protection is therefore recognised by the legal system in favour of the recipient of the communications. With regard to the violation of the principle of storage limitation, it is noted that the Company kept the email account in question active, accessing it from the termination of the employment relationship (30/09/2021) until, at least, the submission of the complainant's request to exercise rights of 7 June 2022, reiterated and supplemented on 9 June 2022, therefore for a considerable period of time.
Furthermore, with regard to the Company's statement that "in this case, during the employment relationship between the parties, it is common ground that the [complainant] gave his consent to the use of an e-mail address bearing his surname for purposes related to business activities; those same needs constituted the reason for using the mailbox for the time necessary to transfer the collected data" (see note 13/12/2023, p. 3), it is noted that this reliance on the complainant's consent as an element legitimising the infringement of the data subject's right to the protection of personal data cannot be accepted, nor is it relevant. In this regard, it is noted, first of all, that the Company has not provided evidence of consent given by the complainant in this sense and formally obtained by the data controller; furthermore, and in any case, precisely because of the imbalance of power between the employer and the employee, it is unlikely, except in specific cases to be identified on a case-by-case basis, that the employee will freely give his/her consent to the employer (see in this regard the Guidelines 05/2020 on consent under Regulation 2016/679, adopted by the EDPB on 4 May 2020, which, recalling Opinion 2/2017 on data processing at work, pages 6-7, state that "the EDPB deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee"). This is all the more true if giving consent would lead to a reduction in the scope of the protections recognised to the data subject in terms of personal data protection.
Finally, with reference to the Company's citation of the decision of the Court of Justice of the European Union, Section III, 2 March 2023, no. 268 (see note 13/12/2023, p. 3), it is sufficient to observe that the reference is not relevant given the subject matter of that decision. In light of the above, set out analytically, it therefore emerges that the Company's conduct was carried out in violation of the provisions of art. 5, par. 1, letters b), c) and e) of the Regulation.

3.2.3 Violation of Articles 5, paragraph 1, letter a) and 13 of the Regulation.

It was also found that the processing carried out by the Company on the individualized company email account assigned to the complainant was carried out in the absence of adequate information. As stated by the Company itself, not even the existing company regulation contained references to the use of the email account "and, consequently, there is no discipline regarding the company's email addresses with the related hypotheses of closure/cancellation of accounts when a collaborator ceases his/her service" (see note 28/07/2023, cit., p. 4). Nor can the response to the Guarantor's invitation to comply of 9 March 2023, which the Company states was provided in copy to the complainant on 8 June 2023 in the context of the administrative procedure opened before the Authority following the complaint, be considered suitable compliance with art. 13 of the Regulation, as the Company instead claims (see note 13/12/2023, p. 3). This is because the obligation to provide suitable information, where personal data are collected from the data subject, must be fulfilled "at the time in which the personal data are obtained".
It is clear, however, that this did not occur in the case in question, considering that some of the information due regarding the processing carried out by the Company was provided only following the submission of the complaint and only following the opening of the investigation by the Authority. In this regard, it is emphasized that the rationale of art. 13 of the Regulation is to provide data subjects, prior to the start of the processing of their personal data, with clear and specific information on such processing: therefore, in order for the provisions of that article to be considered complied with, the information provided in the notice must fully describe the processing. Therefore, the Company has violated the provisions of art. 13 of the Regulation - which constitutes a corollary of the principle of transparency pursuant to art. 5, par. 1, letter a), of the Regulation - according to which the data controller is required to provide the data subject in advance with all information relating to the essential characteristics of the processing (see Provision 1 March 2007, no. 13 "Guidelines for electronic mail and the Internet" cit.). The Company's conduct was also implemented in a manner not in accordance with the provisions of art. 5, par. 1, letter a), of the Regulation since, in the context of the employment relationship, the obligation to inform the employee is also an expression of the general principle of fairness.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.
For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome and that they are therefore unsuitable to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. The processing of personal data carried out by the Company and in particular the processing carried out, after the termination of the employment relationship, on the email account assigned to the complainant, among other things, in the absence of appropriate information, and the absence of response to the request to exercise the rights is in fact unlawful, in the terms set out above, in relation to Articles 5, paragraph 1, letters a), b), c), e), 12, 13, 15, 17 of the Regulation. It is noted that the email address subject to processing was finally deleted by the Company, albeit on a date not indicated by the Company itself. The violation, ascertained in the terms set out in the reasons, cannot be considered "minor", taking into account the nature and gravity of the violation itself which concerned, among other things, the general principles of processing, as well as the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation). The Authority also considered that the level of severity of the infringement is medium, in light of all the factors relevant to the specific case, and in particular the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected by the damage and the level of damage suffered. 
The Authority also took into account the criteria relating to the intentional or negligent character of the infringement and the categories of personal data affected by the infringement, as well as the manner in which the supervisory authority became aware of the infringement (see Article 82, paragraph 2, and Recital 148 of the Regulation).

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).

The infringement of Articles 5, paragraph 1, letters a), b), c), e), 12, 13, 15, 17 of the Regulation entails the application of the administrative sanction provided for by art. 83 of the Regulation. The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the pecuniary administrative sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18, L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by Sicurnet Liguria S.r.l., which has been found to be unlawful in the terms set out above. Considering it necessary to apply paragraph 3 of art. 83 of the Regulation, which provides that "if, in relation to the same processing or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement", the total amount of the fine is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.
With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (Article 83, paragraph 1 of the Regulation), it is represented that, in the case in question, the following circumstances were taken into account:
- the significant seriousness of the violation, which also involved cases punished more severely due to the interest protected by the violated rules (concerning the principles of fairness, minimization, storage limitation and purpose limitation; the right to information; the exercise of the rights of data subjects);
- the seriousness of the violation, which involved the use of the individualized company email address following the termination of the employment relationship;
- the duration of the violation;
- the number of data subjects involved in the violations ascertained, equal to one;
- with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the objective elements of the Company's conduct and its degree of responsibility, since it violated the obligation of diligence provided for by the law and did not comply with the data protection regulations in relation to a plurality of provisions; indeed, during the proceedings the Company repeatedly stated that the processing relating to the individualized company email address assigned to a worker does not involve the processing of personal data other than the surname of the data subject, despite the public online availability of the numerous provisions of the Authority and the rulings of the case law on the matter.
It is also believed that the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the abbreviated financial statement for the year 2023 (last available), are relevant in this case, due to the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (art. 83, par. 1, of the Regulation). In light of the elements indicated above and the assessments carried out, it is believed, in this case, that the administrative sanction of payment of a sum equal to Euro 8,000 (eight thousand/00) should be applied to Sicurnet Liguria S.r.l. In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor n. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor. This is in consideration of the specific characteristics of the case under consideration, in particular the conduct of the Company, which during the investigation confirmed its belief that it was not processing the complainant's personal data in the context of the processing of the individualized company email account assigned to the complainant. From this circumstance emerges the Company's lack of basic essential knowledge regarding the processing of personal data.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to articles 57, par. 1, letter f) and 83, of the Regulation, notes the unlawfulness of the processing carried out by Sicurnet Liguria S.r.l., in the person of its legal representative, with registered office in Via Fieschi 20/1 (GE), C.F. 01426730998, in the terms set out in the reasons, for the violation of articles 5, par. 1, letters a), b), c), e), 12, 13, 15, 17 of the Regulation;

ORDERS pursuant to art. 58, par. 2, letter i) of the Regulation the same Sicurnet Liguria S.r.l. to pay the sum of Euro 8,000 (eight thousand/00) as an administrative pecuniary sanction for the violations indicated in this provision.

ORDERS therefore Sicurnet Liguria S.r.l. to pay the aforementioned sum of Euro 8,000 (eight thousand/00), according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is represented that, pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website; pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, by an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, January 16, 2025

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei

[web doc. no. 10110927]

Provision of January 16, 2025
Register of provisions no. 8 of January 16, 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S MEETING, which was attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councilor Fabio Mattei, secretary general;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");
SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");
SEEN the complaint submitted pursuant to art. 77 of the Regulation by Mr. XX against Sicurnet Liguria s.r.l.;
EXAMINED the documentation in the files;
SEEN the observations formulated by the Secretary General pursuant to art. 15 of the regulation of the Guarantor no. 1/2000;
REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the Company and the investigation activity.

With a complaint dated 29 July 2022, Mr. XX represented to this Authority that he had sent to Sicurnet Liguria S.r.l. (hereinafter, the Company), on 7 June 2022 and 9 June 2022, a request to exercise the right to erasure of the XX company email account, pursuant to art. 17 of the Regulation, considering that the employment relationship with the Company had ceased on 30 September 2021, and that he had not received any feedback from the Company.
In the request dated 9 June 2022, he also asked to "receive any email messages received from 1 October 2021 to today that are not strictly related to my previous work activity". On 8 June 2023, the Company, following an invitation to comply sent by the Department on 9 March 2023, also sent its response to the complainant. On that occasion, it declared that:
- "the account [assigned to the complainant] has long been deactivated and, consequently, is no longer active" (see note 8/6/2023 cit., p. 1);
- "in his complaint, the [complainant] makes an express reference to the «company email address» […] this is because the email address indicated above had been prepared by Sicurnet Liguria s.r.l. for the purpose of providing its customers with a reference within the company, with which to deal with any needs arising from the collaboration: the management of this address was entrusted to the [complainant] who, always in the name and on behalf of Sicurnet Liguria s.r.l., used it exclusively for purposes related to the business activity of the same company that employed him, which is not aware that the [complainant] used it for personal purposes" (see note cit., p. 1, 2);
- "subsequent to the termination of the employment relationship with the [complainant], Sicurnet Liguria s.r.l. needed to manage the email address for the sole purpose of collecting communications received from various customers, for the time necessary to manage them through a different address" (see note cit., p. 2);
- "during this period no email was ever sent from the email address indicated above; the postponement of its closure was necessary because all customers who over the years had dealings with Sicurnet Liguria s.r.l. through the [complainant] as a collaborator/employee of the company had this address as their point of reference; this element, in addition to being a logical consequence of the relationships that develop between customers and the company, necessarily led to a non-immediate cancellation of the account since, also for reasons of prevention, the communications that arrived at the aforementioned address after the termination of the employment relationship with the [complainant] were answered from another email address, with which customers were advised to update their personal details, and it was also communicated to replace it with a new email address belonging to another employee, to date still working in the structure of Sicurnet Liguria s.r.l." (see note cit., p. 3);
- the Company "did not process any personal data of the [complainant] either before or after the termination of the employment relationship; the indication of the initial of the name and surname of the same [complainant] on the «name» of the email address does not constitute a relevant element for the purposes of applying the [data protection] legislation, given that the hosting «sicurnetliguria.it» demonstrates the creation and use of the email box for the exclusive purposes of the company" (see note cit., p. 3, 4).
On 28 July 2023, following a request for information pursuant to art. 157 of the Code, formulated by the Department on 28 June 2023, the Company further represented that:
- with regard to the specific reasons on the basis of which the Company did not provide feedback, within the terms set out in art. 12 of the Regulation, to the requests for the exercise of rights presented by the complainant on 7 June 2022 and 9 June 2022, "the working relationship between Sicurnet Liguria s.r.l. and the [complainant] was interrupted, by decision of the same [complainant], suddenly. Sicurnet Liguria s.r.l. had the need to reorganize its structure also to acquire the necessary knowledge of the elements pertaining to the relationships with the numerous customers who were managed through the [complainant]; these tasks required efforts made in the necessary time. Furthermore, Sicurnet Liguria s.r.l. had the need to study in depth the legal aspects inherent to the relationship with the [complainant], also in relation to distinct circumstances unrelated to the employment contract" (see note 28/07/2023 cit., p. 1);
- "with regard to the cancellation of the account in question, it is unfortunately not possible to trace the exact date of its elimination" (see note cit., p. 2);
- "after the termination of the employment relationship with the [complainant], the email account was used only to check the correspondence received. This was necessary to manage the numerous communications received from various customers and suppliers" (see note cit., p. 3);
- "when the [complainant]'s email inbox was deactivated, a function was activated in the general management panel of the domain's mailbox called "non-existent recipients" through which all incoming emails were automatically forwarded to a specific email address that was constantly monitored" (see note cit., p. 3);
- "Sicurnet Liguria s.r.l. could also have adopted the additional option that provides for the sender to receive a notification that the message was addressed to a non-existent recipient; however, this option was not implemented because it would have resulted in the rejection of the messages with consequent failure to receive them" (see note cit., p. 3);
- "the communications that arrived at the email with the initials of the [complainant] were answered from another email address with an invitation to update the address books/personal data and to refer to other email addresses and other operators/collaborators of Sicurnet Liguria s.r.l. for any further requests" (see note cit., p. 3, 4);
- "there is a company regulation that the [complainant], when he worked for Sicurnet Liguria s.r.l., also signed; however, there is no reference to the use of the email account and, consequently, there is no regulation regarding the company's email addresses with the related hypotheses of closure/cancellation of accounts when a collaborator ceases his service" (see note cit., p. 4);
- "the email address [assigned to the complainant] had been prepared by Sicurnet Liguria s.r.l. in order to provide its customers with a reference point within the company" (see note cit., p. 4).
On 23 September 2023, the complainant submitted his counter-arguments, in which he stated that:
- "my requests for clarification (7 and 9 June 2022) reached Sicurnet Liguria approximately 9 months after my last day of work (30 September 2021), a reasonable amount of time, I believe, for any possible reorganisation";
- "the emails addressed to [the email address assigned to me] were probably diverted to another company email address, but the sender did not receive any communication with an "invitation to update the address books/personal data and refer to …"".

2. The initiation of the proceedings and the Company's arguments.

On 13 November 2023, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to art. 5, par. 1, letters a), b), c), e), 12, 13, 15, 17 of the Regulation. On 13 December 2023, the Company submitted its written defence and on that occasion highlighted that:
- "the reasons why the email address [assigned to the complainant] was not immediately deactivated after the termination of the working relationship with the [complainant] were those limited to the management of customer relations, for the time necessary to provide the same customers with an alternative address" (see note 13/12/2023, p. 2);
- "it was necessary to collect all the references of the customers who had interacted with the company through the address [assigned to the complainant], before being able to manage them and communicate an alternative address to them" (see note cit., p. 2);
- "these purposes cannot but be considered "adequate, pertinent and limited", according to the letter and spirit of the rule contained in Article 5, paragraph I, letter c of the regulation, given that the employment relationship between Sicurnet Liguria s.r.l. and the [complainant] was interrupted, by decision of the [complainant], suddenly and the company, in the absence of any collaboration with the same [complainant], had the need to be aware of and manage the communications collected by the same former employee" (see note cit., p. 2);
- "the processing had exclusive regard to contents pertaining to the company's activity" (see note cit., p. 2);
- "there are no elements from which to deduce that there was, by Sicurnet Italia s.r.l., a use of the email address for purposes other than those indicated" (see note cit., p. 3);
- "the processing of personal data for purposes other than those for which the personal data were initially collected is permitted if compatible with the purposes for which the personal data were initially collected. In this case, no separate legal basis is required other than that which allowed the collection of personal data" (see note cit., p. 3);
- "in the case in question, during the employment relationship between the parties, it is common ground that the [complainant] gave his consent to the use of an e-mail address bearing his surname for purposes relating to business activity; those same needs constituted the reason for the use of the mailbox for the time necessary to transfer the collected data" (see note cit., p. 3);
- "these elements were communicated to the [complainant] with the note sent to the Guarantor Authority on 8 June 2023, in which the [complainant] was included in copy" (see note cit., p. 3);
- "therefore, the conduct of Sicurnet Liguria s.r.l. was also compliant with Article 13 of the Regulation and Article 5, letters a) and b)" (see note cit., p. 3);
- "the conduct adopted by Sicurnet Liguria s.r.l. was motivated by objective needs to avoid damage to its business activity, with consequent economic losses that would have arisen from the failure to manage the data collected by the [complainant] during the duration of the employment relationship" (see note cit., p. 4);
- "these elements cannot but be considered relevant by the Authority for the purposes of archiving the proceedings or, alternatively, for the application of the sanction to the minimum extent permitted by the regulation" (see note cit., p. 4).

3. Outcome of the proceedings.

3.1 Facts ascertained and observations on the legislation on the protection of personal data.

Following the examination of the statements made to the Authority during the proceedings, as well as the documentation acquired, it appears that the Company, as the data controller, has carried out some processing operations relating to the complainant that are not compliant with the regulations on the protection of personal data, with regard to the processing of the company email address assigned to the complainant during the employment relationship. In particular, the Company has not responded to a repeated request to exercise rights presented by the complainant and, furthermore, has arranged for incoming communications received, after the termination of the employment relationship, on the email address assigned to the complainant to be forwarded to another constantly monitored email address of the Company, with that account kept active for a significant period of time.
In this regard, it should be noted that, unless the act constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor").
Art. 5, par. 1, letter a), of the Regulation provides that data must be processed, among other things, fairly (principle of fairness). Art. 5, par. 1, letters b) and c) of the Regulation provide that personal data are "collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes" (principle of purpose limitation) and that they are "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (principle of data minimization). Art. 5, par. 1, letter e) of the Regulation provides that personal data are "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed" (principle of storage limitation). Art. 13 of the Regulation provides that the controller is required to provide the data subject with all the information relating to the essential characteristics of the processing before it begins.
Art. 12 of the Regulation, to be read also in conjunction with the provisions relating to the specific rights recognized by the law to the data subject, provides that "the controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language […]. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means" (paragraph 1). It is also provided that "the controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22" (paragraph 2). Paragraph 3 of the same article specifies that "the controller shall provide the data subject with information on action taken on a request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by two more months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject". According to paragraph 4 of art. 12 of the Regulation, the data controller, if it does not comply with the request of the data subject, "shall inform the data subject without delay and at the latest within one month of receiving the request of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy".
Art. 15 of the Regulation provides that "the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the […] information" indicated in the same article (par. 1) and that "the controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form" (paragraph 3). Article 17 of the Regulation provides that "the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where […] the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed".

3.2 Confirmed violations.

3.2.1 Violation of Articles 12, 15 and 17 of the Regulation.

Based on the elements acquired during the investigation and the subsequent assessments by the Office, it is established that the Company has not provided any feedback to the request to exercise rights submitted by the complainant on 7 June 2022 (right to erasure) and reiterated on 9 June 2022, with the addition of a request to access the communications received on the individualized company email address following the termination of the employment relationship (right of access). In this regard, the Company, during the investigation, limited itself to a generic reference to unspecified organizational needs that arose following the termination of the employment relationship with the complainant, without further justifying the absence of any feedback to the requests submitted by the data subject. It is highlighted, in particular, that the Company not only did not allow the complainant to exercise the rights requested, but did not even communicate to the complainant any refusal, pursuant to art. 12, par. 4 of the Regulation, with an indication of the specific reasons why it could not follow up on the request submitted.
As specified, in the matter of the right of access, by the EDPB Guidelines 1/2022 on the rights of data subjects - Right of access, adopted on 28 March 2023 and slightly amended on 30 May 2024, "where controllers refuse, in whole or in part, to comply with a request for access pursuant to Article 15, paragraph 4, GDPR, they must inform the data subject of the reasons without delay and at the latest within one month of receiving the request (Article 12, paragraph 4, GDPR). The motivation must refer to the specific circumstances to allow the data subjects to assess whether they intend to oppose the refusal, and must include information on the possibility of lodging a complaint with a supervisory authority (Article 77 GDPR) and of bringing a judicial remedy (Article 79 GDPR)" (see par. 6.2, par. 174). Therefore, following a request to exercise rights presented by the data subject to whom the data in the request refer, the data controller must provide the data subject with feedback, either accepting the request (Article 12, par. 3 of the Regulation) or indicating the reasons for the refusal and the right to lodge a complaint with the Guarantor or an appeal before the ordinary judicial authority. The conduct of the Company is therefore in conflict with Articles 12, 15 and 17 of the Regulation. Violation of the aforementioned provisions makes the administrative sanctions provided for by Article 83, par. 5, letter b), of the Regulation applicable.

3.2.2 Violation of art. 5, par. 1, letters b), c), e) of the Regulation.

Furthermore, by keeping active, after the termination of the employment relationship (which occurred on 30/09/2021), the account assigned to the complainant during the employment relationship itself ("XX"), the Company activated an automatic system for forwarding incoming emails to another constantly monitored Company email address, thus taking note of the aforementioned communications.
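The two failure modes the decision turns on, an individualized account kept active and silently forwarding after termination, and data-subject requests left without an answer or a reasoned refusal past the Article 12(3)/(4) deadlines, can be checked mechanically from an offboarding register. The script below is an added example, not part of the Garante's decision or of any Sicurnet system: the termination and request dates are those in the decision, while the account names, the second mailbox and the "autoreply" state treated as the less invasive alternative are constructed assumptions.

```python
"""Offboarding compliance audit for individualized company mailboxes.
Added example (not from the Garante decision or any Sicurnet system): audits a
constructed register of leavers' mailboxes and data-subject requests."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# States of a mailbox after its assignee has left. "active" and "forwarding"
# (catch-all forwarding to another monitored company address, the setup the
# Company described) are what the decision faults. "autoreply" (sender is told
# the address is closed and given another contact; content is not collected) is
# assumed here to be the less invasive alternative; "deleted" is the end state.
FAULTED_STATES = {"active", "forwarding"}

@dataclass
class Mailbox:
    account: str
    termination: date              # last day of the employment relationship
    status: str                    # active | forwarding | autoreply | deleted
    deleted_on: Optional[date] = None

@dataclass
class RightsRequest:
    account: str
    received: date
    kind: str                      # "erasure" (Art. 17) or "access" (Art. 15)
    answered_on: Optional[date] = None            # answer or reasoned refusal
    extension_notified_on: Optional[date] = None  # Art. 12(3) extension notice

def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month0 = d.month - 1 + n
    year, month = d.year + month0 // 12, month0 % 12 + 1
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))

def response_deadline(req: RightsRequest) -> date:
    """Art. 12(3): one month from receipt, plus two more months only if the
    data subject was notified of the extension within the first month."""
    deadline = add_months(req.received, 1)
    if req.extension_notified_on is not None and req.extension_notified_on <= deadline:
        deadline = add_months(req.received, 3)
    return deadline

def audit_mailboxes(boxes: List[Mailbox], today: date) -> List[Dict[str, str]]:
    """Flag accounts still collecting mail under a leaver's name (Art. 5(1)(b),
    (c), (e)) and deletions whose date was never recorded."""
    findings = []
    for box in boxes:
        if box.status in FAULTED_STATES and today > box.termination:
            days = (today - box.termination).days
            findings.append({"account": box.account, "rule": "Art. 5(1)(b),(c),(e)",
                             "detail": f"status '{box.status}' {days} days after termination; "
                                       "incoming mail still collected under the leaver's name"})
        elif box.status == "deleted" and box.deleted_on is None:
            findings.append({"account": box.account, "rule": "accountability",
                             "detail": "account deleted but the deletion date was not recorded"})
    return findings

def audit_requests(reqs: List[RightsRequest], today: date) -> List[Dict[str, str]]:
    """Flag requests with neither an answer nor a reasoned refusal within the
    Art. 12(3)/(4) deadline, whether still pending or answered late."""
    findings = []
    for req in reqs:
        deadline = response_deadline(req)
        if req.answered_on is None and today > deadline:
            detail = (f"{req.kind} request of {req.received} unanswered, "
                      f"{(today - deadline).days} days past the {deadline} deadline")
        elif req.answered_on is not None and req.answered_on > deadline:
            detail = f"{req.kind} request of {req.received} answered on {req.answered_on}, after {deadline}"
        else:
            continue
        findings.append({"account": req.account, "rule": "Art. 12(3)/(4)", "detail": detail})
    return findings

# Constructed register: the first mailbox's termination date and both request
# dates are those in the decision; account names and the second mailbox are invented.
REGISTER = [Mailbox("former-employee@example.invalid", date(2021, 9, 30), "forwarding"),
            Mailbox("other-leaver@example.invalid", date(2022, 1, 31), "autoreply")]
REQUESTS = [RightsRequest("former-employee@example.invalid", date(2022, 6, 7), "erasure"),
            RightsRequest("former-employee@example.invalid", date(2022, 6, 9), "access")]

def run_audit(today: date = date(2022, 7, 29)) -> List[Dict[str, str]]:
    """Audit the constructed register as of the complaint date (29 July 2022)."""
    return audit_mailboxes(REGISTER, today) + audit_requests(REQUESTS, today)

if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding['account']} | {finding['rule']} | {finding['detail']}")
```

Run as of the complaint date it reports the forwarding mailbox still collecting mail 302 days after termination and both requests past their one-month deadline; the late-notified extension case shows why the two-month extension does not apply unless the data subject was told within the first month.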
In this regard, in fact, the Company declared that emails received at the email address in question were answered “from another email address” (see note of 28/07/2023, pp. 3-4). The account assigned to the complainant was kept active for a significant, although undefined, period of time, since the Company stated that it was unable to identify the precise date of its deletion (in any case it remained active at least - an element not contested in the documents - until the complainant's request to exercise his rights of 7 June 2022, reiterated and supplemented on 9 June 2022, given that with that request the complainant, among other things, asked for the deletion of the still-active account). In this regard, it is emphasized that, despite what the Company claims regarding the absence of personal data relating to the complainant in the processing of the individualized email address assigned to him, the conduct of the Company entailed processing of personal data relating to the complainant which cannot be considered limited to the surname alone: access to the individualized email account and to all incoming and outgoing communications contained therein inevitably constitutes processing of the personal data of the assignee of the account. This is in light of the definitions of “personal data” and “processing” pursuant to art. 4, nos. 1 and 2 of the Regulation, which necessarily also include data relating to work activity (“personal data” means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”; “processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”). In this regard, it is specified that the exchange of electronic correspondence - whether or not related to work activity - on an individualized company account constitutes a processing operation that allows certain personal information relating to the data subject to be known (see “Guidelines of the Guarantor for electronic mail and the Internet”, in the Official Journal no. 58 of 10/3/2007, spec.
point 5.2, letter b)), and that the Guarantor has already deemed compliant with the principles on the protection of personal data the practice whereby, after the termination of the employment relationship, the controller removes the account, after deactivating it and adopting automatic systems aimed at informing third parties and providing them with alternative addresses relating to its professional activity, also taking suitable measures to prevent the display of incoming messages during the period in which this automatic system is in operation (see, among many, Provisions of 1 December 2023, no. 602, web doc. no. 9978536; 4 December 2019, no. 216, web doc. no. 9215890; 1 February 2018, no. 53, web doc. no. 8159221, point 3.4). The systematic persistence of the company account assigned to the complainant at the time, even after the termination of the employment relationship and for a significant period of time, during which the Company activated a system for forwarding incoming communications to another email address, in the absence of any specific, explicit and legitimate purpose, violates the principle of data minimization (Article 5, paragraph 1, letter c) of the Regulation) and purpose limitation (Article 5, paragraph 1, letter b) of the Regulation) as well as storage limitation (Article 5, paragraph 1, letter e) of the Regulation). With regard to the violation of the principle of minimization, it is emphasized that the Company, with the conduct described, did not limit itself to processing data that was adequate, relevant and limited to what was necessary in relation to the purposes for which they were processed (as required by art. 5, par. 1, letter c), of the Regulation).
The same purpose declared by the Company (“management of customer relations”) could have been pursued with processing methods compliant with data protection regulations, being less invasive of the complainant's sphere of confidentiality, and this confirms that the processing carried out was not necessary. Again with reference to the purpose declared by the Company, it is noted that this purpose (in theory certainly lawful) cannot be considered, in this case, given the manner in which it was pursued, an element capable of making the processing (i.e. forwarding incoming communications to another Company account) compliant with the law. In fact, the Company accessed the conversations received on the email address assigned to the complainant; in this regard, it is also specified that the content of the email messages, as well as the external data of the communications themselves and the attached files, constitute forms of correspondence covered by guarantees of confidentiality that are also protected by the Constitution (articles 2 and 15 of the Constitution). That protection is therefore recognized by the legal system in favor of the recipient of the communications. With regard to the violation of the principle of storage limitation, it is noted that the Company kept the email account in question active, accessing it from the termination of the employment relationship (30/09/2021) until, at least, the submission of the complainant's request to exercise his rights of 7 June 2022, reiterated and supplemented on 9 June 2022, and therefore for a considerable period of time.
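The decision contrasts the unlawful pattern (keeping the individual mailbox alive and auto-forwarding its traffic to a monitored address) with the pattern the Guarantor has accepted: deactivate the account, run an automatic notice that gives third parties an alternative address while incoming messages are never displayed, then remove the account. The following is an added example of that offboarding sequence and is not part of the decision or of the Company's systems. It assumes a Microsoft 365 / Exchange Online tenant administered with the ExchangeOnlineManagement and Microsoft.Graph.Users PowerShell modules; the mailbox, the alternative address, the notice period and the rule name are placeholders.

```powershell
# Added example, not from the decision: offboarding an individual company mailbox
# in an assumed Exchange Online tenant. Requires an admin session with Exchange
# administration rights and the Graph scope User.ReadWrite.All. All identities
# below are placeholders.

function Start-MailboxOffboarding {
    param(
        [Parameter(Mandatory)] [string] $Upn,         # placeholder: departed employee's mailbox
        [Parameter(Mandatory)] [string] $AltAddress,  # placeholder: generic address senders are pointed to
        [Parameter(Mandatory)] [string] $RuleName     # placeholder: name of the transport rule
    )

    # 1. Deactivate the identity so that nobody, the employer included, signs in to
    #    the mailbox and reads the correspondence stored in it.
    Update-MgUser -UserId $Upn -AccountEnabled:$false

    # 2. Remove the pattern the decision sanctions: no mailbox-level forwarding to a
    #    monitored address, and no inbox rules that forward or redirect mail elsewhere.
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
        -DeliverToMailboxAndForward $false
    Get-InboxRule -Mailbox $Upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Remove-InboxRule -Confirm:$false

    # 3. Inform third parties and give them an alternative address while ensuring that
    #    incoming messages are neither stored nor displayed. A transport rule rejects
    #    mail addressed to the former employee with an explanatory non-delivery report,
    #    so the message never lands in the mailbox (a mailbox auto-reply would still
    #    deliver it).
    $reason = "This mailbox is no longer in use. For business matters please write to $AltAddress."
    New-TransportRule -Name $RuleName -SentTo $Upn -RejectMessageReasonText $reason
}

function Test-MailboxOffboarding {
    # Returns $true when the deactivated state described in the decision holds:
    # no forwarding of any kind and the notice rule in place.
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $RuleName
    )
    $mbx  = Get-Mailbox -Identity $Upn
    $fwd  = Get-InboxRule -Mailbox $Upn |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    $rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue

    return (-not $mbx.ForwardingAddress) -and
           (-not $mbx.ForwardingSmtpAddress) -and
           (-not $mbx.DeliverToMailboxAndForward) -and
           (-not $fwd) -and
           ($null -ne $rule) -and ($rule.State -eq 'Enabled')
}

function Complete-MailboxOffboarding {
    # After the announced notice period: remove the notice rule and the account, so
    # that retention of the account stays bounded (storage limitation).
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $RuleName
    )
    Remove-TransportRule -Identity $RuleName -Confirm:$false
    Remove-MgUser -UserId $Upn
}

# Usage (placeholders): run Start- on the last working day, verify with Test-,
# and schedule Complete- for the end of the notice period.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$upn = 'm.rossi@example.invalid'          # placeholder
$rule = 'Offboarding-Reject-m.rossi'      # placeholder
Start-MailboxOffboarding -Upn $upn -AltAddress 'info@example.invalid' -RuleName $rule
if (-not (Test-MailboxOffboarding -Upn $upn -RuleName $rule)) {
    throw "Offboarding state for $upn is incomplete; do not leave the account in this condition."
}
$removeOn = (Get-Date).AddDays(30)        # placeholder notice period
Write-Output "Account $upn deactivated; notice rule active; removal planned for $($removeOn.ToShortDateString())."
```

The reject rule is chosen over a mailbox auto-reply deliberately: an auto-reply informs the sender but still delivers the message into the mailbox, which is exactly the stored, viewable correspondence the decision treats as processing of the former employee's personal data. Test-MailboxOffboarding is meant to be kept in the joiner/mover/leaver checklist so that the forwarding-to-a-monitored-address configuration cannot be reintroduced unnoticed before the account is finally removed.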
Furthermore, with regard to the Company's statement that “in this case, during the employment relationship between the parties, it is common ground that the [complainant] gave his consent to the use of an e-mail address bearing his surname for purposes relating to business activities; those same needs constituted the reason for using the mailbox for the time necessary to transfer the collected data” (see note of 13/12/2023, p. 3), it is observed that this reliance on the complainant's consent as an element legitimising the infringement of the data subject's right to protection of personal data cannot be accepted, nor does it appear relevant. In this regard, it should be noted, first of all, that the Company has not provided evidence of consent given by the complainant in this sense and formally acquired by the data controller; furthermore and in any case, precisely because of the imbalance of power between the employer and the employee, it is unlikely, except in particular cases to be identified on a case-by-case basis, that the employee will freely give his or her consent to the employer (see in this regard the Guidelines on consent under the Regulation adopted by the EDPB on 4 May 2020 which, recalling Opinion 2/2017 on data processing in the workplace, pages 6-7, state that “the Board considers it problematic for the employer to process the personal data of current or future employees on the basis of consent, as this is unlikely to be freely given. For most processing activities carried out in the workplace, the lawful basis cannot and should not be the employee's consent (Article 6, paragraph 1, letter a)) given the nature of the relationship between employer and employee”). This is especially true if giving consent would lead to a reduction in the scope of the protections granted to the data subject in terms of personal data protection.
Finally, with reference to the Company's citation of the decision of the EU Court of Justice, Section III, 2 March 2023, no. 268 (see note of 13/12/2023, p. 3), it suffices to observe that such reference is not relevant given the subject matter of that decision. In light of the above analysis, it therefore emerges that the conduct of the Company was carried out in violation of the provisions of art. 5, par. 1, letters b), c) and e) of the Regulation.
3.2.3 Violation of arts. 5, par. 1, letter a) and 13 of the Regulation.
It was also found that the processing carried out by the Company on the individualized company email account assigned to the complainant took place in the absence of a suitable information notice. As stated by the Company itself, not even the existing company regulations contained references to the use of the email account “and, consequently, there is no discipline regarding the company's email addresses with the related hypotheses of closure/cancellation of accounts when a collaborator ceases his/her service” (see note of 28/07/2023, cit., p. 4). Nor can the response to the Guarantor's invitation of 9 March 2023 to comply, which was allegedly provided in copy to the complainant on 8 June 2023 in the context of the administrative procedure opened before the Authority following the complaint, be considered suitable compliance with the provisions of art. 13 of the Regulation, as instead claimed by the Company (see note of 13/12/2023, p. 3). This is because the obligation to provide a suitable information notice, where personal data are collected from the data subject, must be fulfilled “at the time when personal data are obtained”.
It is clear, however, that this did not occur in the case in question, considering that some of the required information regarding the processing carried out by the Company was provided only after the submission of the complaint and only after the opening of the investigation by the Authority. In this regard, it is emphasized that the rationale of art. 13 of the Regulation is to provide data subjects, before the processing of their personal data begins, with clear and specific information on such processing: therefore, for the provisions of that article to be considered complied with, the information notice provided must fully describe the processing. Therefore, the Company has violated the provisions of art. 13 of the Regulation - which constitutes a corollary of the principle of transparency pursuant to art. 5, par. 1, letter a), of the Regulation - according to which the data controller is required to provide the data subject in advance with all information relating to the essential characteristics of the processing (see Provision of 1 March 2007, no. 13, “Guidelines for electronic mail and the Internet”, cit.). The Company's conduct was also carried out in a manner not in accordance with the provisions of art. 5, par. 1, letter a), of the Regulation, since, in the context of the employment relationship, the obligation to inform the employee is also an expression of the general principle of fairness.
4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.
For the above reasons, the Authority considers that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome, and that they are therefore unsuitable to allow the present proceeding to be closed, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. The processing of personal data carried out by the Company, and in particular the processing carried out after the termination of the employment relationship on the email account assigned to the complainant, among other things in the absence of a suitable information notice, and the absence of a response to the request to exercise the rights, is in fact unlawful, in the terms set out above, in relation to Articles 5, paragraph 1, letters a), b), c), e), 12, 13, 15 and 17 of the Regulation. It is noted that the email address subject to processing was finally deleted by the Company, albeit on a date not indicated by the Company itself. The violation, ascertained in the terms set out in the reasons, cannot be considered “minor”, taking into account the nature and gravity of the violation itself, which concerned, among other things, the general principles of processing, as well as the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation). The Authority also considered that the level of severity of the infringement is medium, in light of all the factors relevant to the specific case, and in particular the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the level of damage suffered by them.
The Authority also took into account the criteria relating to the intentional or negligent character of the infringement and the categories of personal data affected by the infringement, as well as the manner in which the supervisory authority became aware of the infringement (see Article 82, paragraph 2, and Recital 148 of the Regulation).
5. Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).
The infringement of Articles 5, paragraph 1, letters a), b), c), e), 12, 13, 15 and 17 of the Regulation entails the application of the administrative sanction provided for by art. 83 of the Regulation. The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the pecuniary administrative sanction provided for by art. 83 of the Regulation by adopting an injunction order (art. 18, Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by Sicurnet Liguria S.r.l., which has been found to be unlawful in the terms set out above. Considering it necessary to apply paragraph 3 of art. 83 of the Regulation, which provides that “if, in relation to the same processing or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”, the total amount of the fine is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5. With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be “effective, proportionate and dissuasive in each individual case” (Article 83, paragraph 1 of the Regulation), it is noted that, in the case in question, the following circumstances were taken into account: the significant seriousness of the violation, which also involved cases punished more severely because of the interest protected by the violated rules (concerning the principles of fairness, minimization, storage limitation and purpose limitation; the right to information; the exercise of the rights of data subjects); the seriousness of the violation, which involved the use of the individualized company email address after the termination of the employment relationship; the duration of the violation; the number of data subjects involved in the violations ascertained, equal to one; with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the objective elements of the Company's conduct and its degree of responsibility were taken into consideration, as it violated the duty of diligence provided for by the law and did not comply with the data protection regulations in relation to a plurality of provisions; indeed, the Company, during the proceedings, repeatedly stated that the processing relating to the individualized company email address assigned to a worker does not involve the processing of personal data other than the surname of the data subject, despite the public online availability of the numerous provisions of the Authority and the rulings of the case law on the matter.
It is also considered that the economic conditions of the offender, determined on the basis of the revenues achieved by the Company according to the abbreviated financial statement for the year 2023 (the last available), are relevant in this case, in light of the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the fine (art. 83, par. 1, of the Regulation). In light of the above elements and the assessments made, it is considered appropriate, in this case, to apply to Sicurnet Liguria S.r.l. the administrative sanction of the payment of a sum equal to Euro 8,000 (eight thousand/00). In this context, it is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this section containing the injunction order on the website of the Guarantor. This is in consideration of the specific characteristics of the case under consideration, in particular having assessed the conduct of the Company, which during the investigation confirmed its belief that it was not processing the complainant's personal data in the context of the processing of the individualized company email account assigned to the complainant. This circumstance reveals the Company's lack of basic essential knowledge regarding the processing of personal data.
NOW, CONSIDERING ALL THE ABOVE, THE GUARANTOR
pursuant to articles 57, par. 1, letter f) and 83 of the Regulation, notes the unlawfulness of the processing carried out by Sicurnet Liguria S.r.l., in the person of its legal representative, with registered office in Via Fieschi 20/1 (GE), C.F. 01426730998, in the terms set out in the motivation, for the violation of articles 5, par. 1, letters a), b), c), e), 12, 13, 15 and 17 of the Regulation;
ORDERS
pursuant to art. 58, par. 2, letter i) of the Regulation, the same Sicurnet Liguria S.r.l. to pay the sum of Euro 8,000 (eight thousand/00) as an administrative pecuniary sanction for the violations indicated in this provision.
HEREBY ORDERS
therefore Sicurnet Liguria S.r.l. to pay the aforementioned sum of Euro 8,000 (eight thousand/00), according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.
ORDERS
pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website; pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, by filing an appeal with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, January 16, 2025
THE PRESIDENT
Stanzione
THE REPORTER
Stanzione
THE GENERAL SECRETARY
Mattei