Garante per la protezione dei dati personali (Italy) - 9751137

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 02.12.2018
Decided: 10.02.2022
Published: 16.03.2022
Fine: 10,000 EUR
Parties: Costampress S.p.A.
National Case Number/Name: 9751137
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Cesar Manso-Sayao

The Italian DPA issued a fine of €10,000 against a company for processing personal data contained in a former employee's computer without adopting internal regulations regarding the handling of employees' IT tools, in violation of Articles 5(1)(a), 12, and 13 GDPR.

English Summary

Facts

A data subject issued a complaint with the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) against his previous employer Costampress S.p.A. (a manufacturer of aluminium components). The data subject alleged that once his employment relationship had been terminated, the company had failed to delete the company email assigned to him, and that he had not been granted access to the company laptop computer and the personal data contained in it.

The company responded to these allegations, stating that after the data subject’s dismissal, he had unilaterally proceeded to delete all the communications in his company email account. The company also explained that in order to protect its legitimate interest, it set up an automatic response system that would notify users of the deactivation of the complainant's mailbox, with an alternative email address to send messages relating to the activities carried out by the complainant within the company. According to the employer, this lasted for a month and a half, and then the email account itself was completely deactivated.

Furthermore, the company stated that once the relationship was terminated, the data subject’s company laptop was given to an expert IT consultant to carry out an inspection. This was based on a legitimate suspicion that the hard disk might contain elements that could be used to refute the authenticity of documents which were subject to a separate legal dispute between the claimant and the company in a Specialised Business Section Court in Venice.

Additionally, during the preliminary phase of the proceedings, the Garante expressed concerns related to this data processing carried out on the data subject’s hard disk, due to an absence of specific company regulations regarding the handling of IT systems used by employees. The company addressed these concerns, noting that among the tasks entrusted to the complainant, one was precisely the drafting of these regulations, which were never fully completed during his tenure.

Holding

Regarding the alleged failure to delete the data subject’s company email account, the Garante noted, first of all, that the company did not have access to the communications contained in its mailbox following the termination of the employment relationship, since they had been deleted by the complainant upon his dismissal. The Garante also took into consideration the fact that the email account only remained partially active with an automated redirection message for a month and a half, before it was permanently deactivated. Therefore, the Garante did not find any GDPR violations regarding this element of the claim.

With regards to the processing of data contained in the complainant’s company laptop, the Garante once again highlighted the absence of regulations or information provided to employees regarding the company’s handling, possible controls and interventions on these computers, as well as on other tools provided to its workers as part of their employment relationship. The Garante established that it was of no relevance that the task of drafting these regulations was the responsibility of the complainant during his tenure, because any liability deriving from non-compliance with data protection legal obligations by the employee ultimately falls on the company, since the role of data controller is attributed to the company itself and not the employee (without prejudice to the possible civil liability that the employee might have towards the company in this sense).

Moreover, the Garante held that the obligation to provide the information regarding the collection of personal data referred to in Article 13 GDPR, falls on the data controller, who once again, in the context of a work relationship, is the employer. Additionally, the Garante noted the protection of privacy also extends to the workplace, since the boundary between the working/professional sphere, and the strictly private sphere, cannot always be clearly drawn. On this point, the Garante cited European Court of Human Rights case law which considers that Article 8 of the European Convention on Human Rights protects private life without making a distinction between the private and professional spheres.

Based on these considerations, the Garante held that processing of personal data contained in the company computer assigned to the complainant in the absence of internal regulations and information on the handling of employee IT tools, violated the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR, as well as the data subject’s right to information under Articles 12 and 13 GDPR, and issued a fine of €10,000 against the company.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9751137]
Injunction order against Costampress S.p.A. - February 10, 2022
Record of measures
n. 42 of 10 February 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, Avv. Guido Scorza, member and cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");
GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");
GIVEN the complaint submitted pursuant to art. 77 of the Regulation dated 2 December 2018 by Mr. XX towards Costampress S.p.A.;
EXAMINED the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
RAPPORTEUR prof. Pasquale Stanzione;
WHEREAS
1. The complaint against the company and the preliminary investigation.
1.1. With a complaint presented on 2 December 2018, Mr. XX complained about alleged violations of the Regulations by Costampress S.p.A. (hereinafter, the company), with reference to the failure to cancel the company email account XX following the termination of the employment relationship between the company and the complainant and the impossibility of being assigned the company telephone number, which in the past had been a private number, used by the complainant for both business and personal needs. On 28 January 2019 the complainant, supplementing the contents of the complaint, also complained about the impossibility, on 5 October 2018, to "enter the laptop" assigned to the same; on the same date, he also communicated to the authority that he had received a copy of the summons filed by the company at the Court of Venice Section specialized in business matters, specifying that in the same "it can be seen how the company has given consent to third parties to access my private whatsapp conversations between my wife and me".
With regard to the processing of personal data carried out during the proceedings before the Court of Venice, during the investigation, on May 14, 2019, the Office specified that pursuant to art. 160-bis of the Code "the validity, efficacy and usability in judicial proceedings of deeds, documents, and provisions based on the processing of personal data not compliant with provisions of law or regulation remain governed by the relevant procedural provisions".
With a note dated February 25, 2019, the company, in providing feedback to the Office's requests made on January 15, 2019, stated that:
a. "Among the tasks entrusted to the Complainant [...] there was the preparation of the company regulation, concerning - inter alia - the regulation of the use of the company mail account of the workers and the appointment of the System Administrator authorized to view, for Company account, incoming messages to Company accounts. However, the assignment in question was never completed by the current complainant" (note 25.02.2019, p. 3);
b. "The impossibility on the part of the Respondent to provide [...] a" definitive "company regulation is a circumstance attributable exclusively to the applicant [...]" (cit. Note, p. 3);
c. "With reference to the processing carried out on the complainant's corporate e-mail account, it is important to underline that [...] after the dismissal [the complainant], unilaterally, proceeded to delete all communications in his corporate email box" (cit. Note, p. 4);
d. "In order to protect its legitimate interest, the company, starting from 8.10.2018, correctly set up, on the company email account of [the claimant], an automatic response system that would notify users of the deactivation of the complainant's mailbox, with the contextual indication of an alternative e-mail address to which to send the messages relating to the activity carried out and the relationships managed by the latter. " (cit. note, p. 4);
e. the IT Manager of the company stated in this regard that it is "possible to activate the automatic reply only on existing mailboxes", "to activate the mail message it was not necessary to access the mailbox associated with alias XX", "no Costampress employee had access to the mailbox" (cit. note, p. 4);
f. "The data processing carried out on the complainant's mailbox [...] ended on 26.11.2018 when the mailbox was definitively closed" (cit. Note, p. 4);
g. "The [...] sim [the complainant's company] was returned by [the complainant], together with the company telephone, on 13.11.2018, but without the latter providing the codes (PIN and PUK) that would have allowed the unblocking the SIM and the device, which, therefore, were already unusable by the Company "(cit. note, p. 6);
h. "Not being able to use the SIM card in the absence of the relevant PIN and PUK codes, the Company proceeded to request the telephone operator to assign the XX number to a" virgin "SIM" (cit. Note, p. 6);
i. "Not even the new SIM - which was assigned the [aforementioned] number [...] - has never been reassigned to another user and, therefore, is currently unused".
Following a request for further clarifications made by the Authority on 14 May 2019 in relation to which the supplement to the complaint provided by the complainant on 28 January 2019 was taken into consideration, Costampress SpA, on 13 June 2019, declared that:
a. "The Company in "blocking" provisionally [...] [the complainant] access to his account, on 5.10.2018, [...] acted legitimately in order to protect the company assets" (note 06.13.2019, p. 6);
b. the two company computers, fixed and portable, assigned to the complainant have been formatted (cit. note, p. 7);
c. "The processing of the personal data [of the complainant] found inside the company PC, already in use by the Complainant, was carried out by the Company for the purpose of ascertaining and exercising a right of the company in court" (cit. note, p. 9);
d. "Costampress S.p.A. instructed the [...] consultant [...] to carry out a technical consultancy party aimed at analyzing the content of the personal computer used by [the complainant], at Costampress, on 31.10.2018" (cit. note, p. 10);
e. "With reference to the [...] request for clarification [relating to the SIM card and the associated number assigned to the complainant during the employment relationship], the Company has made a change of SIM and points out that the "virgin" SIM, to which the 'user [subject of the complaint] [...] has been the subject of operational checks by the IT manager of the Company [...], who, since its return (13.11.2018) to date, has supervised its conservation" (cit. note, p. 12);
f. "[...] the company makes itself available from now on to request the competent operator to terminate the user due to the telephone number [subject of the complaint] or, possibly, to return it to the Complainant authorizing the portability, on the order of this Authority "(Cit. Note, p. 13).
On 13 October 2019, the complainant sent his counter arguments. Subsequently, on 11 March 2020, the Authority sent a further request for clarification to the company, in relation to which Costampress S.p.A., on 10 April 2020 declared that:
a. "On 26/11/2018 the e-mail address [subject of the complaint] was closed" (cit. Note, 10.04.2020, p. 1);
b. “The Sim is not in use and is properly guarded so that it cannot be used. We therefore confirm that the company telephone number [subject of the complaint] has not been used and even less has been assigned to other people "(cit. Note, p. 1);
c. "This SIM and its telephone number, unless otherwise indicated, will be terminated by 15/05/2020" (cit. Note, p. 1).
With a note dated April 15, 2020, the complainant sent his own considerations regarding the Authority's request to the company with an invitation to provide further clarifications of March 11, 2020.
2. The initiation of the procedure for the adoption of corrective measures and the company's deductions.
On 29 July 2020, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lett. a), c), 6, 12, 13, 20 of the Regulation.
With defense briefs sent on November 2, 2020, the company, with reference to the disputed notification of violations, stated that:
a. the complainant "has held the position of Chief Executive Officer and executive of the Company for several years" (see note cited November 2, 2020, p. 3);
b. the company “resolves [to] the dismissal of the [complainant] from his role as manager; this decision was formalized by the Company with a communication dated 05.10.2018 "(see note cit., p. 3);
c. "A few days after the dismissal of the Complainant, the Company [...] discovered, within the personal file of the [complainant], the existence of two documents hitherto completely unknown, namely: [...] a document called «Stability Pact» [and] a document called «Annual award assignment» ”(see cit. Note, p. 3);
d. "It was therefore decided to submit the laptop to [...] an appraisal on the basis of the legitimate suspicion that the memory of the PC could have residual elements useful to disavow the authenticity of the two documents" (see note cit., P. 4);
e. "The expert investigations conducted by the [consultant] concluded by giving evidence of how a back up of the smartphone device in use by the [complainant] was performed on the memory medium of the laptop" (see note cit., P. 5);
f. "The judging body in the Court of Venice proceeding section specialization Company […] requested by the patronage of Costampress s.p.a. to admit official technical advice, [has] accepted this request [...] authorizing the filing of the hard disk in court "(see note cit., p. 10);
g. with regard to the "disputes concerning the data processing carried out on the hard disk" "with reference to the failure to draft the company regulation on the use of IT systems [...] it is worth recalling that among the tasks entrusted to the Complainant [...], there was precisely the preparation of the company regulation "(see cit. note, p. 18, 19);
h. "The document submitted for examination by the (then) CEO for approval (and never adopted due to the latter's exclusive inconclusiveness), albeit still in a draft state, expressly provided for in art. 6: «- the mailbox, assigned by the Company to the User, is a work tool and is, therefore, accessible at any time by the Data Controller or by his appointees for the performance of his functions or of corporate interests (Article 6.1); - The persons assigned to the e-mail boxes are responsible for the correct use of the same (art. 6.2). - It is forbidden to use the company e-mail box to send internal and external personal messages [...] unless otherwise explicitly authorized (Article 6.3) "" (see note cit., P. 19);
i. "Therefore, the [complainant] was irrefutably aware of what was soon to become the corporate policy in terms of IT infrastructure management and e-mail" (see cit. note, p. 19);
j. “The [complainant] was undeniably granted the possibility, as in fact, to exercise the right of cancellation pursuant to art. 17 GDPR of all their data: indeed [...] the Complainant's PC - initially blocked to avoid the risk of "emptying" of confidential files to which the [complainant] had access through the company server - was immediately unlocked on the day of the communication of the dismissal in order to allow the ex-employee to recover their personal data "(see cit. note, p. 19);
k. "It should be noted in any case [...] how the Company has diligently adopted by resolution to recommend an" Internal Regulations for the use of corporate IT equipment, the Internet, e-mail and company telephone number "also acting as disclosure pursuant to art. 13 GDPR "(see cit. Note, p. 21);
l. "With reference to the maintenance of the individual e-mail [assigned to the complainant]" "this is the exact chronology of events in relation to the deactivation of the [aforementioned account]:
5 October 2018 Costampress s.p.a. dismisses the [complainant] for a justified objective reason;
5 October 2018 at approximately 3.30 pm, Costampress s.p.a. temporarily blocks the [complainant] from accessing his account to avoid retaliation following the news of the dismissal (the Complainant had free access to the company server); the account is reactivated about an hour and a half later in the presence of the [system administrator] of Costampress s.p.a.;
5 October 2018 Costampress s.p.a. requests the [complainant] to return the SIM, company telephone and accessories; the [complainant] declines the company's request.
8 October 2018 Costampress s.p.a. permanently deactivates the company account and enables the automatic response system;
11 October 2018 Costampress s.p.a. gives a mandate to [a] lawyer for the exercise of any criminal actions against the [complainant];
19 October 2018 Costampress s.p.a. again urges the [complainant] to return the SIM and telephone […];
October 31, 2018 the lawyer appoints the expert [...] of the [company specializing in Digital Forensics and incident response];
November 13, 2018 the [complainant] returns the company SIM without PIN and PUK and the telephone;
November 26, 2018 Costampress s.p.a., permanently removes the mailbox [assigned to the complainant] "(see cit. Note, p. 21, 22);
m. "In order to better understand the needs that led Costampress s.p.a. not to immediately remove the Complainant's mailbox, even if deactivating it and setting the automatic reply message for a period of about a month and a half, it must first be borne in mind that the [complainant] held a top position at the time of the dismissal; not only that, the latter, in the last months before the dismissal was negotiating some contracts of primary importance for the Company, such as, by way of example, contracts for the management of electricity and gas utilities" (see note cit., p. 22);
n. "The Company [...] has not operated any automatic redirection of the e-mails received from the account [assigned to the complainant] to a new alternative account to contact the Company" (see note cited, p. 22);
o. "The timely cancellation of the account [assigned to the complainant] would not have allowed the possibility of activating the automatic reply message" (see note cit., P. 23);
p. “Upon receipt of the notice of dismissal, the [complainant], unilaterally, proceeded to cancel all communications present in his company e-mail box” (see note cit., P. 24);
q. “It is not true […] that the [complainant] has been prohibited from deleting their personal data on the phone and / or on the SIM. In fact, from 05.10.2018 - date of dismissal in which the [complainant] in the presence of [the system administrator] deleted all his e-mails - until 13.11.2018, the Complainant continued to have, in absolute freedom of the telephone and the SIM. Only on 13.11.2018, after repeated reminders from the company [the complainant] finally returned the SIM and the smartphone [...] to Costampress s.p.a. without, however, sharing the PIN and PUK codes ”(see cit. note, p. 24, 25);
r. “Company telephone and SIM therefore remained available to the Complainant for 39 days. The mobile phone was returned by the Complainant after the latter had taken steps to restore the factory settings, according to the official procedures [...] for which, as certified by [the system administrator], upon receipt "to his there are no internal files, folders, conversations, contacts and / or other personal data attributable to the [complainant] "such as conversations on the" WhatsApp "app" (see cit. note, p. 25);
s. "the user [subject of this complaint], although originally attributable to the [complainant], was later knowingly transferred by the latter to the Company definitively from 2013 to 2018 [...]. It follows that the aforementioned number telephone has become, in all respects, a corporate user. And in fact, the delivery document [...] prepared by the Company, in the person of the same [complainant] precisely provided "what is listed above (editor's note: company PC, company SIM , Mobile phone [...]) must be returned at the end of the collaboration with the company. In using the above devices, you will still be required to comply with the following limitations: - you will not allow third parties including family members to use mobile phones and PCs - undertakes not to modify or install software programs and / or external applications without explicit authorization from our company or IT department […] »” (see note cit., p. 25);
t. "Therefore, the Complainant could not use the mobile phone for personal purposes as he certainly knew well, for having given himself and received the document with the instructions containing the company policy on the use of the so-called "Devices". And in fact, the contract for the use of the SIM associated with the number [subject of this complaint] was stipulated between Telecom Italia s.p.a. (TIM) and Costampress s.p.a and not between TIM and the [complainant] "(see cit. Note, p. 26);
u. "In any case, even in the unlikely hypothesis in which it is desired, in any case, to consider that an illegal processing of the data contained in the chat archive has occurred due to the" WhatsApp "application, it should be remembered that the [complainant], upon delivery of the SIM to which he is associated with the user [subject of the complaint], as expressly acknowledged by the latter, failed to provide the Company - although it was obliged to do so given the membership of the SIM in the Company, the PIN code and PUK code that would have allowed its use . Consequently, the Respondent had to request from the telephone operator a new virgin SIM with the same telephone number "(see note cit., P. 26);
v. "On the failure to exercise the right to cancellation and portability" "it is important to observe [...] as the Legislative Decree no. 101 of 2018, in compliance with art. 23 of the GDPR, has included the interest in carrying out defensive investigations among those deserving of particular protection. [...] It follows [...] that the request of the Complainant - incidentally completely illegitimate as well as unfounded [...] - must be limited in compliance with the provisions of art. 2-undecies of the Privacy Code "(see cit. Note, p. 26, 27);
w. "The undersigned Company, after having made itself available - both with the supplementary note of 13.06.2019 and with Annex A) to the defensive note of 10.04.2020 - to allow the registration of the SIM by the [complainant] -" on order of this Authority "(never received), instead of ceasing the use [object of this complaint], it deemed it appropriate - prudentially and melius re perpensa - to continue in good faith to pay the relative fee in order to be able to comply with any order portability of this Authority. In the meantime, the SIM has never been used by anyone "(see note cit., P. 27);
x. "Art. 22 paragraph 13 of Legislative Decree 101/2018 of 10.08.2018 [...] established that "For the first eight months from the date of entry into force of this decree, the Guarantor for the protection of personal data takes into account, for the the application of administrative sanctions and within the limits in which it is compatible with the provisions of Regulation (EU) 2016/679, of the phase of first application of the sanctioning provisions "" (see note cit., p. 27);
y. "As you can easily see, in September / October 2018 there was absolute uncertainty about the regulatory context in which the data controllers had to move, a sort of limbo in which even for the operators in the sector it was extremely difficult to identify enlightening guidelines to ensure compliance with the GDPR and the Privacy Code. In other words, during this period, in the absence of an express repeal of Legislative Decree lgs. 196/2003 and pending new implementing measures by this Authority, it was in no way clear which was the applicable discipline to ensure the commitment of the data controllers to guarantee compliance with the new legislation (in particular in terms of privacy by design and privacy by default) "(see cit. note, p. 28);
On November 2, 2021, the company sent an addendum to the defense briefs of September 15, 2020.
3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.
3.1. Upon examination of the declarations made to the Authority during the procedure as well as of the documentation acquired, it appears that the Company, as data controller, has carried out some processing operations, referring to the complainant, which do not comply with the regulations on the matter of protection of personal data. In this regard, it should be noted that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor".
3.2. Principle of transparency and absence of information to the interested party.
In this regard, it emerged that the company, through an expert consultant in the field of "Digital Forensics and incident response", carried out the processing of data contained in the personal computer used by the complainant during the period in which he was working for the company, in the absence of a regulation or other specific company document with which it was possible to inform the interested party of the possible controls that Costampress SpA reserved the right to put in place with regard to company PCs or other tools provided to its workers, as part of the employment relationship.
In this regard, the company specified that the preparation of the company regulation, concerning, among other things, the regulation of the use of the company mail account of workers and the appointment of the system administrator authorized to view, on behalf of the company, the incoming messages in the company accounts, would have been the responsibility of the complainant and that the same document was present in a "draft" version at the time of the processing.
The company also specified that it had adopted "with a resolution to recommend an" Internal Regulations for the use of corporate IT equipment, the Internet, e-mail and company telephone number "also providing information pursuant to art. 13 GDPR ". This document, which was provided as an attachment to the defense briefs of September 15, 2020, appears to have been approved by the Board of Directors during the meeting of September 24, 2019 and is dated September 23, 2019.
Having said this, it is therefore ascertained that, in the period in which the check was carried out on the data contained in the computer assigned to the complainant, the company had not adopted any document, in a definitive version and in any case made known to the employees, which regulated the possible controls of the employer on the tools provided by the same to the workers. In confirmation of this, the company, attaching the resolution of the Board of Directors approving the regulation containing the information pursuant to art. 13 of the Regulations, has provided a document drawn up, however, in a much later period, compared to the facts which are the subject of the complaint.
It is of no relevance that the company has declared that the task of drafting the regulation regarding the use of the company mail account of the workers and the appointment of the system administrator authorized to view, on behalf of the company, the incoming messages in the corporate account was attributed to the complainant. Without prejudice, in fact, to any civil liability of the director towards the company, any liability deriving from non-fulfillment of legal obligations by the same, however, falls on the company as the latter assumes the role of data controller.
The obligation to provide the so-called information pursuant to art. 13 of the Regulation, moreover, weighs on the data controller who, in the context of the employment relationship, is, as a rule, the employer, a role covered, in this case, by Costampress S.p.A.
In this regard, it is first noted that, in accordance with the constant orientation of the European Court of Human Rights, the protection of private life also extends to the workplace, considering that it is precisely during the performance of work and/or professional activities that relationships develop in which the personality of the worker is expressed (see articles 2 and 41, paragraph 2, of the Constitution).
Also taking into account that the borderline between the work/professional and the strictly private sphere cannot always be clearly drawn, the Court considers that art. 8 of the European Convention on Human Rights protects private life without distinguishing between the private sphere and the professional sphere (see Niemietz v. Allemagne, 16.12.1992 (rec. No. 13710/88), spec. Para. 29; Copland v. UK, 03.04.2007 (ref. No. 62617/00), spec. Par. 41; Bărbulescu v. Romania [GC], 5.9.2017 (ref. No. 61496/08), spec. Par. 70-73; Antović and Mirković v. Montenegro, 28.11.2017 (rec. No. 70838/13), spec. Par. 41-42). Therefore, the processing of data carried out using IT technologies in the context of the employment relationship must comply with respect for fundamental rights and freedoms as well as the dignity of the interested party, for the protection of workers and third parties (see Recommendation CM/Rec (2015) 5 of the Committee of Ministers to the Member States on the processing of personal data in the employment context, spec. Point 3).
The processing carried out by the company is therefore, as regards the lack of information to the interested party, in violation of art. 13 of the Regulation, according to which the data controller is required to provide the interested party - before the start of the processing - all the information relating to the essential characteristics of the processing itself, as well as art. 12 of the Regulation which states that "the data controller takes appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14" of the Regulation. In the context of the employment relationship, the obligation to inform the interested party is also an expression of the general principle of fairness of processing, enshrined in art. 5, par. 1, lett. a) of the Regulation.
With reference to the persistent activity of the company e-mail account, following the termination of the employment relationship (5.10.2018) until its definitive deactivation (based on the statements made by the company, which took place on 26.11.2018), taking into account the short period of time that has elapsed and considering that the company has declared that it has not had access to the communications received on the account in question after the termination of the employment relationship, it is considered appropriate to archive the specific finding under dispute.
With reference to the profiles relating to the SIM card, to which the telephone number used by the complainant was associated also for the performance of the work activity, considering the defensive briefs presented by the company, having regard to the document of delivery to the worker, among other things, of the SIM and the associated telephone number, signed by the complainant himself in which it is specified that the material delivered "must be returned at the end of the collaboration with the company", the disputed findings in this regard are considered overcome and therefore it is considered appropriate to archive the related dispute.
With reference to the request for telephone number portability, considering the provisions of art. 20 of the Regulation regarding the conditions necessary for the exercise of this right, it is not considered that, in this case, there are grounds for adopting sanctions in relation to the violation of art. 20 of the Regulation contained in the notification of violation, and it is therefore considered that the part concerning this specific profile subject to dispute should be archived.
Finally, with regard to the alleged inability to access the complainant's computer on 5 October 2018, no evidence of the violation of the personal data discipline was found and therefore there are no grounds for adopting sanctions in this regard.
4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.
For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the act of initiating the procedure with reference to Articles 5, par. 1, lett. a), 12 and 13, and that they are therefore insufficient to allow this proceeding to be archived, since, moreover, with reference to these profiles, none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.
The processing of personal data carried out by the company is in fact unlawful, in the terms set out above, in relation to articles 5, par. 1, lett. a) (principle of fairness), 12 and 13 (information to the interested party) of the Regulation.
Given the corrective powers attributed by art. 58, par. 2, of the Regulation, a pecuniary administrative sanction is imposed pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
At the outcome of the procedure it appears that Costampress S.p.A. has violated articles 5, par. 1, lett. a), 12 and 13 of the Regulation. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction set out in art. 83, par. 5, lett. a) and b) of the Regulation is provided for, through the adoption of an injunction order (Article 18, Law 11/24/1981, n. 689).
Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the legal maximum provided for by the same art. 83, par. 5.
With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulation), it is stated that, in the present case, the following circumstances were considered:
a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, concerning the general principles of processing, including the principle of fairness;
b) with reference to the willful or negligent nature of the violation and the degree of responsibility of the data controller, the conduct of the Company and its degree of responsibility were taken into consideration, since it did not comply with a plurality of provisions of the data protection regulations;
c) the absence of specific precedents was taken into account in favor of the Company.
It is also believed that, in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), relevance attaches first of all to the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the ordinary financial statements for the year 2020. Lastly, the extent of the sanctions imposed in similar cases is taken into account.
In light of the elements indicated above and the assessments made, it is considered, in this case, to apply the administrative sanction of payment of a sum equal to Euro 10,000 (ten thousand) to Costampress S.p.A.
In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of processing, in particular the principle of fairness, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision should be published on the Guarantor's website.
It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 are met.
WHEREAS, THE GUARANTOR
finds the processing carried out by Costampress S.p.A., in the person of its legal representative, with registered office in Via Taliercio 13, Scorzè (VE), Tax Code 00273100271, to be unlawful, pursuant to art. 143 of the Code, for the violation of arts. 5, par. 1, lett. a), 12 and 13 of the Regulation;
DETERMINES
to archive the objection adopted against Costampress S.p.A., in the person of the pro-tempore legal representative, with deed of 29 July 2020, limited to the violation of articles 5, par. 1, lett. a) and c), and 6, as well as art. 20 of the Regulation;
ORDERS
Costampress S.p.A., pursuant to art. 58, par. 2, lett. i) of the Regulation, to pay the sum of € 10,000 (ten thousand) as a pecuniary administrative sanction for the violations indicated in this provision;
ENJOINS
the same Company, therefore, to pay the aforementioned sum of 10,000 (ten thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of the d. lgs. n. 150 of 1.9.2011 envisaged for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);
PROVIDES FOR
the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 are met.
Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, February 10, 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE SECRETARY GENERAL
Mattei