Garante per la protezione dei dati personali (Italy) - 9771545
Authority: Garante per la protezione dei dati personali (Italy)
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(e) GDPR; Article 12(3) GDPR; Article 13 GDPR; Article 15 GDPR
Parties: Palumbo Superyacht Ancona s.r.l.
National Case Number/Name: 9771545
European Case Law Identifier: n/a
Original Source: Garante per la Protezione dei Dati Personali (in IT)
The Italian DPA fined Palumbo Superyacht Ancona €50,000 for, among other things, violating the principles of fairness and storage limitation by illegally keeping a former independent contractor's work email account active and preventing her from accessing it.
English Summary
Facts
On 29 September 2020, the Italian DPA received a complaint from a former commercial agent for Palumbo Superyacht Ancona s.r.l. The data subject is the former commercial agent. The controller is Palumbo Superyacht Ancona.
On 23 June 20, the controller blocked the data subject from using her work email address without any notice. She was not allowed to retrieve any information from the account beforehand. The data subject's requests for access to the account were ignored by the controller.
The controller stated that the contract with the data subject was terminated over the disclosure of confidential information and that out-of-court proceedings over said disclosure were ongoing. The controller claimed that the data subject's email account was kept active to investigate the alleged breach of confidentiality, and to store information for later use in the proceedings. The controller argued that the processing was in compliance with the principles of necessity and data minimization, as it neither used the account itself nor allowed third parties access. The controller also stated that it made itself available to discuss ways for the data subject to access her account and retrieve her personal data, while ensuring that she could not alter the information present.
The DPA found that the controller did not provide the data subject with sufficient information on its policies regarding work emails. Furthermore, the DPA found that the controller was unable to prove compliance with the information duties under Article 13 GDPR, as the information allegedly provided to the data subject did not meet the requirements laid down in said Article, and the relevant documentation was not signed by the data subject. The DPA further noted that email accounts are not a suitable tool to store data for later use as evidence in proceedings.
Holding
The Italian DPA held that the controller violated the principle of fairness and in particular the principle of storage limitation by keeping the data subject's account active after blocking her access to it (Article 5(1)(a) and (e) GDPR). The DPA specified that, according to its own case law, work emails of employees must be deactivated at the end of the employment relationship. The DPA further clarified that the data rights of workers must be protected in the employment relationship regardless of the legal nature of the relationship itself. The data subject's position as an independent contractor thus did not change this.
The DPA also held that Article 13 GDPR was violated, as the controller failed to provide the data subject with the required information on the processing of her personal data. Finally, the DPA held that the company violated Articles 12(3) and 15 GDPR by failing to respond to the data subject's access request.
The DPA ordered the controller to adopt suitable organisational and technological measures to allow the data subject to access the email account and to deactivate it within 7 days. It additionally ordered the controller to adopt, within 10 days, an automated system to provide relevant third parties with an alternative (email) address and suitable measures to prevent the display of incoming messages. The DPA further ordered the controller to adopt measures to ensure requests from data subjects to exercise their rights are handled in a suitable and timely manner. The DPA prohibited the controller from further processing personal data on the email account, without prejudice to the preservation necessary for the ongoing procedures regarding the breach of confidentiality. The DPA imposed a fine of €50,000 on the controller.
Comment
The DPA also noted that illegally processed data is generally not admissible as proof under Italian procedural law.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.