Garante per la protezione dei dati personali (Italy) - 9861827

From GDPRhub
Garante per la protezione dei dati personali - no. 9861827
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.02.2019
Decided: 11.01.2023
Published:
Fine: 5,000 EUR
Parties: Reweb s.r.l.
National Case Number/Name: no. 9861827
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (Italy) (in IT)
Initial Contributor: mg

The Italian DPA fined a controller for not having deactivated a work email account at the end of the employment. The defense of legal claims in civil proceedings does not exclude proportionality of processing.

English Summary

Facts

A controller (Reweb s.r.l.) provided a data subject with a work email account in order to manage some customers of the firm. The data subject was not directly employed by the controller, but just supported the company´s activity as an external consultant. At some point, the cooperation between the controller and the data subject was interrupted for unknown reasons. Short afterwards Reweb started a civil proceeding against the consultant.

Despite the end of the cooperation and an explicit request by the data subject, the controller refused to immediately close the email account. To the contrary, the controller read the correspondence between the data subject and their clients and rerouted clients´ messages to another email account. The controller claimed that this operation was necessary to manage commercial relationships with the customers with whom the data subject was in contact. Moreover, Reweb processed personal data under Article 6(1)(f) GDPR in order to defend his interests in the civil proceeding pending between the parties.

The Italian DPA started a procedure against the controller for potential violations of Articles 5(1)(a) and (c), 6, 12, 13 and 17 GDPR. At that time, the email account had already been deactivated.

Holding

In the first place, the Italian DPA ascertained that the controller never provided the data subject with the privacy policy under Article 13 GDPR. Incidentally, the DPA also found that such a privacy policy was not complete and did not comply with the GDPR requirements.

In addition, the DPA found no appropriate legal basis for the processing. It is true that to keep contact with the clients and to exercise its legal claims was a legitimate interest of the controller. However, there were less intrusive means to achieve the same results. An automated message informing clients that the account was no longer functioning, for instance, would have been an adequate solution with regard to the data minimisation principle. Article 6(1)(f) was instead interpreted in a disproportionate way: a legitimate interest of the controller cannot restrict the core of the right to data protection. In particular, the controller should not have read the content of the emails and rerouted them to another account.

Finally, the controller violated Article 12 GDPR, as it did not facilitate the data subject´s exercise of their rights, especially the right to erasure under Article 17 GDPR.

In view of the above, the Italian DPA used its powers under Articles 58(2) and 83 GDPR to fine the controller €5.000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9861827]

Injunction against Reweb s.r.l. - January 11, 2023

Register of measures
no. 8 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

CONSIDERING the complaint presented pursuant to art. 77 of the Regulation on 25 February 2019 and spontaneously regularized on 17 April 2019 by Mrs. XX against Reweb s.r.l.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint dated 25 February 2019, then spontaneously regularized on 17 April 2019, Ms. XX complained about alleged violations of the Regulation by Reweb s.r.l. (hereinafter, the Company), with reference to the persistent activity of the company e-mail account which remained active after the interruption of the collaboration relationship and to access to the same account.

With a note dated 8 July 2019, in responding to the Office's requests, the Company stated that:

“starting from March 2018, there was a gap between the company Reweb s.r.l. and IT Distribution Soc. Coop. negotiations aimed at defining the acquisition of the latter by the former" (see note 8/7/2019 cit., p. 1);

the complainant, a representative of IT Distribuzione Soc. Coop, “participated together with Reweb s.r.l. at the automation fair Save [...], with the task of collaborating with [Reweb s.r.l.] to promote a common supplier; with the agreement that [...] the [claimant] would collaborate, using the name of Reweb s.r.l.” (see cited note, p. 1, 2);

"the e-mail address XX was activated on 19 October 201[8], to allow it to relate, as agreed, with potential customers met at the event" (see cited note, p. 2) ;

“on 23 December 201[8] the negotiation between Reweb s.r.l. and IT Distribution Soc. Coop. was interrupted” (see note cit., p. 2);

"on 14 January 2019 the [complainant] requested the deactivation of the e-mail address [assigned to her]" (see cited note, p. 2);

“on 31 January 2019 Reweb s.r.l. found the [complainant], informing her that the e-mail address would remain active for the time necessary to find out who, among the potential customers met at the [...] Save fair, had attempted to contact Reweb s.r.l." (see cited note, p. 2);

"Further reminders from the [complainant] followed, also via certified e-mail dated 18 February 2019" (see cited note, p. 2);

"the e-mail account was thus deactivated at the end of February 2019" (see cited note, p. 2);

"it should be noted that from 14 January 2019 until the date of deactivation, no message was sent from the [mailbox in question] or received, except those sent by the [complainant] itself, evidently for the purpose of verifying the closure of the same" (see cited note, p. 2);

"it was not decided to set up an automatic response message to warn senders of the imminent deactivation of the address and of the non-attribution of the same to the [complainant]; this information was provided to potential customers met at the Save fair directly by Reweb personnel s.r.l., via personalized e-mail messages” (see cited note, p. 2);

"the reason why the e-mail address has not been deactivated immediately consists in the exercise, by Reweb s.r.l., not only in the interest, which is certainly considered legitimate, not to interrupt ex abruptly the contacts with customers that the [complainant] had contacted acting on behalf of Reweb s.r.l. itself, using its name, but also to protect the interest - equally legitimate - of the holder of the exercise of his rights in court" (see cited note, p. 2);

“the case is in fact pending [before the] Court of Reggio Emilia, between Reweb s.r.l. and IT Distribuzione Soc. Coop., concerning compensation for damages for pre-contractual liability. [...] relevant in the reconstruction of the facts from which IT Distribuzione's pre-contractual liability derives, it is precisely the behavior assumed by the [complainant] in relations with potential customers met at the Save fair [...], entertained through the postal address electronics [in question]" (see cited note, p. 3);

"the processing carried out by Reweb on the e-mail address [assigned to the complainant] is therefore lawful, as justified by a dual, legitimate interest of the owner: firstly, to allow the temporary management of potential customers and, secondly, allow for the protection of one's rights in the courts” (see note cited, p. 3);

"for each account, to date, the address [...] has been [...] deactivated" (see cited note, p. 3).

In response to the 8 July 2019 response, the Company also attached a copy of the summons notified to IT Distribuzione.

On March 12, 2020, following a request for further clarification sent by this Department, the Company stated that:

- "the use of the ordinary e-mail box [assigned to the complainant] has been limited in time and aimed exclusively at protecting commercial relations with customers contacted by the [complainant] in the name and on behalf of Reweb s.r.l. [...] as well as for the protection of the rights of Reweb s.r.l. in court" (note 12/3/2020 cited. p. 1);

- “the dispute between Reweb s.r.l. and IT Distribution Soc. Coop. with regard to the pre-contractual liability of the latter, it has been in existence, judicially, since 18 March 2019 [...] while the dispute, in an out-of-court settlement, is certainly more dating back, at least since December 2018" (cited note, p . 2).

To the further clarifications, the Company also attached a copy of the "regulation of use of e-mail" specifying that the same regulation "is not provided with a certain date, but displayed on the Notice Board of Reweb s.r.l. and perfectly knowable" as well as a copy of the e-mails sent on dates prior to the termination of the relationship between the complainant and the Company (dated 11/6/2018, 10/30/2018, 11/6/2018, 11/14/2018, 27 /11/2018, 3/12/2018).

On 2 April 2020, the complainant sent an integration to the complaint containing its counter-arguments.

On 9 November 2020, the Company, following an invitation to provide further feedback, stated that:

- "the data relating to the use of the e-mail account dedicated to the [complainant] were collected exclusively for the purpose of allowing the same, with a view to the collaboration that was about to be undertaken [...] to maintain commercial relations and negotiate them with potential customers procured in the interest of Reweb s.r.l.; all the messages contained in the e-mail box were kept, in digital format, for about a month from the termination of the relationship, and placed on a cloud service provided by Microsoft, called «Microsoft 365»” (note 9/11/2020 cit ., p.1);

- "when the [complainant] communicated to Reweb s.r.l. the intention to interrupt the collaboration [...], the same asked Reweb s.r.l. to immediately cancel the aforementioned e-mail box; on the other hand, Reweb s.r.l. informed her how the e-mail box would be kept active, for another month or so, in order to redirect e-mail messages from potential customers procured on behalf of Reweb s.r.l. to other employees, in order to continue with the negotiation phases, and only for this purpose" (note cit., p. 2);

On 1 December 2020, the complainant presented further counter-arguments.

On 1 July 2021, following a request from the Department, the Company further declared that "the redirection of communications was set to the address of [...], commercial director, precisely in order not to lose those potential customers with whom the [complainant] had made contact during the Save Fair held in October 2018" (cited note, p. 1, 2).

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 28 September 2021, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a) and c), 6, 12, 13, 17, 88 of the Regulation, 113 and 114 of the Code.

With the written defenses sent on October 28, 2021, the Company stated that:

- "the [complainant] should have become the manager of the Industrial IOT division of the exponent" (see note 28/10/2021 cit., p. 2);

- the e-mail address assigned to the claimant "was indicated on the business card specifically printed for the SAVE fair, and bearing the name of the [claimant]. Said account was therefore created on 10.19.2018 solely for the purpose of following the customers of the SAVE fair" (see cited note, p. 2);

- "on 21.12.2018 (more than 2 months after the SAVE fair), the negotiations were interrupted but other collaboration spaces were still left open" (see note cit., p. 2);

- "only on 14.01.2019, the [complainant] communicated that she did not want to follow up on the recall activity on the names of the Save [...] and therefore requested the deactivation of the e-mail address [assigned to her]" (see note cit., p. 2);

- "the [...] deactivation [of the account] was requested after the termination of the negotiations for the acquisition of the company, and in the same communication with which the collaboration relations relating to the said fair ended" (see cited note, p. 2);

- "the aforesaid communication was informal in nature and was sent to the [...] commercial manager [...], not to the legal representative of the company" (see cited note, p. 3);

- "on 01.31.2019, the [commercial director] informally verified the [complainant], informing her that the e-mail address would remain active for the time necessary to identify who, among potential customers, had attempted to contact Reweb itself S.r.l. […]. At the subsequent and formal request of 02.18.2019, sent via PEC and therefore directly to the company itself, the latter, through the undersigned attorney, communicated on 02.26.2019 that the data processing carried out by Reweb S.r.l., adopted according to all the provisions by law, was attributable to the need not to jeopardize the company's ability to assert its rights in court. In the following days, the account was deactivated and shortly afterwards the company served a writ of summons before the Court of Reggio Emilia, with a request for assessment and conviction for pre-contractual liability, against the conduct of the [claimant] who had first contacted the names (collected at the SAVE fair) under the name of Reweb, being the stand at the fair in the name of Reweb, to then communicate that the items would be invoiced by IT Distribuzione [...]. Judicial claim for the submission of which, it was necessary not to immediately delete the account of the [claimant]" (see cited note, p. 3);

- "the [complainant] has never performed duties as an employee nor has she ever been classified as such" (see note cit., p. 3);

- “until 14.01.19, the mailbox [assigned to the complainant] had always been accessible only to the [claimant] herself, and even subsequently no one else had ever accessed that mailbox; that address was in fact forwarded to that of the [sales director], which means that he would only receive any emails that someone who knew the address [assigned to the complainant] would have sent to that address. And it was said that that "someone" could only be the one who, at the SAVE fair, had received the business card with that email address from the same [claimant]" (see note cit., p. 4);

- "the regulations for the use of company e-mail are always signed on the date of formalization of the employment relationship, both employee and non-employee (agents, consultants, etc.)" (see cited note, p. 4);

- "the reason why said regulation had not been made to sign in advance by the [complainant] was solely the fact that, as of the date of SAVE 2018, the latter had not yet signed an employment contract which at that specific moment seemed absolutely imminent (given the very advanced stage of the negotiations)" (see note cit., p. 4);

- "similar provisions are also contained in the safety guide signed by the employees hired in 2013 and 2014" (see cited note, p. 5);

- "no private use could and should have been made by the [claimant]" (see cited note, p. 6);

- "as regards the alleged absence of a legitimation criterion for the conservation of the e-mails sent by the complainant, it is noted that the treatment took place in compliance with the provisions of the legislation on the protection of personal data" and in this regard Articles are referred to. 6, par. 1, lit. f) and 21, par. 1, lit. f), of the Regulation (see cited note, p. 6);

- “in the case in question, a balance has been put in place between the right of each interested party to have their personal data deleted and the right of the owner to protect their rights, also in judicial proceedings; balancing that can only be considered proportionate, even in view of the type of personal data processed, not even included among the so-called "particulars"" (see note cit., p. 7);

- "with reference [...] to the failure to activate an automatic response system, proof was provided of the fact that on 15.01.19, and therefore exactly the day following the (informal) deactivation request, the company Reweb provided to communicate immediately to the names of customers collected at the SAVE fair [...] that the [complainant] no longer collaborated with the exponent and therefore to refer to Reweb personnel" (see cited note, p. 8);

- "the company has always responded promptly to the requests of the [complainant] (the fact that these requests were not immediately accepted is a very different matter [...])" (see cited note, p. 8);

- "the first request sent on 14.01.2019, which was said to be of an informal nature and, moreover, included in a broader communication in which this email address was barely mentioned, in fact the communication concerned the intention to no longer follow up the recall activity on the names of the Save, was found on 01.31.2019, and therefore well within the 30-day deadline set by the law.The formal cancellation request, sent by PEC on 02.18.2019, was found in date 26.02.2019, therefore again within the terms" (see cited note, p. 8);

- "all employees and collaborators sign a precise regulation on the use of e-mail accounts, at the time of signing the employment contract, as well as [...] this regulation was in any case posted on the company bulletin board and [...] the same provided for the ban on the use of the mail account for non-work purposes (which is also said with regard to article 83, paragraph 2, letter d). […] at the time of the activation of the [complainant's] account, the negotiations for her employment (and for the acquisition of her company) were very advanced, and […] the interruption of these negotiations [… ] led to the establishment of a civil sentence for pre-contractual liability, for which it was necessary to maintain the account de quo (this is said with regard to article 83, paragraph 2, letter a, therefore it is essential to also note that the treatment concerns only one interested party). For this provision of the Regulation, as well as for the provisions of letter g), it is specified that the personal data in question do not fall into the category of particular data and that they consist solely of the email address made up of the surname and the first letter of the name […]; that the overall duration of the treatment was not even five months, from mid-October 2018 to the end of February 2019; that from the first informal request for cancellation to the actual cancellation, no more than a month and a half has passed, during which all the contacts collected, the only subjects aware of this email address, were notified that the same could not no longer be associated with the [complainant] no longer cooperating with Reweb; that from the formal request for cancellation via PEC to the actual cancellation, just two weeks passed; that one month after the formal request the introductory act of the civil judgment was filed. It is therefore believed that, if any violation were to be identified, the same can only be traced back to a fault by Reweb and not to its willful misconduct, being the same fully convinced of being able to keep the box active in order to be able to ascertain its right in court, as well as to exclusively protect commercial relations with customers contacted by the [complainant] on behalf of Reweb at the SAVE 2018 fair (this is said with regard to article 83, paragraph 2, letter b). It should also be noted that: this is the first proceeding by the Guarantor (this is said with regard to article 83, paragraph 2, letter i), that the authority became aware of the violation through a complaint from the interested party (art. 83, paragraph 2, letter h), and that Reweb has always collaborated with the Authority promptly meeting requests for clarification and document production (art. 83, paragraph 2, letter f). Finally, according to the provision of art. 83, par. 2, lit. d), the privacy information is printed" (see cited note, p. 9, 10).

Following the Company's request, a hearing was held on 21 April 2022. On that occasion, the party represented that:

- “the company has not established any collaboration relationship with the complainant. Starting from March-April 2018, negotiations had begun between the company Reweb s.r.l. and IT Distribuzione for the acquisition of the latter by the company";

- "the company sent an e-mail to the contacts gathered at the fair stand (about 50, 60) specifying that the complainant was no longer acting on behalf of Reweb [...]. The complainant was told that the account would be redirected to the commercial director of the company";

- "the activation of the account took place not in the context of an employment relationship, but in view of the acquisition of the business unit and subsequent hiring of the [complainant]";

- "from 23 December 2018 until the end of January 2019 I was absent from the company [...]. Therefore, only subsequently was I able to examine the communications of the complainant. The informal request for deactivation of the account was addressed by the complainant to another employee and acknowledged within fifteen days".

3. The outcome of the proceeding.

Following the examination of the statements made to the Authority during the proceedings as well as the documentation acquired, it appears that the Company, in its capacity as owner, has carried out some processing operations referring to the complainant which do not comply with the regulations on the protection of personal data.

In particular, following the termination of the collaboration with the complainant - which in any case had not yet been formalized and which is part of the pre-contractual agreements - the Company kept the e-mail account active with the extension referring to the assigned company to the same, taking vision of the content of the same (so as to produce in court e-mails sent from the same account by the complainant during the collaboration).

The Company has also set up on the latter a system for forwarding incoming communications to the different account of its sales manager.

The Company, therefore, at least until the end of February 2019 (even if in the summons presented by Reweb s.r.l. against IT Distribuzione and produced before the Authority by the same Company it is declared that the definitive closure of the account in question is which took place at the beginning of March, see defense writings of 10.28.2021, p. 7), read the electronic communications relating to the account assigned to the complainant.

This emerged from an examination of the Company's statements and some e-mails that were produced in the pending case between Reweb s.r.l. and IT Distribution, in particular dated 30/10/2018, 6/11/2018, 14/11/2018, 27/11/2018, 3/12/2018.

It should be noted that the Company has declared that the "out-of-court dispute" with the complainant began "at least since December 2018".

In relation to the profile relating to the production in court of e-mails taken from the account assigned to the complainant, it is specified, in any case, that on the basis of art. 160-bis of the Code "the validity, effectiveness and usability in judicial proceedings of deeds, documents and provisions based on the processing of personal data that do not comply with the provisions of the law or the Regulations remain governed by the pertinent procedural provisions".

It should be noted that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

3.1. In relation to what emerged during the preliminary investigation, it is necessary to note, first of all, how the Company provided the complainant with an individualized e-mail account with an extension referring to the company which, among other things, according to what was declared by the same Company, has been indicated on the business cards printed for the SAVE fair, in order to be communicated to third parties.

In this regard, the Company has not provided evidence regarding the fulfillment of the provisions of art. 13 of the Regulation towards the complainant with reference to the treatment carried out on the aforementioned account.

In particular, the Company limited itself to attaching a copy of the "Regulations for the use of the company email @reweb.it" to the reply dated 12 March 2020, to which the date of 6 May 2013 is affixed, specifying that the same is without a certain date and which is displayed on the Reweb s.r.l. bulletin board, supporting this statement with the production, attached to the response of 9 November 2020, of a "declaration responsible for the Reweb s.r.l. Administrative Office".

With this declaration, however, the Company limited itself to clarifying, in general terms, that "the IT regulation [of Reweb s.r.l.], as well as the information on data processing also relating to the use of e-mail, are displayed on the bulletin board in the company premises" and that "a copy [of these documents] is delivered to the employee or collaborator at the time of formalization of the employment relationship, as well as that the same can always be consulted and found, to extract a copy, at the [administrative] office, at simple request from the interested party”.

The Company also declared that the reason why "the company e-mail use regulation" "had not been made to sign in advance by the [complainant] was solely the fact that, as of the date of SAVE 2018, this had not yet signed an employment contract that at that specific moment seemed absolutely imminent (given the very advanced stage of the negotiations)" (see defense writings 10/28/2021, p. 4). With this confirming that he never delivered the aforementioned regulation to the complainant.

Furthermore, it is noted that the production of copies of the aforementioned regulation delivered and signed by other subjects cannot be considered a suitable element to prove the exact fulfillment of the provisions of art. 13 of the Regulation, in accordance with the principle of transparency (Article 5, paragraph 1, letter a) of the Regulation), towards the complainant.

With reference to the content of the aforementioned regulation, it is also observed, and in any case, that the specific processing activities that Reweb s.r.l. exercises towards the subjects to whom it assigns an e-mail account with an extension referable to the company.

Not even the "Guide to safety" document which bears the date of 1 May 2013 and which in any case does not appear to have been delivered to the claimant cannot be considered useful for this purpose.

Given this, the conduct held by the Company is in contrast with the provisions of art. 13 of the Regulation, according to which the data controller is required to provide the interested party in advance with all the information relating to the essential characteristics of the treatment and with the provisions of art. 12 of the Regulation ("The data controller adopts appropriate measures to provide the interested party with all the information referred to in articles 13 and 14").

In the context of pre-contractual negotiations, the obligation to inform the interested parties is also an expression of the general principle of correctness (see Article 5, paragraph 1, letter a) of the Regulation).

3.2. In the present case, it was also ascertained that the Company sent "an e-mail to the contacts gathered at the fair stand (about 50, 60) specifying that the complainant was no longer acting on behalf of Reweb", but, not limited to this conduct, it has viewed, in the absence of a legal basis, the correspondence relating to the account of the complainant, received and sent during the collaboration with the same, so as to have produced some of these communications in court, and has set up an automatic system forwarding to a different subject (commercial director) of the e-mails received on the same subject after the termination of the collaboration.

The described conduct of the Company was implemented in the absence of a suitable criterion of legitimacy for carrying out the processing, both in relation to access to the e-mails exchanged during the collaboration and in relation to the same preparation of a forwarding system communications to another account.

Neither the need to maintain relations with customers nor the interest in defending one's right in court, in fact, are elements such as to configure, in the specific case, a suitable criterion for legitimizing the treatment as implemented by the Company .

With regard to the declared need to "not abruptly interrupt contacts with customers that the [complainant] had contacted acting on behalf of Reweb s.r.l. itself, using its name” it is recalled how, according to the consolidated orientation of the Guarantor (among the most recent see Provv. n. 440 of 16 December 2021, web doc. n. 9739653), it achieves an adequate balance of the interests at stake (need to continue the economic activity of the owner and right to privacy of the interested party) the activation of an automatic response system with which alternative addresses are provided to which to contact the owner.

This without the data controller seeing the incoming communications on the individualized account assigned to the interested party. This also derives from the principle of data minimization (Article 5, paragraph 1, letter c) of the Regulation) for which the data controller must only process data that is "adequate, pertinent and limited to what is necessary with respect to the purposes for the which are treated".

The (legitimate) purpose of not losing useful contacts for one's commercial activity, therefore, could have been pursued with less invasive treatments and, therefore, compliant with data protection regulations, compared to that implemented in the present case.

With regard to the "interest [...] of the holder of the exercise of his rights in court" declared by the Company, it is observed that the legitimate interest in processing personal data to defend one's right in court cannot lead to an a priori cancellation of the right to protection of personal data recognized to the interested parties considering, among other things, that the content of the e-mail messages - as well as the external data of the communications and the attached files - concern forms of correspondence assisted by guarantees of secrecy protected also constitutionally, the ratio of which it lies in protecting the essential core of human dignity and the full development of the personality in social formations; further protection derives from the penal provisions protecting the inviolability of secrets (articles 2 and 15 of the Constitution; Constitutional Court of 17 July 1998, n. 281 and 11 March 1993, n. 81; art. 616, fourth paragraph, Criminal Code; art. 49 Digital Administration Code; see Provision 1 March 2007, no. 13 "Guidelines for electronic mail and the internet", in the Official Gazette no. 58 of 10.3.2007).

The conduct held by the Company does not, therefore, comply with the principles set out in art. 5, par. 1, lit. a) and c) of the Regulation and the provisions of art. 6 of the Regulation.

Considering, in this regard, that the Company has outlined more clearly, with the written defense and during the hearing, the characteristics of the relationship existing in the period of the disputed facts, i.e. that it was a phase prior to the stipulation of a contract of work with the complainant and only of a collaboration of the same with the Company as well as operations of sale of business unit, with regard to the proposed violation of articles 113 and 114 of the Code and 88 of the Regulation, contained in the violation notification of 28 September 2021, however, there are no grounds for adopting measures with reference to this specific profile under dispute.

3.3. Lastly, it is believed that the Company has not provided a suitable response to the cancellation request presented by the complainant as dated 31 January 2019; while providing an answer to the interested party, it in fact failed to indicate to the complainant the specific reasons why it could not have followed up on the request for cancellation of the e-mail account as well as the right to lodge an appeal with the judicial authority or a complaint to the Guarantor, as required by art. 12, par. 4, of the Regulation, in the event that the data controller does not comply with the request of the interested party.

On that occasion, the Company limited itself to informing the complainant that it would keep the account active "until we recontact all the save leads so that if someone is looking for us and had your @Reweb references from the fair, they can find. In a month or two we will break it up”.

In this regard, the Company's objection according to which the request would have been sent to the commercial manager and not to the legal representative is of no relevance; in this regard, in fact, it is recalled how recently the Guidelines 01/2022 on data subject rights - Right of access, adopted by the EDPB on 18 January 2022 (subject to public consultation concluded on 11 March 2022), have clarified that on data subjects there is an obligation to adopt a certain format for presenting requests to exercise the right of access (see Guidelines 01/2022 cit., point 52 "the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data.Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller" imposes no requirements on data subjects regarding the format of the request for access to personal data.Therefore, in principle, there are no requirements that the data subject must to respect when choosing a communication channel through which to get in touch with the data controller").

Furthermore, it does not appear that the Company has provided a response to what are defined by the Company itself as "further reminders from the complainant", in particular, contrary to what was declared by the Company, the response of 26 February 2019, a copy of which was produced during the proceedings, it does not contain any reference to the request to exercise rights relating to the e-mail account presented again by the complainant on 18 February 2019, but has as its subject "request for damages". The Company also declared that it had deactivated the account at the end of February.

The Company, therefore, has violated the provisions of art. 12 of the Regulation with reference to art. 17 of the Regulation.

Based on the art. 12 of the Regulation, in particular, the data controller "facilitates the exercise of the rights of the interested party pursuant to articles 15 to 22" and "if he does not comply with the request of the interested party, the data controller informs the interested party without delay, and at the latest within one month of receipt of the request, of the reasons for the non-compliance and of the possibility to lodge a complaint with a supervisory authority and to lodge a judicial appeal".

It should also be noted in this regard that, even if the Company had deemed it necessary to limit or exclude the exercise of the right to cancellation pursuant to art. 2-undecies of the Code ("Limitations to the rights of the interested party") for "the exercise of a right in court", should have communicated the limitation of the aforementioned right to the complainant, motivating this decision. The art. 2-undecies paragraph 3 of the Code establishes, in fact, that "the exercise of rights may, in any case, be delayed, limited or excluded with reasoned communication and made without delay to the interested party, unless the communication could compromise the purpose of the limitation, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard [the interest in exercising a right in court]" .

4. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the preliminary investigation do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and that they are therefore unsuitable to allow the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

The processing of personal data carried out by the Company and in particular access to the e-mail account with the forwarding to another account of incoming communications on the individualized account assigned to the complainant during collaboration with the Company and the unsuitable response to the request for cancellation presented by the claimant, it is in fact illegal, in the terms set out above, in relation to articles 5, par. 1, lit. a) and c), 6, 12 also with reference to art. 17, 13 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature and seriousness of the violation itself, the degree of responsibility, the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in the light of the specific case, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding it appears that Reweb s.r.l. has violated the articles 5, par. 1, lit. a) and c), 6, 12 also with reference to art. 17, 13 of the Regulation. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction envisaged by art. 83, par. 5, letter. b) of the Regulation, through the adoption of an injunction order (art. 18, l. 24.11.1981, n. 689).

Considering it necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the fine must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned, among other things, the general principles of processing, including the principles of lawfulness, correctness and minimisation; the violation also concerned the rules on the exercise of rights;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same was taken into consideration which did not comply with the data protection regulations in relation to a plurality of provisions;

c) in favor of the Company, account was taken of the cooperation with the Supervisory Authority demonstrated during the proceeding and the fact that the treatment concerned only one interested party.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues earned by the Company with reference to the condensed financial statements for the year 2021. Lastly, the entity of the sanctions imposed in similar cases is taken into account.

In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply against Reweb s.r.l. the administrative sanction of the payment of a sum equal to 5,000 (five thousand) euros.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of treatment, and the rules on the exercise of rights, that pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by Reweb s.r.l., in the person of its legal representative, with registered office in Via Ferruccio Ferrari, 6, (RE), C.F. 02026760351, pursuant to art. 143 of the Code, for the violation of the articles 5, par. 1, lit. a) and c), 6, 12 also with reference to art. 17, 13 of the Regulation;

DETERMINE

to file the dispute adopted against Reweb s.r.l., in the person of the legal representative, with deed dated 28 September 2021, limited to violations of articles 88 of the Regulation, 113 and 114 of the Code;

ORDER

pursuant to art. 58, par. 2, lit. i) of the Regulations to Reweb s.r.l., to pay the sum of 5,000 (five thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOYS

then to Reweb s.r.l. to pay the aforementioned sum of 5,000 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions pursuant to art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 11 January 2023

PRESIDENT
station

THE SPEAKER

station

THE SECRETARY GENERAL
Matthew

[doc. web no. 9861827]

Injunction against Reweb s.r.l. - January 11, 2023

Register of measures
no. 8 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

CONSIDERING the complaint presented pursuant to art. 77 of the Regulation on 25 February 2019 and spontaneously regularized on 17 April 2019 by Mrs. XX against Reweb s.r.l.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint dated 25 February 2019, then spontaneously regularized on 17 April 2019, Ms. XX complained about alleged violations of the Regulation by Reweb s.r.l. (hereinafter, the Company), with reference to the persistent activity of the company e-mail account which remained active after the interruption of the collaboration relationship and to access to the same account.

With a note dated 8 July 2019, in responding to the Office's requests, the Company stated that:

“starting from March 2018, there was a gap between the company Reweb s.r.l. and IT Distribution Soc. Coop. negotiations aimed at defining the acquisition of the latter by the former" (see note 8/7/2019 cit., p. 1);

the complainant, a representative of IT Distribuzione Soc. Coop, “participated together with Reweb s.r.l. at the automation fair Save [...], with the task of collaborating with [Reweb s.r.l.] to promote a common supplier; with the agreement that [...] the [claimant] would collaborate, using the name of Reweb s.r.l.” (see cited note, p. 1, 2);

"the e-mail address XX was activated on 19 October 201[8], to allow it to relate, as agreed, with potential customers met at the event" (see cited note, p. 2) ;

“on 23 December 201[8] the negotiation between Reweb s.r.l. and IT Distribution Soc. Coop. was interrupted” (see note cit., p. 2);

"on 14 January 2019 the [complainant] requested the deactivation of the e-mail address [assigned to her]" (see cited note, p. 2);

“on 31 January 2019 Reweb s.r.l. found the [complainant], informing her that the e-mail address would remain active for the time necessary to find out who, among the potential customers met at the [...] Save fair, had attempted to contact Reweb s.r.l." (see cited note, p. 2);

"Further reminders from the [complainant] followed, also via certified e-mail dated 18 February 2019" (see cited note, p. 2);

"the e-mail account was thus deactivated at the end of February 2019" (see cited note, p. 2);

"it should be noted that from 14 January 2019 until the date of deactivation, no message was sent from the [mailbox in question] or received, except those sent by the [complainant] itself, evidently for the purpose of verifying the closure of the same" (see cited note, p. 2);

"it was not decided to set up an automatic response message to warn senders of the imminent deactivation of the address and of the non-attribution of the same to the [complainant]; this information was provided to potential customers met at the Save fair directly by Reweb personnel s.r.l., via personalized e-mail messages” (see cited note, p. 2);

"the reason why the e-mail address has not been deactivated immediately consists in the exercise, by Reweb s.r.l., not only in the interest, which is certainly considered legitimate, not to interrupt ex abruptly the contacts with customers that the [complainant] had contacted acting on behalf of Reweb s.r.l. itself, using its name, but also to protect the interest - equally legitimate - of the holder of the exercise of his rights in court" (see cited note, p. 2);

“the case is in fact pending [before the] Court of Reggio Emilia, between Reweb s.r.l. and IT Distribuzione Soc. Coop., concerning compensation for damages for pre-contractual liability. [...] relevant in the reconstruction of the facts from which IT Distribuzione's pre-contractual liability derives, it is precisely the behavior assumed by the [complainant] in relations with potential customers met at the Save fair [...], entertained through the postal address electronics [in question]" (see cited note, p. 3);

"the processing carried out by Reweb on the e-mail address [assigned to the complainant] is therefore lawful, as justified by a dual, legitimate interest of the owner: firstly, to allow the temporary management of potential customers and, secondly, allow for the protection of one's rights in the courts” (see note cited, p. 3);

"for each account, to date, the address [...] has been [...] deactivated" (see cited note, p. 3).

In response to the 8 July 2019 response, the Company also attached a copy of the summons notified to IT Distribuzione.

On March 12, 2020, following a request for further clarification sent by this Department, the Company stated that:

- "the use of the ordinary e-mail box [assigned to the complainant] has been limited in time and aimed exclusively at protecting commercial relations with customers contacted by the [complainant] in the name and on behalf of Reweb s.r.l. [...] as well as for the protection of the rights of Reweb s.r.l. in court" (note 12/3/2020 cited. p. 1);

- “the dispute between Reweb s.r.l. and IT Distribution Soc. Coop. with regard to the pre-contractual liability of the latter, it has been in existence, judicially, since 18 March 2019 [...] while the dispute, in an out-of-court settlement, is certainly more dating back, at least since December 2018" (cited note, p . 2).

To the further clarifications, the Company also attached a copy of the "regulation of use of e-mail" specifying that the same regulation "is not provided with a certain date, but displayed on the Notice Board of Reweb s.r.l. and perfectly knowable" as well as a copy of the e-mails sent on dates prior to the termination of the relationship between the complainant and the Company (dated 11/6/2018, 10/30/2018, 11/6/2018, 11/14/2018, 27 /11/2018, 3/12/2018).

On 2 April 2020, the complainant sent an integration to the complaint containing its counter-arguments.

On 9 November 2020, the Company, following an invitation to provide further feedback, stated that:

- "the data relating to the use of the e-mail account dedicated to the [complainant] were collected exclusively for the purpose of allowing the same, with a view to the collaboration that was about to be undertaken [...] to maintain commercial relations and negotiate them with potential customers procured in the interest of Reweb s.r.l.; all the messages contained in the e-mail box were kept, in digital format, for about a month from the termination of the relationship, and placed on a cloud service provided by Microsoft, called «Microsoft 365»” (note 9/11/2020 cit ., p.1);

- "when the [complainant] communicated to Reweb s.r.l. the intention to interrupt the collaboration [...], the same asked Reweb s.r.l. to immediately cancel the aforementioned e-mail box; on the other hand, Reweb s.r.l. informed her how the e-mail box would be kept active, for another month or so, in order to redirect e-mail messages from potential customers procured on behalf of Reweb s.r.l. to other employees, in order to continue with the negotiation phases, and only for this purpose" (note cit., p. 2);

On 1 December 2020, the complainant presented further counter-arguments.

On 1 July 2021, following a request from the Department, the Company further declared that "the redirection of communications was set to the address of [...], commercial director, precisely in order not to lose those potential customers with whom the [complainant] had made contact during the Save Fair held in October 2018" (cited note, p. 1, 2).

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 28 September 2021, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a) and c), 6, 12, 13, 17, 88 of the Regulation, 113 and 114 of the Code.

With the written defenses sent on October 28, 2021, the Company stated that:

- "the [complainant] should have become the manager of the Industrial IOT division of the exponent" (see note 28/10/2021 cit., p. 2);

- the e-mail address assigned to the claimant "was indicated on the business card specifically printed for the SAVE fair, and bearing the name of the [claimant]. Said account was therefore created on 10.19.2018 solely for the purpose of following the customers of the SAVE fair" (see cited note, p. 2);

- "on 21.12.2018 (more than 2 months after the SAVE fair), the negotiations were interrupted but other areas of collaboration were still left open" (see cited note, p. 2);

- "only on 14.01.2019, the [complainant] communicated that she did not want to follow up on the recall activity on the names of the Save [...] and therefore requested the deactivation of the e-mail address [assigned to her]" (see note cit., p. 2);

- "the [...] deactivation [of the account] was requested after the termination of the negotiations for the acquisition of the company, and in the same communication with which the collaboration relations relating to the said fair ended" (see cited note, p. 2);

- "the aforesaid communication was informal in nature and was sent to the [...] commercial manager [...], not to the legal representative of the company" (see cited note, p. 3);

- "on 01.31.2019, the [commercial director] informally verified the [complainant], informing her that the e-mail address would remain active for the time necessary to identify who, among potential customers, had attempted to contact Reweb itself S.r.l. […]. At the subsequent and formal request of 02.18.2019, sent via PEC and therefore directly to the company itself, the latter, through the undersigned attorney, communicated on 02.26.2019 that the data processing carried out by Reweb S.r.l., adopted according to all the provisions by law, was attributable to the need not to jeopardize the company's ability to assert its rights in court. In the following days, the account was deactivated and shortly afterwards the company served a writ of summons before the Court of Reggio Emilia, with a request for assessment and conviction for pre-contractual liability, against the conduct of the [claimant] who had first contacted the names (collected at the SAVE fair) under the name of Reweb, being the stand at the fair in the name of Reweb, to then communicate that the items would be invoiced by IT Distribuzione [...]. Judicial claim for the submission of which, it was necessary not to immediately delete the account of the [claimant]" (see cited note, p. 3);

- "the [complainant] has never performed duties as an employee nor has she ever been classified as such" (see note cit., p. 3);

- “until 14.01.19, the mailbox [assigned to the complainant] had always been accessible only to the [claimant] herself, and even subsequently no one else had ever accessed that mailbox; that address was in fact forwarded to that of the [sales director], which means that he would only receive any emails that someone who knew the address [assigned to the complainant] would have sent to that address. And it was said that that "someone" could only be the one who, at the SAVE fair, had received the business card with that email address from the same [claimant]" (see note cit., p. 4);

- "the regulations for the use of company e-mail are always signed on the date of formalization of the employment relationship, both employee and non-employee (agents, consultants, etc.)" (see cited note, p. 4);

- "the reason why said regulation had not been made to sign in advance by the [complainant] was solely the fact that, as of the date of SAVE 2018, the latter had not yet signed an employment contract which at that specific moment seemed absolutely imminent (given the very advanced stage of the negotiations)" (see note cit., p. 4);

- "similar provisions are also contained in the safety guide signed by the employees hired in 2013 and 2014" (see cited note, p. 5);

- "no private use could and should have been made by the [claimant]" (see cited note, p. 6);

- "as regards the alleged absence of a legitimation criterion for the conservation of the e-mails sent by the complainant, it is noted that the treatment took place in compliance with the provisions of the legislation on the protection of personal data" and in this regard Articles are referred to. 6, par. 1, lit. f) and 21, par. 1, lit. f), of the Regulation (see cited note, p. 6);

- “in the case in question, a balance has been put in place between the right of each interested party to have their personal data deleted and the right of the owner to protect their rights, also in judicial proceedings; balancing that can only be considered proportionate, even in view of the type of personal data processed, not even included among the so-called "particulars"" (see note cit., p. 7);

- "with reference [...] to the failure to activate an automatic response system, proof was provided of the fact that on 15.01.19, and therefore exactly the day following the (informal) deactivation request, the company Reweb provided to communicate immediately to the names of customers collected at the SAVE fair [...] that the [complainant] no longer collaborated with the exponent and therefore to refer to Reweb personnel" (see cited note, p. 8);

- "the company has always responded promptly to the requests of the [complainant] (the fact that these requests were not immediately accepted is a very different matter [...])" (see cited note, p. 8);

- "the first request sent on 14.01.2019, which was said to be of an informal nature and, moreover, included in a broader communication in which this email address was barely mentioned, in fact the communication concerned the intention to no longer follow up the recall activity on the names of the Save, was found on 01.31.2019, and therefore well within the 30-day deadline set by the law.The formal cancellation request, sent by PEC on 02.18.2019, was found in date 26.02.2019, therefore again within the terms" (see cited note, p. 8);

- "all employees and collaborators sign a precise regulation on the use of e-mail accounts, at the time of signing the employment contract, as well as [...] this regulation was in any case posted on the company bulletin board and [...] the same provided for the ban on the use of the mail account for non-work purposes (which is also said with regard to article 83, paragraph 2, letter d). […] at the time of the activation of the [complainant's] account, the negotiations for her employment (and for the acquisition of her company) were very advanced, and […] the interruption of these negotiations [… ] led to the establishment of a civil sentence for pre-contractual liability, for which it was necessary to maintain the account de quo (this is said with regard to article 83, paragraph 2, letter a, therefore it is essential to also note that the treatment concerns only one interested party). For this provision of the Regulation, as well as for the provisions of letter g), it is specified that the personal data in question do not fall into the category of particular data and that they consist solely of the email address made up of the surname and the first letter of the name […]; that the overall duration of the treatment was not even five months, from mid-October 2018 to the end of February 2019; that from the first informal request for cancellation to the actual cancellation, no more than a month and a half has passed, during which all the contacts collected, the only subjects aware of this email address, were notified that the same could not no longer be associated with the [complainant] no longer cooperating with Reweb; that from the formal request for cancellation via PEC to the actual cancellation, just two weeks passed; that one month after the formal request the introductory act of the civil judgment was filed. It is therefore believed that, if any violation were to be identified, the same can only be traced back to a fault by Reweb and not to its willful misconduct, being the same fully convinced of being able to keep the box active in order to be able to ascertain its right in court, as well as to exclusively protect commercial relations with customers contacted by the [complainant] on behalf of Reweb at the SAVE 2018 fair (this is said with regard to article 83, paragraph 2, letter b). It should also be noted that: this is the first proceeding by the Guarantor (this is said with regard to article 83, paragraph 2, letter i), that the authority became aware of the violation through a complaint from the interested party (art. 83, paragraph 2, letter h), and that Reweb has always collaborated with the Authority promptly meeting requests for clarification and document production (art. 83, paragraph 2, letter f). Finally, according to the provision of art. 83, par. 2, lit. d), the privacy information is printed" (see cited note, p. 9, 10).

Following the Company's request, a hearing was held on 21 April 2022. On that occasion, the party represented that:

- “the company has not established any collaboration relationship with the complainant. Starting from March-April 2018, negotiations had begun between the company Reweb s.r.l. and IT Distribuzione for the acquisition of the latter by the company";

- "the company sent an e-mail to the contacts gathered at the fair stand (about 50, 60) specifying that the complainant was no longer acting on behalf of Reweb [...]. The complainant was told that the account would be redirected to the commercial director of the company";

- "the activation of the account took place not in the context of an employment relationship, but in view of the acquisition of the business unit and subsequent hiring of the [complainant]";

- "from 23 December 2018 until the end of January 2019 I was absent from the company [...]. Therefore, only subsequently was I able to examine the communications of the complainant. The informal request for deactivation of the account was addressed by the complainant to another employee and confirmed within fifteen days".

3. The outcome of the proceeding.

Following the examination of the statements made to the Authority during the proceedings as well as the documentation acquired, it appears that the Company, in its capacity as owner, has carried out some processing operations referring to the complainant which do not comply with the regulations on the protection of personal data.

In particular, following the termination of the collaboration with the complainant - which in any case had not yet been formalized and which is part of the pre-contractual agreements - the Company kept the e-mail account active with the extension referring to the assigned company to the same, taking vision of the content of the same (so as to produce in court e-mails sent from the same account by the complainant during the collaboration).

The Company has also set up on the latter a system for forwarding incoming communications to the different account of its sales manager.

The Company, therefore, at least until the end of February 2019 (even if in the summons presented by Reweb s.r.l. against IT Distribuzione and produced before the Authority by the same Company it is declared that the definitive closure of the account in question is which took place at the beginning of March, see defense writings of 10.28.2021, p. 7), read the electronic communications relating to the account assigned to the complainant.

This emerged from an examination of the Company's statements and some e-mails that were produced in the pending case between Reweb s.r.l. and IT Distribution, in particular dated 30/10/2018, 6/11/2018, 14/11/2018, 27/11/2018, 3/12/2018.

It should be noted that the Company has declared that the "out-of-court dispute" with the complainant began "at least since December 2018".

In relation to the profile relating to the production in court of e-mails taken from the account assigned to the complainant, it is specified, in any case, that on the basis of art. 160-bis of the Code "the validity, effectiveness and usability in judicial proceedings of deeds, documents and provisions based on the processing of personal data that do not comply with the provisions of the law or the Regulations remain governed by the pertinent procedural provisions".

It should be noted that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

3.1. In relation to what emerged during the preliminary investigation, it is necessary to note, first of all, how the Company provided the complainant with an individualized e-mail account with an extension referring to the company which, among other things, according to what was declared by the same Company, has been indicated on the business cards printed for the SAVE fair, in order to be communicated to third parties.

In this regard, the Company has not provided evidence regarding the fulfillment of the provisions of art. 13 of the Regulation towards the complainant with reference to the treatment carried out on the aforementioned account.

In particular, the Company limited itself to attaching a copy of the "Regulations for the use of the company email @reweb.it" to the reply dated 12 March 2020, to which the date of 6 May 2013 is affixed, specifying that the same is without a certain date and which is displayed on the Reweb s.r.l. bulletin board, supporting this statement with the production, attached to the response of 9 November 2020, of a "declaration responsible for the Reweb s.r.l. Administrative Office".

With this declaration, however, the Company limited itself to clarifying, in general terms, that "the IT regulation [of Reweb s.r.l.], as well as the information on data processing also relating to the use of e-mail, are displayed on the bulletin board in the company premises" and that "a copy [of these documents] is delivered to the employee or collaborator at the time of formalization of the employment relationship, as well as that the same can always be consulted and found, to extract a copy, at the [administrative] office, at simple request from the interested party”.

The Company also declared that the reason why "the company e-mail use regulation" "had not been made to sign in advance by the [complainant] was solely the fact that, as of the date of SAVE 2018, this had not yet signed an employment contract that at that specific moment seemed absolutely imminent (given the very advanced stage of the negotiations)" (see defense writings 10/28/2021, p. 4). With this confirming that he never delivered the aforementioned regulation to the complainant.

Furthermore, it is noted that the production of copies of the aforementioned regulation delivered and signed by other subjects cannot be considered a suitable element to prove the exact fulfillment of the provisions of art. 13 of the Regulation, in accordance with the principle of transparency (Article 5, paragraph 1, letter a) of the Regulation), towards the complainant.

With reference to the content of the aforementioned regulation, it is also observed, and in any case, that the specific processing activities that Reweb s.r.l. exercises towards the subjects to whom it assigns an e-mail account with an extension referable to the company.

Not even the "Guide to safety" document which bears the date of 1 May 2013 and which in any case does not appear to have been delivered to the claimant cannot be considered useful for this purpose.

Given this, the conduct held by the Company is in contrast with the provisions of art. 13 of the Regulation, according to which the data controller is required to provide the interested party in advance with all the information relating to the essential characteristics of the treatment and with the provisions of art. 12 of the Regulation ("The data controller adopts appropriate measures to provide the interested party with all the information referred to in articles 13 and 14").

In the context of pre-contractual negotiations, the obligation to inform the interested parties is also an expression of the general principle of correctness (see Article 5, paragraph 1, letter a) of the Regulation).

3.2. In the present case, it was also ascertained that the Company sent "an e-mail to the contacts gathered at the fair stand (about 50, 60) specifying that the complainant was no longer acting on behalf of Reweb", but, not limited to this conduct, it has viewed, in the absence of a legal basis, the correspondence relating to the account of the complainant, received and sent during the collaboration with the same, so as to have produced some of these communications in court, and has set up an automatic system forwarding to a different subject (commercial director) of the e-mails received on the same subject after the termination of the collaboration.

The described conduct of the Company was implemented in the absence of a suitable criterion of legitimacy for carrying out the processing, both in relation to access to the e-mails exchanged during the collaboration and in relation to the same preparation of a forwarding system communications to another account.

Neither the need to maintain relations with customers nor the interest in defending one's right in court, in fact, are elements such as to configure, in the specific case, a suitable criterion for legitimizing the treatment as implemented by the Company .

With regard to the declared need to "not abruptly interrupt contacts with customers that the [complainant] had contacted acting on behalf of Reweb s.r.l. itself, using its name” it is recalled how, according to the consolidated orientation of the Guarantor (among the most recent see Provv. n. 440 of 16 December 2021, web doc. n. 9739653), it achieves an adequate balance of the interests at stake (need to continue the economic activity of the owner and right to privacy of the interested party) the activation of an automatic response system with which alternative addresses are provided to which to contact the owner.

This without the data controller seeing the incoming communications on the individualized account assigned to the interested party. This also derives from the principle of data minimization (Article 5, paragraph 1, letter c) of the Regulation) for which the data controller must only process data that is "adequate, pertinent and limited to what is necessary with respect to the purposes for the which are treated".

The (legitimate) purpose of not losing useful contacts for one's commercial activity, therefore, could have been pursued with less invasive treatments and, therefore, compliant with data protection regulations, compared to that implemented in the present case.

With regard to the "interest [...] of the holder of the exercise of his rights in court" declared by the Company, it is observed that the legitimate interest in processing personal data to defend one's right in court cannot lead to an a priori cancellation of the right to protection of personal data recognized to the interested parties considering, among other things, that the content of the e-mail messages - as well as the external data of the communications and the attached files - concern forms of correspondence assisted by guarantees of secrecy protected also constitutionally, the ratio of which it lies in protecting the essential core of human dignity and the full development of the personality in social formations; further protection derives from the penal provisions protecting the inviolability of secrets (articles 2 and 15 of the Constitution; Constitutional Court of 17 July 1998, n. 281 and 11 March 1993, n. 81; art. 616, fourth paragraph, Criminal Code; art. 49 Digital Administration Code; see Provision 1 March 2007, no. 13 "Guidelines for electronic mail and the internet", in the Official Gazette no. 58 of 10.3.2007).

The conduct held by the Company does not, therefore, comply with the principles set out in art. 5, par. 1, lit. a) and c) of the Regulation and the provisions of art. 6 of the Regulation.

Considering, in this regard, that the Company has outlined more clearly, with the written defense and during the hearing, the characteristics of the relationship existing in the period of the disputed facts, i.e. that it was a phase prior to the stipulation of a contract of work with the complainant and only of a collaboration of the same with the Company as well as operations of sale of business unit, with regard to the proposed violation of articles 113 and 114 of the Code and 88 of the Regulation, contained in the violation notification of 28 September 2021, however, there are no grounds for adopting measures with reference to this specific profile under dispute.

3.3. Lastly, it is believed that the Company has not provided a suitable response to the cancellation request presented by the complainant as dated 31 January 2019; while providing an answer to the interested party, it in fact failed to indicate to the complainant the specific reasons why it could not have followed up on the request for cancellation of the e-mail account as well as the right to lodge an appeal with the judicial authority or a complaint to the Guarantor, as required by art. 12, par. 4, of the Regulation, in the event that the data controller does not comply with the request of the interested party.

On that occasion, the Company limited itself to informing the complainant that it would keep the account active "until we recontact all the save leads so that if someone is looking for us and had your @Reweb references from the fair, they can find. In a month or two we will break it up”.

In this regard, the Company's objection according to which the request would have been sent to the commercial manager and not to the legal representative is of no relevance; in this regard, in fact, it is recalled how recently the Guidelines 01/2022 on data subject rights - Right of access, adopted by the EDPB on 18 January 2022 (subject to public consultation concluded on 11 March 2022), have clarified that on data subjects there is an obligation to adopt a certain format for presenting requests to exercise the right of access (see Guidelines 01/2022 cit., point 52 "the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data.Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller" imposes no requirements on data subjects regarding the format of the request for access to personal data.Therefore, in principle, there are no requirements that the data subject must to respect when choosing a communication channel through which to get in touch with the data controller").

Furthermore, it does not appear that the Company has provided a response to what are defined by the Company itself as "further reminders from the complainant", in particular, contrary to what was declared by the Company, the response of 26 February 2019, a copy of which was produced during the proceedings, it does not contain any reference to the request to exercise rights relating to the e-mail account presented again by the complainant on 18 February 2019, but has as its subject "request for damages". The Company also declared that it had deactivated the account at the end of February.

The Company, therefore, has violated the provisions of art. 12 of the Regulation with reference to art. 17 of the Regulation.

Based on the art. 12 of the Regulation, in particular, the data controller "facilitates the exercise of the rights of the interested party pursuant to articles 15 to 22" and "if he does not comply with the request of the interested party, the data controller informs the interested party without delay, and at the latest within one month of receipt of the request, of the reasons for the non-compliance and of the possibility to lodge a complaint with a supervisory authority and to lodge a judicial appeal".

It should also be noted in this regard that, even if the Company had deemed it necessary to limit or exclude the exercise of the right to cancellation pursuant to art. 2-undecies of the Code ("Limitations to the rights of the interested party") for "the exercise of a right in court", should have communicated the limitation of the aforementioned right to the complainant, motivating this decision. The art. 2-undecies paragraph 3 of the Code establishes, in fact, that "the exercise of rights may, in any case, be delayed, limited or excluded with reasoned communication and made without delay to the interested party, unless the communication could compromise the purpose of the limitation, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard [the interest in exercising a right in court]" .

4. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the preliminary investigation do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and that they are therefore unsuitable to allow the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

The processing of personal data carried out by the Company and in particular access to the e-mail account with the forwarding to another account of incoming communications on the individualized account assigned to the complainant during collaboration with the Company and the unsuitable response to the request for cancellation presented by the claimant, it is in fact illegal, in the terms set out above, in relation to articles 5, par. 1, lit. a) and c), 6, 12 also with reference to art. 17, 13 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature and seriousness of the violation itself, the degree of responsibility, the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in the light of the specific case, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding it appears that Reweb s.r.l. has violated the articles 5, par. 1, lit. a) and c), 6, 12 also with reference to art. 17, 13 of the Regulation. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction envisaged by art. 83, par. 5, letter. b) of the Regulation, through the adoption of an injunction order (art. 18, l. 24.11.1981, n. 689).

Considering it necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the fine must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned, among other things, the general principles of processing, including the principles of lawfulness, correctness and minimisation; the violation also concerned the rules on the exercise of rights;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same was taken into consideration which did not comply with the data protection regulations in relation to a plurality of provisions;

c) in favor of the Company, account was taken of the cooperation with the Supervisory Authority demonstrated during the proceeding and the fact that the treatment concerned only one interested party.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues earned by the Company with reference to the condensed financial statements for the year 2021. Lastly, the entity of the sanctions imposed in similar cases is taken into account.

In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply against Reweb s.r.l. the administrative sanction of the payment of a sum equal to 5,000 (five thousand) euros.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of treatment, and the rules on the exercise of rights, that pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by Reweb s.r.l., in the person of its legal representative, with registered office in Via Ferruccio Ferrari, 6, (RE), C.F. 02026760351, pursuant to art. 143 of the Code, for the violation of the articles 5, par. 1, lit. a) and c), 6, 12 also with reference to art. 17, 13 of the Regulation;

DETERMINE

to file the dispute adopted against Reweb s.r.l., in the person of the legal representative, with deed dated 28 September 2021, limited to violations of articles 88 of the Regulation, 113 and 114 of the Code;

ORDER

pursuant to art. 58, par. 2, lit. i) of the Regulations to Reweb s.r.l., to pay the sum of 5,000 (five thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOYS

then to Reweb s.r.l. to pay the aforementioned sum of 5,000 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions pursuant to art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 11 January 2023

PRESIDENT
station

THE SPEAKER

station

THE SECRETARY GENERAL
Matthew