Garante per la protezione dei dati personali - 9518890

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 88 GDPR
Codice in materia di protezione dei dati personali
Type: Complaint
Outcome: Upheld
Decided: 29.10.2020
Published:
Fine: 20.000 EUR
Parties: Gaypa s.r.l.
National Case Number/Name: 9518890
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) imposed a fine of €20,000 on Gaypa s.r.l. for checking an employee's professional email account in order to protect the company's interests. The Garante found that this violated Article 5(1)(a), (c) and (e) and Articles 12, 13 and 88 GDPR.

English Summary

Facts

The Garante examined a complaint submitted by an ex-employee against Gaypa s.r.l. for accessing his professional email account after his dismissal and using some of the emails it had checked to file a case against him for the appropriation of confidential information. The company accessed this data after the declared retention period had expired and without notifying the ex-employee of the processing.

Gaypa s.r.l. claimed to have used the information only to defend its legitimate interests in court. The company also claimed to have internal regulations informing data subjects about the processing of personal data.

Dispute

Is the processing of the employee's data, after his dismissal and without notifying him of the processing, lawful?

Holding

The Garante found that the processing of the complainant's personal data, which the company carried out by storing and accessing the content of his individual e-mail account, as well as the processing related to the management of employees' mail carried out on the basis of the company's internally adopted regulations, was unlawful because it violated Article 5(1)(a), (c) and (e) and Articles 12, 13 and 88 GDPR.

In particular, Articles 12 and 13 on transparency were violated because the company did not inform employees clearly and in a timely manner about the processing of personal data. Article 5(1)(c) and (e) were violated because the company's internal regulations on the processing of personal data did not apply the principles of data minimisation and storage limitation. Finally, the principle of lawfulness under Article 5(1)(a) was violated in connection with the breach of the rules in the Italian Privacy Code (Legislative Decree 196/2003, Articles 113 and 114) on the processing of personal data in the context of employment, as per Article 88 GDPR.

For these reasons, the Garante:

- With the power conferred by Article 58(2)(i) GDPR, imposed a fine of €20,000 on Gaypa s.r.l.

- With the power conferred by Article 58(2)(f) GDPR, imposed a ban on the further processing of the complainant's data and of the data of other employees stored on the company's server.

- With the power conferred by Article 58(2)(d) GDPR, ordered the controller to bring its processing operations into compliance with the GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.