The Italian data protection authority (Garante per la protezione dei dati personali – GPDP) has imposed a fine of €10,000 on Solera Italia S.R.L. for breach of Article 5 of the GDPR. The fine was imposed following a complaint filed by a former employee of the company. The complainant reported that after the termination of his employment relationship, his former employer continued to use his work email addresses and provided access to them to other employees. The complainant claimed that during his employment he had not been informed about how long his personal data related to his company email would be processed.
In response to the GPDP’s request for information, the company confirmed that while one of the complainant’s work email addresses had been deactivated after the termination of his employment, the other had remained active to allow for the receipt of emails from outside Solera Italia, and that emails relating to both addresses had been retained on the servers due to the importance of the complainant’s duties.
The GPDP found that Solera Italia had breached the principles of transparency and legality by failing to provide employees with the necessary information regarding the processing of personal data in relation to their e-mail addresses, including the possible control of correspondence during and after the employment relationship. The complainant was also not informed about the scope of data storage. The company also failed to comply with the principles of data minimisation and storage limitation.
According to the GPDP, the company should have deactivated both e-mail addresses belonging to the complainant and restricted the storage of data contained in electronic correspondence. However, there was no policy or procedure within the organisation regarding the use of business email addresses.
In determining the amount of the fine, the supervisory authority took into account as aggravating factors Solera Italia’s lack of spontaneous compliance, even after enforcement proceedings were initiated, and the fact that the infringements in question related to general data protection principles. In favour of the sanctioned company was the fact that, notwithstanding the infringements indicated, personal data had not been compromised.
The GPDP imposed the fine, ordered the publication of its decision on the company’s website and requested information on the corrective measures taken within 60 days of the decision.