Company email: the employer’s right of defence in court cannot limit the worker’s right to the protection of personal data


31 Mar 2023

With an Order dated 11 January 2023, the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed an administrative fine of EUR 5,000 on a company for having kept a collaborator’s email account active and read its contents.

The facts

During negotiations for the acquisition of a cooperative company, the purchasing company agreed that a representative of the cooperative would collaborate, under the purchasing company’s name, in promoting a common supplier at a trade fair.

A company email account was then activated for the collaborator in order to allow her to communicate with potential customers met at the event.

A few months later, the negotiations between the two companies broke off and the collaborator (the complainant) requested the deactivation of the email account assigned to her. In order not to lose the contacts of potential new customers collected during the event, the company kept the account active and set up a system forwarding incoming communications to the sales manager’s email, deactivating the complainant’s email address only (approximately) six months after activation.

The outcome of the investigation by the Authority

The Authority first noted that the company had not complied with its obligation to inform the complainant about the processing of data carried out on her email account, as required by Article 13 of Regulation (EU) 2016/679 (the ‘Regulation’). This obligation, the Authority recalls, also applies in the context of pre-contractual negotiations, as an expression of the principles of fairness and transparency (see Article 5 of the Regulation).

In the present case, the company:

  1. processed personal data in the absence of a legitimation criterion, in that it (i) viewed, without an appropriate legal basis, the correspondence sent and received through the account during the collaboration with the complainant and (ii) set up, at the end of the collaboration, an automatic email forwarding system to a different company account;
  2. did not achieve an adequate balancing of ‘the interests at stake’: on the one hand, the company’s need to continue its economic activities, which is recognized, and on the other, the right to privacy of the data subject (namely the complainant). In this regard, the order reads, ‘the (legitimate) purpose of not losing useful contacts for one’s commercial activity, […], could have been pursued with less invasive processing activities and, therefore, compliant with data protection regulations, with respect to that carried out in the present case’;
  3. did not comply with the obligation to facilitate the exercise of the data subject’s rights, in that it did not provide a suitable response to the request for cancellation – the so-called ‘right to be forgotten’ – submitted several times by the complainant.

◊◊◊◊

That said, the Authority recalls that: ‘[…] the legitimate interest in processing personal data to defend one’s legal claim [can]not lead to an a priori cancellation of the right to the protection of personal data recognized to the data subjects […]’.

The order also recalls a well-established position of the Authority, according to which the adequate balancing of interests mentioned in point 2 above is achieved by activating an automatic response system that provides the sender with alternative addresses through which to contact the company (the data controller), without the company accessing incoming communications. In the case in question the company did access them, in breach, among others, of the principle of data minimization (see Article 5 of the Regulation).

