ITA 
Published on Sole24Ore - NT Lavoro - on 20/05/2022
Data processing carried out using information technology must comply with respect for the rights, fundamental freedoms and dignity of the data subject, regardless of the type of contract governing the employment relationship.
Thus, the Privacy Guarantor, with its injunction order of 7 April 2022 [9771545] under which it imposed a fine of €.50,000 on a company for having managed an agent’s e-mail account in breach of the protection provided for by the GDPR.
In the case at hand, the company prevented one of its employees – an exclusive agent – from accessing the company e-mail account provided to her during the employment, without prior notice or subsequent justification, by changing her password.
The agent served repeated request for immediate reinstatement of the account, which was essential for the performance of work activities as well as for the protection of his dignity, image, honour and confidentiality, since strictly personal communications were also stored there.
The company, however, ignored the agent’s requests and kept the account active even afther termination of employment, which occurred two months later.
After the agent’s claim and investigations by the Special Privacy Unit of the Guardia di Finanza, the Privacy Guarantor made numerous objections to the company, including:
1) Violation of the principle of “limitation storage” under Article 5 (1) of the GDPR, by virtue of the continued vitality of the company account assigned to the complainant.
2) The company’s failure to provide any information on the processing of data, even less with reference to the company e-mail account during the relationship and at the end of it, in breach of the obligation under Article 13 of the GDP, also in the light of the Garante’s guidelines for e-mail and internet of 1 March 2007, published in Official Gazzette no. 58 of 10 March 2007 (web doc. No. 1387522);
3) Infringement of Article 12 (3) and 15 of the GDPR, respectively by virtue of the failure to respond to the request and the denial of access to the company account in question.
The company defended itself by arguing that the inhibition was justified by undue disclosure of confidential company information by the agent, that it had kept the box active for possible defensive investigations, and that in any event the agent was not equated with an employee, given the inherent organisational and operational autonomy.
With regard to the latter aspect, the Guarantor (Newsletter of 19/05/2022) recalls that the protection of private life also extends to the employment sphere, given that it is precisely on that occasion that relationships develop in which the employee’s personality is expressed. Therefore, «even taking into account the structural difference between a subordinate employment relationship and an agency relationship, the processing of data carried out by means of information technology in the context of any employment relationship must comply with respect for the fundamental rights and freedoms as well as the dignity of the data subject, in order to protect workers and third parties».
Under a different profile, the Guarantor also confirmed the violation of Article 13 of the GDPR, arguing that the professional role of agent assigned to the complainant was irrelevant neither with respect to the obligation to provide information nor with respect to the obligation of correct and transparent management of the company account assigned, since «these obligations must be considered to exist by reason of the processing of personal data concerning a specific natural person as “data subject”».
According to the Guarantor, the violation by the company of the principle of “limitation of storage” and the related principle of “minimisation” is also confirmed, given the failure to remove the account after the termination of the employment relationship, after deactivating it and at the same time adopting automatic system aimed at informing third parties and providing them with alternative e-mail addresses related to his professional activity.
This violation is rendered even more serious when, as in the present case, the account also contains information and communications of a strictly personal nature, «the knowledge of which could cause a serious violation of one’s rights to dignity, image, honour and confidentiality, as well as damage to one’s work».