Reweb s.r.l. – €5,000 Fine (Italy, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Reweb s.r.l. was fined for improperly accessing a former consultant's email account after their cooperation ended. The company read private emails and redirected messages, violating privacy rules. They were fined €5,000 for not respecting the consultant's privacy.
What happened
The company accessed and read a former consultant's email account without permission after their working relationship ended.
Who was affected
The former consultant whose email communications were accessed without consent.
What the authority found
The Italian DPA found that Reweb violated GDPR by not respecting the privacy of the consultant's personal data.
Why this matters
This case underscores the importance of respecting privacy even after a working relationship ends. Companies should have clear policies to protect personal data of former employees or consultants.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A controller (Reweb s.r.l.) provided a data subject with a work email account in order to manage some customers of the firm. The data subject was not directly employed by the controller, but just supported the company´s activity as an external consultant. At some point, the cooperation between the controller and the data subject was interrupted for unknown reasons. Short afterwards Reweb started a civil proceeding against the consultant. Despite the end of the cooperation and an explicit request by the data subject, the controller refused to immediately close the email account. To the contrary, the controller read the correspondence between the data subject and their clients and rerouted clients´ messages to another email account. The controller claimed that this operation was necessary to manage commercial relationships with the customers with whom the data subject was in contact. Moreover, Reweb processed personal data under Article 6(1)(f) GDPR in order to defend his interests in the civil proceeding pending between the parties. The Italian DPA started a procedure against the controller for potential violations of Articles 5(1)(a) and (c), 6, 12, 13 and 17 GDPR. At that time, the email account had already been deactivated. In the first place, the Italian DPA ascertained that the controller never provided the data subject with the privacy policy under Article 13 GDPR. Incidentally, the DPA also found that such a privacy policy was not complete and did not comply with the GDPR requirements. In addition, the DPA found no appropriate legal basis for the processing. It is true that to keep contact with the clients and to exercise its legal claims was a legitimate interest of the controller. However, there were less intrusive means to achieve the same results. An automated message informing clients that the account was no longer functioning, for instance, would have been an adequate solution with regard to the data minimisation principle. Article 6(1)(f) was instea
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Reweb s.r.l. in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
11 January 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€5,000
GDPRhub ID
gdprhub-5737About this data
Cite as: Cookie Fines. Reweb s.r.l. - Italy (2023). Retrieved from cookiefines.eu
Last updated: