Reweb s.r.l. – €5,000 Fine (Italy, 2023)

A controller (Reweb s.r.l.) provided a data subject with a work email account in order to manage some customers of the firm. The data subject was not directly employed by the controller, but just supported the company´s activity as an external consultant. At some point, the cooperation between the controller and the data subject was interrupted for unknown reasons. Short afterwards Reweb started a civil proceeding against the consultant. Despite the end of the cooperation and an explicit request by the data subject, the controller refused to immediately close the email account. To the contrary, the controller read the correspondence between the data subject and their clients and rerouted clients´ messages to another email account. The controller claimed that this operation was necessary to manage commercial relationships with the customers with whom the data subject was in contact. Moreover, Reweb processed personal data under Article 6(1)(f) GDPR in order to defend his interests in the civil proceeding pending between the parties. The Italian DPA started a procedure against the controller for potential violations of Articles 5(1)(a) and (c), 6, 12, 13 and 17 GDPR. At that time, the email account had already been deactivated. In the first place, the Italian DPA ascertained that the controller never provided the data subject with the privacy policy under Article 13 GDPR. Incidentally, the DPA also found that such a privacy policy was not complete and did not comply with the GDPR requirements. In addition, the DPA found no appropriate legal basis for the processing. It is true that to keep contact with the clients and to exercise its legal claims was a legitimate interest of the controller. However, there were less intrusive means to achieve the same results. An automated message informing clients that the account was no longer functioning, for instance, would have been an adequate solution with regard to the data minimisation principle. Article 6(1)(f) was instea