Emme ci.service s.r.l. – €2,000 Fine (Italy, 2024)

Two of the former employees, technicians of Emme ci.service s.r.l. (‘controller’) filed a complaint with the DPA due to the processing of their personal data after the termination of the employment relationship with the controller. The data processing involved the use of their names and contact details in the header of the company’s bulletins. The processing occurred after informing the controller of this situation, too. Additionally, the controller kept the data subject’s e-mail accounts active for 7 months after the termination of the employment contract. Lastly, the data subjects stated that the controller failed to deliver certificates of attendance at a basic course for the driving of elevating platforms which took place in 2009. The controller claimed that, firstly, in view of the sudden and unforeseen resignation of the employees, the company continued using the old bulletins until the new ones arrived which no longer made any reference to the data subjects. The controller highlighted that they promptly removed their details from the bulletins upon a request of the data subjects’ lawyer. Secondly, they never had access to the data subjects' e-mail accounts during their employment nor the period after the termination of the employment. The controller argued that the data subjects e-mail accounts do not constitute a ‘company account’ in a strict sense as it was not provided or created by the controller but the data subjects themselves. The address was not used for the official communications on behalf of the controller and the data subjects could have deleted the account at any time. Thirdly, the controller claimed that they were not in possession of the certificates of attendance and emphasized that the certificates were only valid for four years. For that reason, the controller held the course in an updated form in 2018 and was not obliged to keep the expired certificates for such a long period. Moreover, the controller argued that the request for certi