Emme ci.service s.r.l. – €2,000 Fine (Italy, 2024)
Emme ci.service s.r.l. was fined for mishandling former employees' personal data after their contracts ended. The company kept using their names and contact details without permission, which violated privacy rules. This case serves as a reminder for businesses to properly manage personal data even after employment ends.
What happened
Emme ci.service s.r.l. processed former employees' personal data without consent after their employment ended.
Who was affected
Two former employees whose personal data was used in company bulletins without their consent.
What the authority found
The DPA found that Emme ci.service s.r.l. violated GDPR by failing to delete personal data after the employment relationship ended.
Why this matters
This fine highlights the importance of respecting former employees' privacy rights. Companies must ensure they have proper data management practices in place to avoid similar penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Two of the former employees, technicians of Emme ci.service s.r.l. (‘controller’) filed a complaint with the DPA due to the processing of their personal data after the termination of the employment relationship with the controller. The data processing involved the use of their names and contact details in the header of the company’s bulletins. The processing occurred after informing the controller of this situation, too. Additionally, the controller kept the data subject’s e-mail accounts active for 7 months after the termination of the employment contract. Lastly, the data subjects stated that the controller failed to deliver certificates of attendance at a basic course for the driving of elevating platforms which took place in 2009. The controller claimed that, firstly, in view of the sudden and unforeseen resignation of the employees, the company continued using the old bulletins until the new ones arrived which no longer made any reference to the data subjects. The controller highlighted that they promptly removed their details from the bulletins upon a request of the data subjects’ lawyer. Secondly, they never had access to the data subjects' e-mail accounts during their employment nor the period after the termination of the employment. The controller argued that the data subjects e-mail accounts do not constitute a ‘company account’ in a strict sense as it was not provided or created by the controller but the data subjects themselves. The address was not used for the official communications on behalf of the controller and the data subjects could have deleted the account at any time. Thirdly, the controller claimed that they were not in possession of the certificates of attendance and emphasized that the certificates were only valid for four years. For that reason, the controller held the course in an updated form in 2018 and was not obliged to keep the expired certificates for such a long period. Moreover, the controller argued that the request for certi
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Emme ci.service s.r.l. in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
24 January 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€2,000
GDPRhub ID
gdprhub-7771About this data
Cite as: Cookie Fines. Emme ci.service s.r.l. - Italy (2024). Retrieved from cookiefines.eu
Last updated: