Comune di Corte Franca – €6,000 Fine (Italy, 2024)

The data subject, ex-employee of the controller, a municipality, advanced a complaint before the DPA. The complaint concerned the publication, on the controller’s website of the data subject’s employment documents. The data published included information on the acknowledgement of the data subject’s resignation, data concerning their job title, the date of their last working day, the time and place of the working arrangements. Legal basis The DPA acknowledges that the public entities, like the controller, may rely on the legal basis on Article 6(1)(c) GDPR and Article 9(2)(b) GDPR, to process personal data in their role of employer. With regards to the personal data disclosure, the DPA reiterated that, as considered in multiple decisions that the publication of employment documents in the website is not in line with the GDPR. Thus, the DPA found a violation of Article 5 GDPR and Article 6 GDPR. Personal data communication to the DPA With regards to the late communication of the personal data, the DPA found that the GDPR violation continued until the DPA managed to contact the controller’s DPO. This exchange only happened much later than the complaint. Thus, the DPA found a violation of Article 37(7) GDPR. Fine On the basis of the violations found, the DPA deemed it appropriate to fine the controller €6,000.