Autostrade per l'Italia S.p.A. – €420,000 Fine (Italy, 2025)
Autostrade per l'Italia S.p.A. was fined €420,000 for using screenshots of an employee's private messages in a disciplinary case without proper legal grounds. This ruling is significant because it reinforces that companies cannot misuse personal data, even if they did not collect it themselves. Employers must be cautious about how they handle employee data.
What happened
Autostrade per l'Italia S.p.A. used screenshots of an employee's private messages in a disciplinary proceeding without a legal basis.
Who was affected
The employee whose private messages were used in the disciplinary action.
What the authority found
The Italian data protection authority determined that the company processed personal data unlawfully, lacking a valid legal basis.
Why this matters
This case serves as a warning to employers about the risks of mishandling employee data. Companies should ensure they have clear legal grounds before using any personal information.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
Autostrade per l’Italia S.p.A. (the controller) is a private company that maintains a portion of the Italian highway system. The controller received screenshots of Messenger and WhatsApp messages of an employee (the data subject) as well as screenshots of content she shared on Facebook. The controller used the information in disciplinary proceedings and fired the data subject. The data subject filed a complaint with the DPA, claiming that her personal data were processed unlawfully.
The DPA held that the controller violated Articles 5(1)(a)(b)(c), 6, and 88 GDPR as well as Article 113 d. lgs. 193/2003. The DPA issued a €420,000 fine. The DPA considered the controller’s infringement to be severe and noted that the controller had already been fined for violations related to the processing of employees’ data.
The employer processed personal data
The controller claimed that it did not process personal data because it merely received the information rather than collecting it. On the contrary, the DPA held that the use of the data in the disciplinary proceedings against the data subject constituted processing of personal data. It did not matter that the controller did not actively collect the information.
The processing was unlawful and excessive
The DPA held that the controller processed personal data without a legal basis. In particular, the DPA rejected the argument that the processing was based on the controller’s legitimate interest in managing the employment relationship and exercising its powers as the employer, for several reasons.
First, the controller claimed that it carried out a “balancing test” beforehand (i.e., that it assessed whether its legitimate interest outweighed the interests and fundamental rights and freedoms of the data subject). However, it failed to demonstrate this claim, as required by the principle of accountability (Article 5(2) GDPR).
Second, the controller failed to demonstrate that the processing was necessary for the stated purpose. In pa
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Autostrade per l'Italia S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
21 May 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€420,000
GDPRhub ID
gdprhub-9364
Cite as: Cookie Fines. Autostrade per l'Italia S.p.A. - Italy (2025). Retrieved from cookiefines.eu
Last updated: