Università degli Studi di Cassino e del Lazio Meridionale – €8,000 Fine (Italy, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Italian university, Università degli Studi di Cassino e del Lazio Meridionale, was fined for mishandling a former employee's personal data. The university failed to deactivate the employee's email account and did not delete their emails after they were fired. This case highlights the importance of properly managing employee data after their employment ends.
What happened
The university did not deactivate a former employee's email account or delete their emails after termination.
Who was affected
The former employee whose personal data was mishandled by the university.
What the authority found
The authority found that the university violated multiple GDPR articles by failing to deactivate the email account and not properly addressing the employee's data requests.
Why this matters
This ruling emphasizes that companies must manage personal data responsibly, especially after an employee leaves. Businesses should ensure they have clear processes for handling employee data to avoid similar violations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
A professor (the data subject) filed three complaints against his former employer, an Italian university (the controller). He claimed that the controller: * did not deactivate his work email account or delete his emails after firing him; * unlawfully published its personal data on its website; * dismissed his request for access and erasure as well as his opposition to the processing of their data. The data subject claimed that the dismissal was unlawful and not sufficiently explained. The DPA held upheld the data subject’s claims and held that the controller: * violated Articles 5(1)(a), 5(1)(e) and 6 GDPR by failing to deactivate the email account of the data subject and to erase his communications after the end of the employment relationship; * violated Articles 12(3), 17 and 21 GDPR by unlawfully dismissing the data subject’s requests and by failing to explain the reasons behind the dismissal; * violated Articles 5(1)(a) and 6 GDPR as well as 2-ter of the Italian data protection code by unlawfully publishing the personal data of the complainant, as well as information about other data subjects. Contrary to the controller’s arguments, the DPA found that the data subject’s emails did not constitute administrative acts. So, the emails were not covered by any archiving obligation under administrative law. The DPA also dismissed the controller’s arguments that the emails were necessary to defend the controller’s legal claims against the data subject. In this regard, the DPA acknowledged that the controller and the data subject were involved in pending legal proceedings. However, the DPA held that the controller failed to show how storing the emails was concretely necessary for the controller to defend itself in those proceedings. The DPA fined the controller €8,000. In calculating the fine, the DPA considered that the controller implemented technical measures to prevent its staff from accessing the data subject's email, and that it eventually erased the data subject
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Università degli Studi di Cassino e del Lazio Meridionale in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
10 July 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€8,000
GDPRhub ID
gdprhub-9493About this data
Cite as: Cookie Fines. Università degli Studi di Cassino e del Lazio Meridionale - Italy (2025). Retrieved from cookiefines.eu
Last updated: