Municipality of Nichelin – €18,000 Fine (Italy, 2025)

A former employee (the data subject) of the Municipality of Nichelino (the controller) filed a complaint against the Municipality under the GDPR. The data subject asked the controller to correct her employment records to remove the phrase “failure to pass the probationary period,” which she argued was inaccurate and harmful. She also challenged the publication of decisions regarding her termination and the hiring of a replacement, as well as competition rankings that included personal data and scores of other candidates. The controller stated that it acted in good faith, removed the information, and published a rectification agreed with the data subject. The controller also argued that transparency obligations justified the publication and highlighted measures to limit data exposure, correct technical errors, train staff, and involve the Data Protection Officer. The DPA found that the Municipality violated Article 5 GDPR and Article 6(1)(f) GDPR by publishing personal data without a valid legal basis and failing to respect the principles of lawfulness, fairness, transparency, and data minimisation. Transparency obligations did not authorise the publication of employment or competition records containing personal information, and even if there was an authorisation, the documents remained online longer than permitted by law. The Municipality had not assessed which data were necessary for publication or implemented measures to prevent indirect identification. The published documents allowed the identification of the data subject and other candidates through employment and competition details. The DPA emphasised that even partial anonymisation or later corrections could not justify the original unlawful disclosure. The DPA also found that the Municipality failed to respond adequately to the data subject’s request to exercise their rights under Articles 15-22 GDPR. The Municipality did not provide timely feedback, explain the reasons for non-compliance, or inform the