Alitalia Società Aerea Italiana S.p.a. – €1,250,000 Fine (Italy, 2026)
Alitalia was fined €1,250,000 for improperly sharing personal data of former employees with ITA Airways during a recruitment process. This is significant because it shows that companies must handle personal data carefully, especially during transitions like mergers or acquisitions.
What happened
Alitalia disclosed personal data of former employees to ITA Airways without proper legal grounds.
Who was affected
Former employees of Alitalia whose personal information was shared with ITA Airways.
What the authority found
The authority found that Alitalia violated GDPR by sharing personal data without a valid legal basis.
Why this matters
This case serves as a warning to companies about the risks of mishandling personal data during business transitions. Proper consent and legal grounds are essential.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
The data controllers were Alitalia and ITA Airwais, two Italian airlines. Alitalia was Italy’s historic flagship Airline while ITA is a new airline under partly public ownership, founded in 2021 to serve as a successor to Alitalia. In 2021 Alitalia sold numerous assets from its aviation division to ITA and entered receivership. The operation was the result of a government decision and was provided for by law. Due to certain technicalitiesThe operation was described as a sale of individual assets as opposed to the sale of a "business unit". However, the qualification of the contract was controversial: see the comments for more information. of the sale contract, ITA did not take over Alitalia’s existing employment contracts. So, ITA lacked the staff to operate the assets it bought and sought to hire many former Alitalia employees. In order to speed up the recruitment, Alitalia disclosed personal data of the former employees of its aviation division with ITA. The data included the personal details and contact information of employees, their marital status, their salary (which, as the DPA incidentally noted, was irrelevant for HR purposes), their professional qualification and other information relative to the employment relationship (for instance, whether a worker had been fired and was later reintegrated in the workplace following a court ruling). In 2023 a labour union representative and former Alitalia employee (the data subject) filed access requests with both controllers. In his requests, he specifically asked whether his personal data had been shared between the controllers and inquired about this processing. ITA responded that it was not processing the complainant’s personal data at the time of his request. The company also provided the data subject with the copy of its privacy notice for employees and with other documents related to the processing of personal data. Alitalia did not respond to the request at first. The data subject later filed two distinct compl
Related Enforcement Actions (0)
No other enforcement actions found for Alitalia Società Aerea Italiana S.p.a. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 March 2026
Authority
Garante per la protezione dei dati personali
Fine Amount
€1,250,000
GDPRhub ID
gdprhub-9885About this data
Cite as: Cookie Fines. Alitalia Società Aerea Italiana S.p.a. - Italy (2026). Retrieved from cookiefines.eu
Last updated: