ITAS Mutua – €50,000 Fine (Italy, 2026)

€50,000Garante per la protezione dei dati personali12 March 2026Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Italian Data Protection Authority fined ITAS Mutua EUR 50,000 for not providing a former employee with all their work-related emails. This is significant because it underscores the rights of employees to access their personal data without unnecessary restrictions.

What happened

ITAS Mutua only provided non-work-related emails to a former employee who requested access to their work email account.

Who was affected

A former employee of ITAS Mutua was affected by the incomplete access to their personal data.

What the authority found

The authority found that ITAS Mutua violated GDPR by not providing all relevant emails and having unclear data retention practices.

Why this matters

This ruling serves as a reminder for employers to ensure transparency and compliance when handling employee data access requests.

GDPR Articles Cited

AI-verified

Art. 12(GDPR)
Art. 13(GDPR)
Art. 15(GDPR)
Art. 5(1)(a) GDPR
Art. 5(1)(b) GDPR
Art. 5(1)(c) GDPR
Art. 5(1)(e) GDPR
View original scraped data
Art. 5(1) a) GDPR
b)
c)
e) GDPR
Art. 12(GDPR)
Art. 13(GDPR)
Art. 15(GDPR)
Art. 88(GDPR)

Original data from scraper before AI verification against source document.

Source verified 19 May 2026
articles corrected
Italy enforcementGarante per la protezione dei dati personali actionsAll ITAS Mutua actions
Full Legal Summary
Detailed

The Italian DPA has imposed a fine of EUR 50,000 on ITAS Mutua. A former employee of the controller requested access to the documents and emails on his personalised company email account. However, the controller only provided emails that were not declared as work-related, confidential or personal. The DPA found that all emails on a work email account constitute the personal data of the employee (whether current or former), including emails related to work activity. The employer had no right to pre-scan these emails when providing them in the context of an Art. 15 GDPR request. Additionally, the controller had retention periods for backups of employees' email accounts and browser logs that were too long, and the process was too opaque.

Related Enforcement Actions (0)

No other enforcement actions found for ITAS Mutua in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

12 March 2026

Authority

Garante per la protezione dei dati personali

Fine Amount

€50,000

Enforcement Tracker ID

ETid-3149

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. ITAS Mutua - Italy (2026). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: