MP1 s.r.l. – €15,000 Fine (Italy, 2024)

Data subject is a former employee of MP1 s.r.l., the controller. After the termination of his employment contract, the data subject requested the controller to delete their e-mail account which was used for the purpose of managing orders of the controller. The controller replied claiming that 'no use' had been made of the account, despite specifying afterwards that the account had been migrated to another company account for the management of commercial orders. Customers emailing the previous account were redirected to the new one and informed that the data subject no longer worked for the controller. Subsequently, the data subject submitted a formal request to exercise his rights, namely the rights to object and restrict the processing and the right to erasure the e-mail address. The controller did not respond. As a result, the data subject filed a complaint with the DPA for a failure to comply with the request and, in the event of non-compliance, to impose a ban on the unlawful processing consisting in the persistent activity of their account. The investigation revealed, that the controller erased the data subject's account, however, the time of the erasure was not indicated. Firstly, the DPA held that the controller failed to fulfill his obligation to follow modalities prescribed by Article 12 GDPR, in particular to provide the data subject with information on the action taken in respect of a request pursuant to Article 15 GDPR to Article 22 GDPR without undue delay and, in any event, at the latest within one month or receipt of the request. The controller violated this provision despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request. Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account for reasons related to Article 17(3)(e) GDPR. According to such a provision, the right to erasure does not apply if the processing is necess