Italy

ITAS Mutua

50,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2026-03-12.

Rank · Sector: #38 of 213 in Employment
Rank · Italy: #124 of 543
Rank · All fines: #748 of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2026-03-12
Controller / Processor: ITAS Mutua
Sector: Employment
Quoted Articles: Art. 5 (1) a), b), c), e) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 88 GDPR
Type of violation: Insufficient fulfilment of data subjects' rights

Summary

The Italian DPA has imposed a fine of EUR 50,000 on ITAS Mutua. A former employee of the controller requested access to the documents and emails on his personalised company email account. However, the controller only provided emails that were not declared as work-related, confidential or personal. The DPA found that all emails on a work email account constitute the personal data of the employee (whether current or former), including emails related to work activity. The employer had no right to pre-scan these emails when providing them in the context of an Art. 15 GDPR request. Additionally, the controller had retention periods for backups of employees' email accounts and browser logs that were too long, and the process was too opaque.
