This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

Italy Fines Employer for Privacy Violation Related to Former Employee's Company Laptop

In a case with potential implications for many employers, Italy's data regulator has fined an Italian employer for failing to notify a former employee that his data might be processed by the company in the wake of his departure. Although the facts are convoluted, the upshot is this: the company did not tell the employee that data on his company-issued laptops could be collected and processed following his departure. (The company examined his laptop for documents with evidentiary value in a separate case.) The violation was a technical one, for failure to give appropriate notice.  

Why It Matters

Employers would be well served to ensure that employee privacy notices/handbooks in relevant jurisdictions give appropriate notice of post-employment data processing. This case was a small one, and decided under the EU's aggressively pro-consumer privacy rules. Starting in January 2023, however, employers with California-based employees will have to treat those employees like consumers when it comes to data privacy. This includes notifying employees of company privacy practices. The theories of liability being tested in the EU, such as this case about post-employment review of company resources, may be tested here as well once the new rules take effect in California.  

The Garante established that it was of no relevance that the task of drafting these regulations was the responsibility of the complainant during his tenure, because any liability deriving from non-compliance with data protection legal obligations by the employee ultimately falls on the company, since the role of data controller is attributed to the company itself and not the employee


hill_mitzi, insights, data security and privacy