In a case with potential implications for many employers, Italy's data regulator has fined an Italian employer for failing to notify a former employee that his data might be processed by the company in the wake of his departure. Although the facts are convoluted, the upshot is this: the company did not tell the employee that data on his company-issued laptops could be collected and processed following his departure. (The company examined his laptop for documents with evidentiary value in a separate case.) The violation was a technical one, for failure to give appropriate notice.
Why It Matters
Employers would be well served to ensure that employee privacy notices/handbooks in relevant jurisdictions give appropriate notice of post-employment data processing. This case was a small one, and decided under the EU's aggressively pro-consumer privacy rules. Starting in January 2023, however, employers with California-based employees will have to treat those employees like consumers when it comes to data privacy. This includes notifying employees of company privacy practices. The theories of liability being tested in the EU, such as this case about post-employment review of company resources, may be tested here as well once the new rules take effect in California.