💥 Intrusive surveillance of employees

Data Subject Rights, Retention & Minimisation | 30/03/2025

Source: 10096474, Italy, Il garante per la protezione dei dati

🔍 When access to employees' computers turns into widespread surveillance... and costs €20,000.

👉 A data controller requested access to an employee's computer.
⚠️ Problem: the computer contained personal data and private communications.
💬 After several emails went unanswered, the employee asked:
✅ to exercise her right to erasure (Article 17 of the RGPD);
✅ for the deletion of all her professional email accounts.

💥 With no response to her request for deletion, the former employee filed a complaint against her employer in September 2022.

She claimed that her personal data had been improperly processed in connection with the management of her professional e-mail.

📌 Background
The company had access to professional mailboxes and could redirect their contents to a centralized inbox.
In addition, the employer had implemented IT tools that:
- systematically collected and stored Internet browsing logs (also known as "browsing marks"),
- stored this data for 30 days,
- then transferred it to an external hard disk.

Problems observed
- Disproportionate surveillance of employees through the tracking of browsing traces and emails.
- Excessive and prolonged storage of personal data, with no clear purpose or time limit.
- No valid legal basis to justify such processing.
- The stated purpose (security and proper functioning of systems) does not justify such intrusive monitoring.

⚖️ RGPD violations identified

1. Article 5(1)(a) - Lawfulness, fairness, transparency
→ Systematic collection of browsing data without a clear legal basis is unlawful.
2. Article 5(1)(c) - Data minimization
→ Collection must be adequate, relevant and limited to what is necessary. Here, generalized storage runs counter to this principle.
3. Articles 12 & 17 - Right to erasure and duty to respond
→ The employer failed to respond properly, either within the time limit or in writing, to the employee's request for erasure of her personal data.

🔍 DPA's position

The DPA acknowledged that:

- The employer had an inappropriate internal policy,
- The level of monitoring introduced was not proportionate to the objectives,
- The management of the data erasure request was non-compliant with the RGPD.

💸 Sanction

➡️ Administrative fine of €20,000

Justified by the seriousness of the breaches, the excessive retention period, and the lack of a formal response to the data subject's request.
