Privacy Authority Fines Insurance Agency for Non-compliant Management of Company Email Accounts


The Italian Data Protection Authority recently fined an insurance agency for not having acted properly in managing the email accounts of two former employees, who had filed a complaint with the Garante. The Authority initiated an inspection, as a result of which the agency was fined.

In the course of the inspection activities conducted by the Garante, the agency defended itself by claiming that it had promptly notified IVASS (the insurance regulator) of the employees’ resignations and had also blocked the two accounts, which were then deactivated within the following 120 days. According to the agency, this activity was necessary to ensure business continuity. For this purpose, the agency noted that the addresses could still receive emails, which were automatically redirected to a “sorting manager,” who then forwarded them to the new account managers.

Later, the agency further clarified that:

– the agency had adopted a policy governing the use of company IT resources, and the relevant document had been provided to all employees and contractors;

– there had been no access to the accounts, as the block was ordered without entering the accounts, and Aruba, the service provider, was guaranteeing IT security;

– in addition to the redirection to the sorting manager, the agency confirmed that it was not possible to retrieve any correspondence or documents, as there was no backup;

– an automated message was entered informing customers of the change of manager within the agency;

– the recording and preservation, without time limitation, of the logs of the e-mail system, as well as the contents of the mailbox and other assigned resources, were carried out for reasons related to the company’s business.

The Garante, because of its inspection activities
