DPA fines insurance agency for failing to manage corporate email accounts


Italy’s data protection authority (the Garante) recently fined an insurance agency for failing to properly handle the email accounts of two former employees, who had filed a complaint with the Garante. The office opened an inspection, which resulted in the agency being dissolved.

During the Garante’s inspection, the agency defended itself by stating that it had immediately informed IVASS (the insurance regulator) of the employees’ resignations and had blocked the two accounts, which were then deactivated within the following 120 days. According to the agency, this was necessary to ensure business continuity: emails could still be received at those addresses and were automatically forwarded to a “triage manager”, who then passed them on to the new account managers.

Later, the agency further clarified that:

  • the agency had adopted a policy governing the use of corporate IT resources, and the relevant document had been provided to all employees and contractors;

  • there had been no access to the accounts, because the blocking was ordered without entering them and Aruba, the service provider, guaranteed IT security;

  • apart from the redirection to the triage manager, no correspondence or documents could be retrieved, because no backup existed;

  • an automated message informing customers of a change of manager within the agency had been set up;

  • the e-mail system logs, as well as the contents of the mailboxes and other assigned resources, were recorded and stored without any time limit, for reasons related to the company’s business.

Through its inspection and its examination of the agency’s defence, the Garante confirmed a violation of the rules on the protection of personal data, in particular Articles 5 and 6 of the GDPR. As a preliminary point, the Garante noted that the agency’s statements were unclear and contradicted each other (for example, the agency first assured that the accounts had been blocked, but later itself admitted that the responsible person was sorting the messages and passing them to other employees).

In conclusion, the Garante found that:

  • the accounts were kept active for 120 days after termination, during which time emails were automatically forwarded to a manager. This period was considered unreasonable, since the agency itself claimed to have informed clients within 30 days, and since IVASS requires customers to be notified of their new representative within a maximum of 7 days;

  • no evidence was presented of an automated message to clients, or that the responsible person could not actually access the content of the emails, a circumstance alleged by the documents in the record (in any event, even the “external data” of an e-mail, such as sender and subject, constitute personal data).

The Garante states that “It follows that the employer must ensure the removal of the individualized company e-mail account after the end of the (employment) relationship, after its deactivation and the simultaneous introduction of automatic systems aimed at informing third parties and providing alternative addresses, thereby avoiding viewing incoming communications on the individualized account assigned to the person concerned.”

Second, the Garante confirmed the illegitimacy of keeping the records and contents of company accounts sine die. In fact, the agency provided no evidence that the aforementioned stored data did not exist and, more generally, no evidence of a defined retention period.

In this regard, the Garante recalled its instructions on the retention of corporate electronic mail and reiterated that “the legitimate need to ensure the preservation of documents necessary for the normal operation and continuity of the business is ensured… by providing document management systems with which through the adoption of appropriate organizational and technological measures identify documents that need to be gradually archived in the course of business… Electronic mail systems by their very nature do not allow such features to be ensured”.

The watchdog imposed a €5,000 fine and ordered the agency to bring its corporate regulations into line.

The management of company email accounts is a much-debated and topical issue, and a compliant system can certainly be a solid defence in the event of an inspection by the authorities.

Originally published on September 15, 2023
