In this article, we analyze a case decided by the Italian data protection authority (“Garante”), concerning the processing and transfer of employees’ personal data between the Italian airlines Alitalia and ITA Airways.

The proceedings arose from a 2021 business transaction involving the transfer of certain assets between the two companies, without a simultaneous transfer of employees.

This particular circumstance raised the issue of the lawfulness of the further processing and sharing of employees’ personal data between the two companies.

Factual Background

In 2021, Alitalia entered insolvency proceedings during which it sold part of its assets to ITA Airways, which had been established as the new national airline carrier. However, the transaction itself did not entail the transfer of existing employment agreements to the new company.

Due to the need to engage workforce, ITA Airways initiated a recruitment process with the intention of hiring former Alitalia employees. In this context, Alitalia provided ITA Airways with the personal data of its former employees (the data was made available through a restricted-access SharePoint folder). The shared data included not only basic identification and contact information, but also additional information such as marital status, salary details, professional qualifications, as well as certain employment-related information concerning the individuals’ relationship with Alitalia, including data regarding dismissals and court proceedings involving Alitalia.

During 2023, a former employee and trade union representative of Alitalia submitted data access requests to both companies, acting as controllers, specifically requesting information on whether his personal data had been shared and how it had been processed.

ITA Airways responded by stating that it was not processing his data at the time of the request and referred him to its privacy policy. Alitalia failed to respond within the statutory deadline.

The employee subsequently lodged complaints with the Garante against both companies — against ITA Airways for providing an inadequate response, and against Alitalia for failing to respond at all. The Garante examined both complaints within a single proceeding.

During the proceedings, Alitalia confirmed that it had transferred the employee’s data to ITA Airways as part of the transaction, while also referring to its privacy policy.

Following the complaints, the Garante initiated proceedings and found that key GDPR principles had been infringed.

Breach of the Principles of Lawfulness, Fairness and Transparency

First, the Garante established that the fundamental principles of data processing, including the principles of lawfulness, fairness and transparency, had been violated, since the processing was not based on a valid legal basis and had not been communicated to employees in a transparent manner.

It was particularly emphasised that the processing had been “systematic and large-scale” and included individuals who had never applied for a position with ITA Airways.

Violation of the Right of Access

The Garante found that neither controller had adequately responded to the employee’s access request.

Namely, Alitalia failed to respond altogether, while ITA Airways did not provide information regarding the previous processing activities, as specifically requested.

In particular, the controllers failed to provide concrete information on whether the personal data had been shared and how it had been processed. The Garante considered that merely referring the employee to privacy policies did not constitute an adequate response to a data access request.

Breach of the Information Obligation 

The Garante determined that employees had not been informed about the transfer, sharing, and processing of their data, and that the controllers’ privacy policies neither contained the relevant information nor was it demonstrated that such policies had been provided to employees.

The authority particularly stressed that information provided to data subjects must be specific and concrete, rather than abstractly contained in general privacy policies.

Unlawful Processing of Personal Data

The controllers defended the processing by relying on several legal bases under the GDPR. However, the Garante rejected these arguments and concluded that the processing was unlawful.

Employment Agreement (Article 6(1)(b) GDPR)

The controllers argued that many Alitalia employees had applied for jobs with ITA Airways before Alitalia entered insolvency proceedings, and that the processing had therefore been necessary for entering into employment agreement.

However, the Garante found that the personal data of all employees had been shared, not only those who had applied for employment.

Accordingly, this legal basis could only potentially cover part of the data processing activities, and the argument was therefore rejected.

Legal Obligation (Article 6(1)(c) GDPR) 

The controllers further argued that the processing had been necessary in order to comply with a legal obligation, relying on provisions of national legislation.

However, the Garante found that those provisions merely permitted the sale of assets and did not refer to the processing of personal data, nor did they provide a basis for the large-scale transfer of employees’ personal data.

For this reason, this argument was also rejected.

Legitimate Interest (Article 6(1)(f) GDPR)

The controllers additionally claimed that they had a legitimate interest in ensuring the proper implementation of the transaction.

However, the Garante established that they had failed to conduct a legitimate interest assessment.

It further noted that legitimate interest cannot be used as a “fallback” legal basis where other legal bases are unavailable.

The authority also stated that, in this case, legitimate interest could not in any event serve as a valid legal basis.

According to the Garante, the necessary elements for relying on legitimate interest were absent, although it did not specify which elements were lacking, referring instead generally to the Article 29 Working Party guidelines without detailed explanation.

Accordingly, this argument was likewise rejected.

Conclusion

Based on the identified GDPR infringements, the Garante imposed administrative fines on the controllers in the total amount of EUR 1,25 million (EUR 1 million against ITA Airways and EUR 250,000 against Alitalia).

This case is, in fact, part of a broader legal controversy between the companies and former employees, in which the question has been raised as to whether the transaction effectively constituted a transfer of an undertaking rather than merely a transfer of individual assets? This issue is significant because, under Italian law, such a transfer would have resulted in the automatic transfer of employment agreements to ITA Airways.

The employee who submitted the access request had already been involved in these disputes and sought to obtain evidence of the large-scale transfer of data as a possible indication that such a transfer of undertaking had occurred.

In this respect, the Garante noted that, in the event of a transfer of an undertaking, the processing could potentially have been based on a legal obligation. However, this legal basis was deemed inapplicable because the companies themselves maintained that the transaction concerned only a transfer of parts of assets.

This case clearly confirms that the processing of employees’ personal data, even in the context of complex business transactions, must be based on a valid legal basis and carried out in compliance with the principle of transparency.

It particularly highlights that the right of access entails an obligation on the part of controllers to provide specific and clear information regarding the processing activities, rather than merely referring data subjects to general internal policies.

Finally, the exchange of data between a predecessor company and a successor company cannot be considered automatically permissible but must instead be properly grounded in law.

This article is provided for informational purposes only and does not constitute legal advice. Should you require any additional information, please feel free to contact us.