Italy's Data Protection Authority (Garante per la protezione dei dati personali) issued a sanctioning decision against the University of Cassino and Southern Lazio on July 10, 2025, imposing a total fine of EUR 8,000 for multiple violations of the General Data Protection Regulation (GDPR). The case involved three complaints filed by a former university lecturer who had served as a contracted professor in the Department of Letters and Philosophy during the academic years referenced in the proceedings, before the termination of his activities due to the discontinuation of the undergraduate program.

The main violations identified included the improper processing of personal data contained in the complainant's institutional email account. The university kept the lecturer's email account active for approximately two years after the end of the employment contract, retaining received and sent messages without adequate legal justification. Although the institution stated it had revoked the access credentials due to improper use of the account by the lecturer, it failed to implement measures to inform third parties about the inability to access messages, violating the principles of lawfulness, fairness, transparency, and storage limitation set forth in the GDPR.

Additionally, the authority found failures in responding to data subject rights requests. The university did not provide adequate and timely responses to three separate requests submitted by the former lecturer, who sought confirmation of data processing activities, deletion of sensitive and judicial personal information, and objection to the processing of his data. In one instance, the institution's response was generic and did not specify the concrete needs for retaining data for defense in ongoing legal proceedings, merely quoting regulatory provisions verbatim without adequate contextualization.

The case also involved the improper publication of personal data on the university's institutional website. The institution kept online documents related to departmental opinions on the allocation of teaching assignments, arguing that publication was necessary for administrative transparency purposes. However, the authority determined that transparency regulations only require the publication of final ranking lists in public competitions, not internal documents from the selection procedure. The university only removed the documents after an express request from the data subject and intervention by the regulatory authority, demonstrating the inadequacy of its internal personal data management procedures.

This post was translated and summarized from the original decision using AI, with human review.

Source: Garante per la protezione dei dati personali


Series — European Decisions

Given the similarities between the data protection frameworks of Brazil and Europe, BrownPipe publishes European decisions to help blog readers and clients understand the international regulatory landscape. With the official recognition of LGPD's equivalence with European legislation, consolidated by the draft adequacy decision released by the European Commission in September 2025 for the purposes of international personal data transfers, knowledge of these decisions can help professionals and companies understand enforcement criteria and regulatory best practices developed by European authorities. Their analysis offers valuable interpretive precedents for the application of LGPD (Brazil's General Data Protection Law) in the Brazilian context, preparing readers for compliance requirements in an environment of growing global regulatory convergence.