ITA Airways Slammed with €190,000 Privacy Fine: When “Forensics” Crosses the Line
Subtitle: Italian airline ITA faces a hefty penalty after the privacy watchdog exposes fundamental GDPR failings at the very top.
When does a digital investigation become a privacy breach? For ITA Airways, the answer landed with a thud: a €190,000 fine from Italy’s data protection authority. The case exposes not only a clash between internal investigations and personal data rights, but also a company’s basic missteps in following the GDPR: mistakes that no organization, let alone a national carrier, can afford to make.
Fast Facts
- ITA Airways fined €190,000 by the Italian Data Protection Authority (Garante) on March 4, 2026.
- Case centers on privacy violations during a forensic investigation targeting the company’s former president.
- Lack of proper data processing contract and insufficient privacy notice were key failings.
- Mass extraction of personal emails and files exceeded lawful investigation boundaries.
- Ruling highlights that even top executives deserve full GDPR protection.
Privacy Oversight at the Top: What Went Wrong?
The saga began with a leadership dispute at ITA Airways, culminating in the ousting of the company’s president in November 2022. As legal wrangling ensued, ITA took extraordinary steps to secure digital evidence: the president’s email, SharePoint, and OneDrive accounts were locked down and scrutinized by a third-party forensic firm. But in their zeal to protect the company, ITA’s executives skipped some of the most basic GDPR requirements.
First, the president, the very subject of the investigation, was not given an adequate privacy notice. Article 13 of the GDPR is clear: everyone, even the highest-ranking insider, must know how their data is being processed. Second, ITA failed to formalize a data processing agreement with the external forensics provider, a non-negotiable requirement under Article 28. This contract isn’t just paperwork; it outlines how, for what purpose, and for how long personal data can be handled.
Worse, the investigation led to a “massive extraction” of personal data, far beyond what was necessary. The Garante found that ITA’s policies, while impressively worded, failed in practice: the company’s approach treated privacy as an afterthought, allowing open-ended data access under the vague justification of internal audits or fraud checks. The watchdog was blunt: not even suspicions of misconduct justify trampling on fundamental data rights.
Why This Case Matters
This isn’t just a story about corporate infighting. It’s a warning to every organization: privacy rules apply equally to all, from interns to CEOs. Digital forensics, vital as it is for uncovering wrongdoing, must never override the principles of data minimization, proportionality, and transparency. Policies are not just “pieces of paper,” and contracts with processors cannot be skipped for expediency’s sake.
Even company leaders, often presumed to have less privacy in internal disputes, are entitled to robust protection. Their emails and files, while company property, are still shielded by law, including constitutional guarantees of correspondence secrecy.
Conclusion: Back to GDPR Basics
ITA’s costly lesson is a stark reminder: the ABCs of privacy can’t be ignored, even in the boardroom. When digital investigations cross the line from legitimate inquiry to privacy overreach, the price isn’t just reputational; it’s financial, and potentially existential. For companies across Europe, the message is clear: respect the rules, or prepare for turbulence.
WIKICROOK
- GDPR: GDPR is a strict EU and UK law that protects personal data, requiring companies to handle information responsibly or face heavy fines.
- Data Processing Agreement: A data processing agreement is a contract detailing how personal data is managed between a controller and processor, ensuring legal compliance and data protection.
- Data Minimization: Data minimization means collecting and using only the data strictly needed for a specific purpose, reducing privacy risks and enhancing security.
- Digital Forensics: Digital forensics involves collecting and analyzing digital evidence to investigate cybercrimes, support law enforcement, and ensure data integrity in legal cases.
- Litigation Hold: A litigation hold requires organizations to preserve all relevant data when legal action is anticipated, preventing deletion or alteration of important digital records.