Italian Data Protection Authority sanctions ENI for the unlawful disclosure of personal data
The online publication of judicial documents can become a legal risk when it involves inadequately protected personal data. This is highlighted by a recent decision of the Data Protection Authority, which brings back into focus the delicate balance between transparency, corporate communication, and the right to privacy.
A fine of €96,000 was imposed on Eni S.p.A. for publishing on its website the full writ of summons relating to a climate litigation case brought in 2023 by Greenpeace, ReCommon, and twelve individuals.
The document was accessible online without any redaction and contained various categories of personal data pursuant to Article 4.1 of Regulation (EU) 2016/679 (GDPR), including names, dates and places of birth, tax identification numbers, and residential addresses. Following the publication, the data subjects filed a complaint with the Authority, alleging a violation of data protection law.
During the proceedings, Eni argued that the publication was justified on the basis of legitimate interest (Article 6.1(f) GDPR), claiming it was necessary to protect its reputation and provide a transparent account of the facts in response to media coverage of the dispute. The company also noted that some of the information was already publicly available. However, the investigation found that the full disclosure of the document was not strictly necessary for these purposes, which could have been achieved through less intrusive means, such as redacting personal data.
In rejecting the company’s arguments, the Authority reiterated that reliance on legitimate interest requires three cumulative conditions: a real interest, necessity of the processing, and a proper balancing with the rights and freedoms of the data subjects. In this case, the necessity requirement was not met, particularly in light of the data minimization principle (Article 5.1(c) GDPR).
The Authority also emphasized the reasonable expectations of the data subjects. Even if some personal data were already public, individuals could not reasonably expect the further online dissemination of additional identifying and sensitive information.
In determining the fine, the Authority considered several factors, including the absence of a valid legal basis, the duration of the publication, the limited number of individuals involved, and the nature of the data. Mitigating factors included the company’s cooperation and the prompt corrective measures taken to comply with the GDPR.
The case also highlights the risks associated with forms of “total transparency.” As noted in legal scholarship, the protection of corporate reputation cannot justify the indiscriminate dissemination of personal data, especially when less intrusive alternatives are available. From this perspective, the conduct appears to conflict with the principles of accountability and privacy by design, which require a prior assessment of the impact of data processing.
The decision provides a concrete interpretation of Articles 5 and 6 GDPR, reaffirming the central role of necessity, proportionality, and the protection of data subjects’ expectations.