Garante per la protezione dei dati personali (Italy) - 10009296

From GDPRhub
Garante per la protezione dei dati personali - 10009296
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 12(5) GDPR
Article 15 GDPR
Article 2-terdecies
Type: Complaint
Outcome: Upheld
Started: 13.07.2023
Decided: 07.03.2024
Published:
Fine: 10,000 EUR
Parties: Banca popolari di Bari S.p.a.
National Case Number/Name: 10009296
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA fined a bank €10,000 for not fulfilling an access request made by an heir on behalf of a deceased person. The DPA rejected the bank’s justification for the delayed response, according to which the data subject did not use a correct address to make a request.

English Summary

Facts

On 31 July 2023 a data subject complained to the DPA against a bank - Banca popolari di Bari S.p.a. (‘controller’). The data subject made an access request as an heir to her deceased father. The request was based on Article 15 GDPR and Article 2-terdecies of the Italian Data Protection Code which makes a special reference to heirs who are beneficiaries of life insurance policies. The data subject claimed that despite repeated requests, the bank initially stated there were no accounts in her father's name. Later, the bank acknowledged their existence but failed to provide the requested information.

After the Authority intervened, the bank partially responded, offering access to account statements for the last ten years but requiring a formal request under Article 119 of Consolidated Bank Act no. 385/1993. The complainant remained dissatisfied and insisted on the access to all data related to her father. Following this, the bank finally provided account statements of the deceased person.

Nevertheless, the DPA initiated proceedings against the bank for violations of Articles 12(3), 12(4) and 12(5) GDPR related to the action taken on the request of the data subject. In the defense briefs, the bank explained that the failure to timely reply to the initial request of the data subject and to the subsequent reminders was caused by a series of operational misunderstandings.

In particular, the data subject mistakenly directed their request to a different e-mail address rather than the one designated for the Data Protection Officer. Moreover, the bank initially believed that no accounts were held in the name of the deceased and subsequently, the organizational unit of the bank misclassified the request. All of this led to the failure to promptly handle the request within the prescribed timeframes. The bank promptly took steps to address the situation by committing to regular awareness-raising communications and provided guidance on its website for submitting data access requests.

Holding

The DPA confirmed that the Bank did not provide a reply to the data subject’s request for access to personal data without undue delay or no later than one month from the receipt of the request as provided in Article 12(3) GDPR. Additionally, the controller also failed to inform the data subject within the same time limit of the reasons for non-compliance and of the possibility of lodging a complaint with a DPA or seek a judicial remedy as provided in Article 12(4) GDPR.

The DPA dismissed the controller’s assertion that directing the access request to an e-mail address other than the one dedicated for such requests constituted the reason for the delay in response. The DPA recalled EDPB Guidelines 01/2022 on data subject rights which clarify that data subjects are not obliged to adopt a particular format for submitting requests to exercise their right of access. There are in fact no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller.

Therefore, for the failure to respond to the access request, the DPA ordered the controller to pay the sum of €10,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10009296]
Provision of 7 March 2024
Register of measures
n. 160 of 7 March 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, n. 101, hereinafter “Code”);
GIVEN the complaint presented on 31 July 2023 pursuant to art. 77 of the Regulation by Mrs. XX towards BdM Banca S.p.a. (formerly Banca Popolare di Bari S.p.a.);
EXAMINED the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;
SPEAKER Dr. Agostino Ghiglia;
GIVEN
1. The complaint against the credit institution and the preliminary investigation activity.
With the complaint presented to this Authority on 31 July 2023, Ms. XX complained that she had not obtained adequate feedback from Banca Popolare di Bari S.p.a. (hereinafter “BdM Banca” or “the credit institution” or “the bank”), to a request for access to personal data formulated pursuant to articles. 15 of the Regulation and 2-terdecies of the Code as heir of the deceased father.
In particular, the complainant represented how, following the request dated 16/3/2023, the credit institution, requested several times, first communicated that in the name of the deceased, "born on (...) it was not ] no relationship", while following further discussions, on 6/6/2023, he instead stated that there were "relationships in the name of the deceased", failing, however, to provide the requested data.
Following the invitation formulated by the Office to provide observations regarding the facts which are the subject of the complaint, as well as to spontaneously adhere to the requests formulated by the complainant, the Bank, with a note dated 18/9/2023 (addressed to the complainant and at the same time to the Authority ), in transmitting a copy of the note dated 4/9/2023 (then sent on 14/9/2023) with which partial feedback was provided to the interested party, also communicated that "the complete copy of the account statements and movements relating to the last 10 years of the current account relationship" could only be acquired following access to bank records and documents, formulated pursuant to art. 119 of Legislative Decree 385/1993 (so-called T.u.b.)
On the same date, the complainant, declaring herself dissatisfied with the feedback obtained, further renewed her request for access to all the data relating to the deceased "however held and preserved, without exclusion of any kind and not yet communicated [...]"; therefore, following further discussions between the parties, the Bank, with a note dated 2/10/2023 - sent to the complainant and the Authority - announced that it had taken steps "today to send a copy of the account statements relating to the latest ten years referring to current account no. (...) registered in the name of the deceased (...), after obscuring the data of third parties".
For the above, with a note dated 9/10/2023, the Office notified the Bank of the start of the procedure for the adoption of the measures referred to in the articles. 58, par. 2, and 83 of the Regulation, in compliance with the provisions of the art. 166, paragraph 5, of the Code, in relation to the violation of articles. 12, par. 3 and 4 and 15 of the Regulation.
With the same note, the Bank was invited to produce defensive writings or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, law no. 689 of November 24, 1981).
On 25/10/2023, the credit institution sent its defense writings, which are referred to in full here, with which, in describing the commitment made in training and raising awareness of staff regarding compliance with the principles regarding protection of personal data, - also through the adoption of a "Group Policy" and a "Privacy Manual" which regulates the "Operating procedure for the management of the rights of interested parties" -, highlighted how "the omitted timely response to the initial request of 16 March 2023 and subsequent reminders was determined by a series of operational problems attributable to three specific circumstances". In particular:
a) "incorrect addressing" of the request for access to the personal data relating to the deceased to an email inbox "formally intended for the reception of requests with different purposes and not to one of the two inboxes of the DPO (ordinary and PEC) specifically identified for the management and response to requests from interested parties, as clearly reported in the "Privacy" section of our website and in the customer privacy information, also available on the Bank's website. The correct sending of the request to one of the two addresses of the DPO would certainly have guaranteed the correct framing of the issue and the timely response within the terms established by the relevant legislation";
b) “wrong belief regarding the non-existence of relationships in the name of the deceased, as identified in the self-certification declaration produced by the lawyer attached to the request itself; said circumstance (erroneous indication of the date of birth) had, initially, led the U.O. Foreclosures and inheritances not to respond promptly to the request, believing that the Bank is not the real recipient of the request";
c) "incorrect classification of the request by the organizational unit receiving the original request of 16 March 2023, which treated and managed it as a request relating to the opening of an inheritance procedure, as also demonstrated by the request made by the same structure on 6 June last. integration of the documentation necessary for the definition of the practice itself".
In the same memorandum, the Bank, in observing that it had never been the recipient of any corrective measure by the Authority, highlighted that it had "promptly taken action in order to mitigate the negative consequences arising from the proposed violation", not only by "planning for the month of November 2023, a specific training activity for the central structure responsible for receiving requests for data and documents and for the one responsible for managing inheritance practices", but also preparing and publishing:
a) "with display on a bimonthly basis, specific awareness communication, via notice on the home page of the company intranet, aimed at reiterating the need to be interested within the short term envisaged in internal regulations (within the day following receipt), l 'office of the DPO in case of requests to exercise the rights of interested parties or requests that contain any regulatory reference to the legislation on the protection of personal data or doubts regarding the classification of the request';
b) "on the BdM website (www.popolarebari.it) in the "institutional" section, a link to the Privacy section, where the information is provided to correctly address requests to exercise the rights of interested parties".
2. The legislation regarding the protection of personal data.
The art. 12 of the Regulation provides that "the data controller adopts appropriate measures to provide the interested party with all [...] the communications referred to in articles 15 to 22 and article 34 relating to the processing" (para. 1) and that "the data controller facilitates the exercise of the rights of the interested party pursuant to articles 15 to 22” (para. 2).
Paragraph 3 of the same article specifies that "the data controller provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself. This deadline may be extended by two to six months if necessary, taking into account the complexity and number of requests. The data controller will inform the interested party of this extension, and of the reasons for the delay, within one month of receiving the request".
According to paragraph 4 of the same article, the data controller, if he does not comply with the request of the interested party, "informs the interested party without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility to lodge a complaint with a supervisory authority and to lodge a judicial appeal”.
The art. 15, par. 1 of the Regulation also provides that "the interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and in this case to obtain access to the personal data and […] information [indicated in the same Article 15].
The art. 2-terdecies, paragraph 1, of the Code, finally, provides that "the rights referred to in articles 15 to 22 of the Regulation referring to personal data concerning deceased persons can be exercised by those who have an interest of their own, or act to protect the interested, as his representative, or for family reasons worthy of protection".
3. The outcome of the investigation and the Authority's assessments.
Based on the documentation produced and the declarations made by the party during the proceedings, given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces documents or false documents is liable pursuant to art. 168 of the Code, it emerged that the Bank did not respond to the request for access to personal data formulated by the complainant, within the deadline set by the art. 12, par. 3 of the Regulation ("without unjustified delay and, in any case, at the latest within one month of receiving the request"), nor did it inform the interested party, within the same deadline, of the reasons for non-compliance as well as the possibility of lodging a complaint to a supervisory authority or a judicial appeal (art. 12, par. 4 of the Regulation).
In fact, only following the start of the investigation by the Authority did the credit institution (on the same date as that of the invitation to join) provide the interested party with an initial partial response, which was integrated, in the following days, by delivery of the requested documentation.
With reference to what was claimed by the Bank regarding the reasons that led to the delay in replying (incorrect addressing of the request for access to an email inbox formally intended for the reception of requests having purposes other than the exercise of rights), it must remember that the “Guidelines 01/2022 on data subject rights - Right of access”, adopted by the EDPB on 18 January 20222022 (subject to public consultation concluded on 11 March 2022), clarify that interested parties are not under the obligation to adopt a certain format for submitting requests to exercise the right of access (see Guidelines 01/2022 cit., point 52 “the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore , there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller” trad. unofficial “the General Data Protection Regulation does not impose any requirements on data subjects regarding the format of the request for access to personal data. Therefore, in principle, there are no requirements that the interested party is required to comply with when choosing a communication channel through which to contact the data controller).
4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2 of the Regulation.
For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the dismissal of this proceeding, as none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.
The failure to respond to the access request presented by the complainant pursuant to art. 2-terdecies of the Code, is in fact illicit, in the terms set out above, in relation to the art. 12 of the Regulation; on the other hand, in relation to the request to "order the data controller to satisfy the requests to exercise the rights referred to in the articles. from 15 to 22 of the Regulation", considering that the Bank, at the same time as the initiation of the investigation procedure by the Authority, having ascertained the misunderstanding, provided the complainant with an initial response and that the same was subsequently integrated by delivery of all the banking documentation referring to the deceased (without the application of the costs legally provided for by art. 119 of the Consolidated Banking Act), the prerequisite for the adoption of an injunctive measure by the Authority itself does not exist (art. 58 , par. 2, letters c) and d)).
It is also noted that the Company has developed detailed organizational measures for the management of requests relating to the exercise of rights pursuant to articles. 15-22 of the Regulation, with particular regard to the need for correct and timely identification of the same.
Therefore, the complaint presented pursuant to art. 77 of the Regulation must be considered well founded and this Authority, in exercising the corrective powers attributed to the Authority pursuant to art. 58, par. 2 of the Regulation provides for the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation.
5. Order of injunction.
Violation of the provisions mentioned above entails the application of the administrative sanction provided for by the art. 83, par. 5, letter. b), of the Regulation.
With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (art. 83, par. 1 of the Regulation), it is represented that, in the specific case, the circumstances reported below were taken into consideration:
a) the relevant nature of the violation, which concerned the provisions relating to the exercise of the rights of the interested parties;
b) the degree of responsibility of the owner which is attenuated since the same, as soon as he became aware of the violation, provided the interested party with the requested information;
c) the measures adopted by the owner to mitigate the negative consequences deriving from the offence, including the delivery of a copy of the banking documentation relating to the deceased relating to the last ten years;
d) collaboration with the Authority during the procedure;
e) the small number of interested parties involved (one);
f)  the organizational measures implemented in order to guarantee timely and adequate response to requests for the exercise of rights;
g) the absence of previous violations for the same case against BdM Banca S.p.a. (formerly Banca Popolare di Bari S.p.a.), (see art. 83, par. 2, and paragraph 148 of the Regulation).
In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, par. 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved referring to the financial statements for the year 2022 and it was also considered that the owner has never been the recipient of provisions referred to in the art. 58 of the Regulation.
On the basis of the aforementioned elements, evaluated as a whole, it is considered to determine the amount of the pecuniary sanction in the amount of 10,000.00 (ten thousand) euros for the violation of the art. 12, par. 3 and 4 of the Regulation.
In this framework, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website.
Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
ALL THE WHEREAS, THE GUARANTOR
declares, pursuant to articles. 57, par. 1, letter. f) and 83 of the Regulation, the illegality of the processing carried out, within the terms set out in the motivation, for the violation of art. 12, par. 3 and 4 of the Regulation.
ORDER
to BdM Banca S.p.a. (formerly Banca Popolare di Bari S.p.a.) with registered office in Corso Cavour n. 19 – Bari – C.F. 00254030729, pursuant to art. 58, par. 2, letter. i), of the Regulation, to pay the sum of 10,000 (ten thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;
ORDERS
to the same BdM Banca S.p.a. to pay the sum of 10,000.00 (ten thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981. We represent that pursuant to art. 166, paragraph 8 of the Code, the right remains for the violator to settle the dispute through the payment - always according to the methods indicated in the annex - of an amount equal to half of the sanction imposed within the deadline referred to in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.
HAS
pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of regulation no. 1/2019.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 7 March 2024
PRESIDENT
Stantion
THE SPEAKER
Ghiglia
THE GENERAL SECRETARY
Mattei