Cass.Civ. - 9313/2023: Difference between revisions
No edit summary |
m (Mg moved page Cass. - 9313/2023 to Cass.Civ. - 9313/2023) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 64: | Line 64: | ||
}} | }} | ||
The Supreme Court of Cassation stated that | The Supreme Court of Cassation stated that a controller should respond to an access request, even if such a response is a negative one. | ||
== English Summary == | == English Summary == | ||
Line 80: | Line 80: | ||
The DPA stressed the incontrovertible fact that Ing Bank had not met the request for access to the documents, making it impossible for the data subject to know whether it possessed their personal data and to verify the legitimacy of the data collection. | The DPA stressed the incontrovertible fact that Ing Bank had not met the request for access to the documents, making it impossible for the data subject to know whether it possessed their personal data and to verify the legitimacy of the data collection. | ||
According to the Court of Cassation, the controller should have responded to the request, even if the response was a negative one. Contrary to what was held by the first instance Court, it held that the burden of | According to the Court of Cassation, the controller should have responded to the request, even if the response was a negative one. Contrary to what was held by the first instance Court, it held that the burden of showing whether or not it is processing personal data is on the controller and not on the data subject making the request. | ||
Similarly, it emphasized that, pursuant to Article 12(5), the controller has the burden of demonstrating the manifestly unfounded or excessive nature of the request. In any case, the Court of Cassation stated, from the literal wording of the last-mentioned provision it clearly emerges that the controller must always acknowledge the request, even in negative terms, as it cannot hide behind a non liquet. | Similarly, it emphasized that, pursuant to Article 12(5) GDPR, the controller has the burden of demonstrating the manifestly unfounded or excessive nature of the request. In any case, the Court of Cassation stated, from the literal wording of the last-mentioned provision it clearly emerges that the controller must always acknowledge the request, even in negative terms, as it cannot hide behind a non liquet. | ||
In the Court's view, the challenged decision unlawfully burdened the data subject with demonstrating that the controller was in possession of their personal data, which amounts to the burden of producing diabolical proof. Therefore, it held that the decision inverted the burden of proof which, clearly and for the aforementioned reasons, must instead be placed on the recipient of the access request, who has at least the obligation to respond to it, even if in negative terms. | In the Court's view, the challenged decision unlawfully burdened the data subject with demonstrating that the controller was in possession of their personal data, which amounts to the burden of producing diabolical proof. Therefore, it held that the decision inverted the burden of proof which, clearly and for the aforementioned reasons, must instead be placed on the recipient of the access request, who has at least the obligation to respond to it, even if in negative terms. | ||
Line 89: | Line 89: | ||
== Comment == | == Comment == | ||
The decision frames the legal issues in terms of burden of proof. However, it may be argued that "diabolical proof" is not only the one that a data subject should provide about the existence of a processing concerning them, but also the one requested to the controller, in case they want to demonstrate that personal data are not processed. As a matter of fact, it seems more reasonable and straightforward to argue that a controller, regardless of the burden of proof, has always an obligation to reply to an access request, even if the content of such a reply is merely negative. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 14:01, 21 June 2023
Cass.Civ. - 9313 | |
---|---|
Court: | Cass.Civ. (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 12(5) GDPR Article 15 GDPR |
Decided: | 04.04.2023 |
Published: | |
Parties: | ING Bank |
National Case Number/Name: | 9313 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | Italian |
Original Source: | Corte di Cassazione (in Italian) |
Initial Contributor: | Bernardo Armentano |
The Supreme Court of Cassation stated that a controller should respond to an access request, even if such a response is a negative one.
English Summary
Facts
The Court of Milan rejected a claim brought by the data subject against the controller, ING Bank, relating to the non-compliance with an access request made on the basis of Article 15 GDPR.
The Court accepted the arguments of the controller, who denied having processed the data subject's data, and stated that they failed to prove that the bank was the controller in relation to the processing of their data. On this basis, it rejected the claim.
The data subject challenged the decision with appeal to cassation, arguing that there was a wrong application of Articles 12 and 15 GDPR.
Holding
The DPA highlighted that Article 12 GDPR burdens the controller with the obligation to provide data subjects with information regarding the existence of personal data as a result of the access request presented by them. Therefore, contrary to what was decided by the first instance, Ing Bank should have provided a complete reply to the access request within one month or at least should have asked for a deadline extension.
The DPA stressed the incontrovertible fact that Ing Bank had not met the request for access to the documents, making it impossible for the data subject to know whether it possessed their personal data and to verify the legitimacy of the data collection.
According to the Court of Cassation, the controller should have responded to the request, even if the response was a negative one. Contrary to what was held by the first instance Court, it held that the burden of showing whether or not it is processing personal data is on the controller and not on the data subject making the request.
Similarly, it emphasized that, pursuant to Article 12(5) GDPR, the controller has the burden of demonstrating the manifestly unfounded or excessive nature of the request. In any case, the Court of Cassation stated, from the literal wording of the last-mentioned provision it clearly emerges that the controller must always acknowledge the request, even in negative terms, as it cannot hide behind a non liquet.
In the Court's view, the challenged decision unlawfully burdened the data subject with demonstrating that the controller was in possession of their personal data, which amounts to the burden of producing diabolical proof. Therefore, it held that the decision inverted the burden of proof which, clearly and for the aforementioned reasons, must instead be placed on the recipient of the access request, who has at least the obligation to respond to it, even if in negative terms.
For these reasons, the Court enunciated the following principle of law: "With regard to personal data processing matters, the subject burdened with the obligation to provide an answer in relation to the possession (or not) of the data is the recipient of the access request, who always have to reply, even if in negative terms, expressly declaring to be, or not, in its possession".
Comment
The decision frames the legal issues in terms of burden of proof. However, it may be argued that "diabolical proof" is not only the one that a data subject should provide about the existence of a processing concerning them, but also the one requested to the controller, in case they want to demonstrate that personal data are not processed. As a matter of fact, it seems more reasonable and straightforward to argue that a controller, regardless of the burden of proof, has always an obligation to reply to an access request, even if the content of such a reply is merely negative.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
JUDGMENT Civil cassation section I - 04/04/2023, no. 9313 Heading THE SUPREME COURT OF CASSATION FIRST CIVIL SECTION Composed of the Distinguished Magistrates: XXX XXX XXX XXX said the following: ORDER on appeal no. 8263-2021 reg. proposed by: C.A. (tax code (Omissis)), represented and defended, just special power of attorney affixed at the bottom of the appeal, by the Lawyer XXX, at whose office he is electively domiciled in XXX - applicant - against ING BANK N.V., General Representative for Italy, (tax code VAT number (Omissis)), in the person of the pro tempore legal representative; - intimated - against the judgment of the Court of Milan, filed on 2.16.2021; having heard the report of the case carried out in the council chamber of the 2/24/2023 by Councilor XXX. FOUND THAT 1. With the non-appealable sentence challenged here with an appeal for cassation on Court of Milan rejected the request proposed by the C. against ING BANK N. V., time to do ascertain the non-fulfillment of the latter with the obligation to verify the instance of access to the personal data forwarded with pec communication dated 11.18.2019. The Court first of all recalled that the C. had assumed, basis of his claim, the circumstance according to which the latter had submitted on 11.18.2019, by pec, request for access to data personal and that the bank had violated the EU Regulation 2016-679 (articles 15 and following GDPR) and Legislative Decree no. 196 of 2003, art. 7, in order to provide a complete and timely response to this request; he remembered that the defendant Ing Bank N.V., in appearing in court, had, among other things, disputed having processed the personal data of the C.; however noted that the actor does not had fulfilled the burden of allegation and proof - on the same burden, in view of the dispute of defendant - of the existence of the prerequisite for the liability of Ing Bank N.V., presupposition constituted by the possession of the latter of the quality of owner or of responsible for the processing of the applicant's personal data, hereby thus imposing itself the rejection of the application. 2. The sentence, published on 16 February 2021, was challenged by C.A. with appeal for cassation, entrusted to three reasons. The summoned company did not defend itself. WHEREAS 1. With the first reason, the appellant complains, pursuant to art. 360 c.p.c., paragraph 1, no. 3, violation and false application of the European Regulation n. 679 of 2016, articles 12 and 15 e of the art. 1175 of the Civil Code. 1.1 The reason is well founded. 1.2 As correctly observed by the appellant, EU Reg. no. 679 of 2016, art. 12 charges the addressee of the request for access to the documents to be provided to the requesting information regarding the existence of personal data, and this only for effect of the access instance presented by the interested party. It follows that, contrary to what was claimed by the judge of first instance, the Ing Bank N.V. should have provided a complete response to the request for access to the records within i terms established by current legislation (see EU Reg. No. 2016-679, art. 12, paragraph 3) or at least he should have asked for an extension in order to carry out any checks. 2.3 It is, however, a non-controversial circumstance (and in any case ascertained also in the judgment under appeal) that Ing Bank N.V. had not found the aforementioned instance of access to the documents, thus not allowing the applicant to know the eventual possession of your personal data and to verify the legitimacy of the data collection procedure themselves. 2.4 It should in fact be clarified that, on the basis of the aforementioned legislation, the Ing Bank would had to provide an answer to the request of the interested party, even if the feedback itself had had a negative result. Contrary to what the Court held, it is the addressee of the access instance data to have to be considered burdened with the obligation to provide an answer in order at possession or not of the aforesaid personal data and cannot instead be considered the burdened moment proof of that factual circumstance. 2.5 The art. 12 of the EU Reg. mentioned above is in fact clear in ruling, expressly in his paragraph 3, that "The data controller provides the data subject with the related information to the action taken with respect to a request pursuant to Articles 15 at 22 without unjustified delay and, in any case, at the latest within one month from receipt of the request itself. This deadline may be extended by two months if necessary held account of complexity and number of requests. The data controller informs the interested party this extension, and the reasons for the delay, within one month of receipt of the request. Self the interested party submits the request by electronic means, le information is provided, where possible, by electronic means, unless otherwise indicated of the interested party", adding, moreover, in paragraph 4 that "If he does not comply with the request of the interested party, the the data controller informs the data subject without delay, and at the latest within a month of receipt of the request, the reasons for the non-compliance and the possibility to propose complaint to a supervisory authority and to lodge a judicial remedy". But it is however the paragraph 5 of the aforementioned art. 12 to expressly specify, and for how long here of interest in this dispute, which "incumbent on the owner of the treatment the burden of demonstrate the manifestly unfounded or excessive nature of the request". 2.6 However, it emerges from the literal wording of the provision last cited clearly that the recipient of the data access request must always find the instance of the interested party, even in negative terms, not being able to hide behind to a non liquet. On the other hand, the contested sentence unlawfully burdened the applicant, in the especially the C., della demonstration in court of ownership and possession by Ing Bank N.V. dei personal data concerning him, thereby, on the one hand, burdening the part of a proof diabolical (since it is not clear how C. could provide such proof) and, on the other, reversing the burden of proof that, clearly and for the aforementioned reasons, it must be placed instead at the expense of the recipient of the access request, who has at least the obligation to respond to the interested party, even in the negative terms above clarify. 3. The acceptance of the first reason determines the absorption of the remaining ones reasons, with which the appellant alleges, in the second, lack of "motivation in relation to art. 360 c.p.c. no. 4" and, in the third, vice of "failure to examine the facts decisive for the judgment in relation to art. 360c.p.c. no. 5", in relation to the lack of examination by the first judge degree of evidence documents and testimonials, articulated in the proceedings before the Court, capable of demonstrating possession by Ing Bank N.V. of the data for which it is requested the ostension. The following principle of law must therefore be enunciated: "Regarding the processing of personal data, the subject charged of the obligation to supply the recipient is the answer as to possession (or not) of sensitive data of the instance of access and not instead the instant, since the first must always find the instance of the interested party, even in negative terms, expressly declaring to to be, or not, in possession of the data the ostension of which is requested". P.Q.M. accepts the first ground of appeal; declares the remaining reasons absorbed; case the sentence challenged and refers to the Court of Milan, in the person of a different judge, for the decision also of the expenses of the present judgment of legitimacy. Decided in Rome on February 24, 2023. Filed in the Registry on 4 April 2023