Cass.Civ. - 9313/2023

From GDPRhub
Cass.Civ. - 9313
Courts logo1.png
Court: Cass.Civ. (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(5) GDPR
Article 15 GDPR
Decided: 04.04.2023
Parties: ING Bank
National Case Number/Name: 9313
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Italian
Original Source: Corte di Cassazione (in Italian)
Initial Contributor: Bernardo Armentano

The Supreme Court of Cassation stated that a controller should respond to an access request, even if such a response is a negative one.

English Summary


The Court of Milan rejected a claim brought by the data subject against the controller, ING Bank, relating to the non-compliance with an access request made on the basis of Article 15 GDPR.

The Court accepted the arguments of the controller, who denied having processed the data subject's data, and stated that they failed to prove that the bank was the controller in relation to the processing of their data. On this basis, it rejected the claim.

The data subject challenged the decision with appeal to cassation, arguing that there was a wrong application of Articles 12 and 15 GDPR.


The DPA highlighted that Article 12 GDPR burdens the controller with the obligation to provide data subjects with information regarding the existence of personal data as a result of the access request presented by them. Therefore, contrary to what was decided by the first instance, Ing Bank should have provided a complete reply to the access request within one month or at least should have asked for a deadline extension.

The DPA stressed the incontrovertible fact that Ing Bank had not met the request for access to the documents, making it impossible for the data subject to know whether it possessed their personal data and to verify the legitimacy of the data collection.

According to the Court of Cassation, the controller should have responded to the request, even if the response was a negative one. Contrary to what was held by the first instance Court, it held that the burden of showing whether or not it is processing personal data is on the controller and not on the data subject making the request.

Similarly, it emphasized that, pursuant to Article 12(5) GDPR, the controller has the burden of demonstrating the manifestly unfounded or excessive nature of the request. In any case, the Court of Cassation stated, from the literal wording of the last-mentioned provision it clearly emerges that the controller must always acknowledge the request, even in negative terms, as it cannot hide behind a non liquet.

In the Court's view, the challenged decision unlawfully burdened the data subject with demonstrating that the controller was in possession of their personal data, which amounts to the burden of producing diabolical proof. Therefore, it held that the decision inverted the burden of proof which, clearly and for the aforementioned reasons, must instead be placed on the recipient of the access request, who has at least the obligation to respond to it, even if in negative terms.

For these reasons, the Court enunciated the following principle of law: "With regard to personal data processing matters, the subject burdened with the obligation to provide an answer in relation to the possession (or not) of the data is the recipient of the access request, who always have to reply, even if in negative terms, expressly declaring to be, or not, in its possession".


The decision frames the legal issues in terms of burden of proof. However, it may be argued that "diabolical proof" is not only the one that a data subject should provide about the existence of a processing concerning them, but also the one requested to the controller, in case they want to demonstrate that personal data are not processed. As a matter of fact, it seems more reasonable and straightforward to argue that a controller, regardless of the burden of proof, has always an obligation to reply to an access request, even if the content of such a reply is merely negative.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.


Civil cassation section I - 04/04/2023, no. 9313


                      THE SUPREME COURT OF CASSATION
                          FIRST CIVIL SECTION

                Composed of the Distinguished Magistrates:

said the following:

on appeal no. 8263-2021 reg. proposed by:
               C.A. (tax code (Omissis)), represented and defended,

just special power of attorney affixed at the bottom of the appeal, by the Lawyer
XXX, at whose office he is electively domiciled in XXX

- applicant -
ING BANK N.V., General Representative for Italy, (tax code

VAT number (Omissis)), in the person of the pro tempore legal representative;
- intimated -
against the judgment of the Court of Milan, filed on

having heard the report of the case carried out in the council chamber of the
2/24/2023 by Councilor XXX.


1. With the non-appealable sentence challenged here with an appeal for cassation on
Court of

Milan rejected the request proposed by the C. against ING BANK N.

V., time to do

ascertain the non-fulfillment of the latter with the obligation to verify
the instance of access to the

personal data forwarded with pec communication dated 11.18.2019. The Court first of all recalled that the C. had assumed,

basis of his claim, the circumstance according to which the latter had
submitted on 11.18.2019, by pec, request for access to data
personal and that the bank had violated the
EU Regulation 2016-679 (articles 15 and following GDPR) and Legislative Decree no. 196 of 2003,
art. 7, in
order to provide a complete and timely response to this request;
he remembered that

the defendant Ing Bank N.V., in appearing in court, had, among other things,
disputed having
processed the personal data of the C.; however noted that the actor does not
had fulfilled the burden of
allegation and proof - on the same burden, in view of the
dispute of

defendant - of the existence of the prerequisite for the liability of
Ing Bank N.V.,
presupposition constituted by the possession of the latter of the quality of
owner or of
responsible for the processing of the applicant's personal data, hereby
thus imposing itself

the rejection of the application.

2. The sentence, published on 16 February 2021, was challenged by C.A. with
appeal for
cassation, entrusted to three reasons.

The summoned company did not defend itself.


1. With the first reason, the appellant complains, pursuant to art. 360 c.p.c.,
paragraph 1, no. 3,
violation and false application of the European Regulation n. 679 of 2016,
articles 12 and 15 e

of the art. 1175 of the Civil Code.

1.1 The reason is well founded.

1.2 As correctly observed by the appellant, EU Reg. no. 679 of 2016,
art. 12 charges the

addressee of the request for access to the documents to be provided to the
requesting information
regarding the existence of personal data, and this only for effect
of the access instance
presented by the interested party. It follows that, contrary to what was claimed by the judge of first instance,
the Ing Bank
N.V. should have provided a complete response to the request for access

to the records within i
terms established by current legislation (see EU Reg. No. 2016-679, art. 12,
paragraph 3) or

at least he should have asked for an extension in order to carry out
any checks.

2.3 It is, however, a non-controversial circumstance (and in any case ascertained

also in the
judgment under appeal) that Ing Bank N.V. had not found the aforementioned
instance of

access to the documents, thus not allowing the applicant to know
the eventual
possession of your personal data and to verify the legitimacy of the

data collection procedure


2.4 It should in fact be clarified that, on the basis of the aforementioned legislation, the

Ing Bank would
had to provide an answer to the request of the interested party, even if the
feedback itself

had had a negative result.

Contrary to what the Court held, it is the addressee
of the access instance

data to have to be considered burdened with the obligation to provide an answer in
order at

possession or not of the aforesaid personal data and cannot instead be considered
the burdened moment
proof of that factual circumstance.

2.5 The art. 12 of the EU Reg. mentioned above is in fact clear in ruling,
expressly in his
paragraph 3, that "The data controller provides the data subject with the
related information
to the action taken with respect to a request pursuant to Articles 15
at 22 without

unjustified delay and, in any case, at the latest within one month from
receipt of the request
itself. This deadline may be extended by two months if necessary held
account of
complexity and number of requests. The data controller informs
the interested party this extension, and the reasons for the delay, within one month of receipt of the
request. Self
the interested party submits the request by electronic means, le
information is provided,

where possible, by electronic means, unless otherwise indicated
of the interested party",
adding, moreover, in paragraph 4 that "If he does not comply with the request
of the interested party, the
the data controller informs the data subject without delay, and at the latest
within a month of

receipt of the request, the reasons for the non-compliance and the
possibility to propose
complaint to a supervisory authority and to lodge a judicial remedy". But
it is however the
paragraph 5 of the aforementioned art. 12 to expressly specify, and for how long
here of

interest in this dispute, which "incumbent on the owner of the
treatment the burden of
demonstrate the manifestly unfounded or excessive nature of the

2.6 However, it emerges from the literal wording of the provision last cited

that the recipient of the data access request must always
find the instance
of the interested party, even in negative terms, not being able to hide behind
to a non liquet.

On the other hand, the contested sentence unlawfully burdened the applicant, in the
especially the C., della

demonstration in court of ownership and possession by Ing
Bank N.V. dei
personal data concerning him, thereby, on the one hand, burdening the part of
a proof

diabolical (since it is not clear how C. could provide such proof)
and, on the other,
reversing the burden of proof that, clearly and for the aforementioned reasons,

it must be

placed instead at the expense of the recipient of the access request, who has
at least
the obligation to respond to the interested party, even in the negative terms above

3. The acceptance of the first reason determines the absorption of the remaining ones
reasons, with which

the appellant alleges, in the second, lack of "motivation in relation
to art. 360 c.p.c. no. 4" and,
in the third, vice of "failure to examine the facts decisive for the judgment in
relation to art. 360c.p.c. no. 5", in relation to the lack of examination by the first judge
degree of evidence

documents and testimonials, articulated in the proceedings before the Court,

capable of demonstrating
possession by Ing Bank N.V. of the data for which it is requested
the ostension.

The following principle of law must therefore be enunciated:

"Regarding the processing of personal data, the subject charged

of the obligation to supply

the recipient is the answer as to possession (or not) of sensitive data
of the instance of
access and not instead the instant, since the first must always find the instance
of the interested party, even in negative terms, expressly declaring to
to be, or not,

in possession of the data the ostension of which is requested".


accepts the first ground of appeal; declares the remaining reasons absorbed;

case the sentence

challenged and refers to the Court of Milan, in the person of a different judge, for
the decision also of the expenses of the present judgment of legitimacy.

Decided in Rome on February 24, 2023.

Filed in the Registry on 4 April 2023