Garante per la protezione dei dati personali (Italy) - 10007853
Garante per la protezione dei dati personali - 10007853 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 19.12.2020 |
Decided: | 07.03.2024 |
Published: | |
Fine: | 20,000 EUR |
Parties: | Banca di Credito Cooperativa di Spinazzola |
National Case Number/Name: | 10007853 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante (in IT) |
Initial Contributor: | im |
The DPA held that a data subject has a right to access their data regardless of the purpose of the request. The controller shall not assume a purpose and refuse to act on the basis that such a purpose is illegitimate.
English Summary
Facts
A data subject lodged a complaint against Banca di Credito Cooperativa di Spinazzola, a bank (‘controller’) where she worked. She made an access request pursuant to Article 15 GDPR in order to find out what information gave rise to a disciplinary sanction against her.
The bank failed to respond adequately to the request as it only provided certain data, omitting evaluation documents on the basis of which the disciplinary sanction was imposed. The data subject was informed that she lacked legitimate interest to have access to these documents because the employment relationship ceased back in 2014 and the appeal against the sanction was no longer possible.
It was only after the opening of the investigation by the DPA that the bank handed over to the former employee the further documentation contained in the file. This concerned, in particular, correspondence between the controller and a third person, who complained about the data subject unlawful disclosure of information of a current bank account holder in the context of disciplinary proceedings.
The bank argued that displaying correspondence with third person could violate its confidentiality and rights in judicial proceedings. Additionally, the right to access information provided for in Article 15(1) GDPR cannot be exercised by the employee that was unable to obtain the information on the basis of labour law provisions.
Holding
Firstly, the DPA held that the controller was not compliant with Article 12(3) and (4) GDPR for failing to disclose the reasons for the non-delivery of the additional documentation.
Secondly, the DPA noted that as a general rule, the purpose of the right of access is to enable the data subject to have control over their personal data and to verify its accuracy. This right cannot be denied or limited in case of another purpose of the request. In fact, Article 12 and 15 GDPR indicate that data subjects are not required to state a reason or a particular need to justify their requests to exercise their rights. Accordingly, the controller should not deny access on the ground or suspicion that the requested data is meant to be used by the data subject to defend themselves in court in case of dispute with the controller, and the term for this legal action has expired. In this regard, the EDPB Guidelines on the right of access clarified that the controller should not assess "why" the data subject is requesting access, but only "what" the data subject is requesting.
As a result, the bank was fined €20,000 for the breach of Article 12(3), (4) and 15 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO Newsletter of 3 May 2024 [doc. web no. 10007853] Provision of 7 March 2024 Register of measures n. 137 of 7 March 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter “Code”) as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; GIVEN the complaint presented by Mrs. XX, pursuant to art. 77 of the Regulation, with which a violation of the regulations regarding the protection of personal data by Banca di Credito Cooperativo Appulo Lucana soc was complained of. cooperative (formerly Banca di Credito Cooperativa di Spinazzola); GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000; SPEAKER the lawyer. Guido Scorza; PREMISE 1. The preliminary investigation. With the complaint presented to this Authority on 12/19/2020, regularized on 11/10/2021, Ms. XX represented that she had formulated a request to exercise her rights, pursuant to art. 15 of the Regulation, against the Banca di Credito Cooperativa di Spinazzola (now Banca di Credito Cooperativo Appulo Lucana cooperative company following the merger, hereinafter "the Bank"), of which she had been an employee, and of having received a non-compliant response suitable. The request, in particular, was aimed at obtaining "access to the personal data contained in one's personal file, a copy of the same and in particular to the data contained in the disciplinary proceedings file (...) to know, in a precise and timely manner, all information concerning you (evaluative and non-evaluative data) concerning the facts and behaviors (...) resulting in the disciplinary sanction imposed by the Bank" (request dated 07/10/2020). The complainant complained that the feedback provided by the Bank, dated 03/11/2020, was not suitable, as it consisted of a "communication and list, which was not complete, only of the correspondence between the parties relating to the aforementioned disciplinary proceedings" lacking of the further information on the basis of which the disciplinary sanction had been imposed on her. In relation to the complaint, the Office invited the Bank to provide observations on what was represented, to clarify whether all the data contained in the complainant's personal file, and in particular the documents relating to the disciplinary proceedings, had already been communicated at the time and, if not, to provide a copy (note dated 04/29/2022). With communication dated 17/05/2022, the Bank represented, preliminarily, that it had given immediate response to the request to exercise the rights formulated by the complainant "by providing a large body of information relating to the processing of her personal data, through documentation referring to the disciplinary proceedings against you", believing, in this way, to have allowed you to know the reasons behind the proceedings and the assessments carried out. With the same note, the Bank sent further documentation, referring to the disciplinary proceedings, "in which those personal data not referring to your person were made appropriately illegible, pursuant to art. 15, paragraph 4, of the GDPR". 2. The initiation of the proceedings. Having examined the documents received, the Office proceeded to notify the Bank of the initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles. 12, par. 3 and 4, and 15 of the Regulations (note dated 07/09/2022). The Bank, on 06/10/2022, sent its defense writings, pursuant to art. 18 of law no. 689/1981, with which he reiterated, preliminarily, his conviction regarding the exhaustive and timely response to the complainant's request. In fact, the Bank argued that: - "the documentation provided (...) in response to the first request made on 09.10.2020 allowed, (...), to ‹‹know all the information concerning her regarding the facts and behaviors deemed irregular which resulted in the disciplinary sanction›› in relation to the facts underlying the disciplinary proceedings, the assessments carried out, the underlying reasons that led to the dismissal"; - "the complainant, ultimately, complained about the fact that nothing was attached by the credit institution regarding the correspondence exchanged with (omissis), i.e. regarding an object very different from that relating to the original request"; - "the disclosure, initially refused by this Bank, of the correspondence between the Bank and (omissis) could have harmed not only the confidentiality of the latter, but also its rights in court (...)"; - "at the same time, it must be highlighted that the corresponding right of defense in the disciplinary proceedings against the (complainant) finds no reason to be protected through access to information" having intervened at a time in which the disciplinary proceedings could no longer be contested; - "from the above, derives the natural, reasonable and full conviction of having complied exactly with the request and therefore in compliance with current legislation (...). It can be seen that the undersigned Bank believes it has acted correctly and consistently, also with respect to its decision not to provide the further communication referred to in par. 4, of the art. 12 of the Regulation, the omission of which is also contested here and which instead, (...) cannot be invoked. This is because the rule (which provides for the obligation to communicate the reasons for the lack of response and the timely notice on the available protections) takes on a supplementary operational role subject to the failure to respond within the deadlines established by the art. 12, par. 3, of the Regulation"; From another perspective, the Bank observed that: - “the right of access should concern personal data as well as the information provided for by par. 1 of the art. 15 and, at least as a rule, not the documents that contain them, nor the documents containing information relating to events and third parties and can (rectius must) be limited to protect the rights and freedoms of others, such as the right of defense of bank responsible for the processing"; - "on this occasion, it seems possible to note that the general right of access pursuant to art. 15 of the GDPR cannot be used by the worker to obtain a benefit that he cannot request based on the relevant sector regulations, such as labor law (...)". Finally, the Bank communicated, on 01/24/2024, that it was waiving the hearing initially requested "deeming there to be no further elements and arguments to bring to attention, in addition to what was already set out in the defense briefs". 3. The outcome of the investigation. Upon examination of the documentation produced and the declarations made by the party during the proceedings, given that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the Bank, in response to the request to exercise the rights formulated by the complainant on 07/10/2020, provided partial feedback and, only following the start of the investigation by the Authority, delivered the further documentation contained in the complainant's personal file. Preliminarily, it is highlighted that the Banca di Credito Cooperativa di Spinazzola, under which the complainant worked and against which the request to exercise the rights pursuant to art. 15 of the Regulation, was canceled following the merger, through incorporation, into Banca di Credito Cooperativo Appulo Lucana soc. cooperative on 06/05/2022 and that, therefore, on the basis of the provisions of the art. 2504-bis of the Civil Code. and of the "Provisions regarding mergers and demergers between companies" adopted by the Authority on 04/08/2009 (available on the website doc. no. 1609999), this provision is adopted with respect to the incorporating company that takes over in the active and passive relationships of the incorporated company. Having said this, with reference to the arguments put forward by the Bank in the defense briefs referred to above, it is clear that the Authority, having examined the complaint and the requests underlying it, invited the Bank to clarify whether further data and information relating to the complainant (referring in particular to the disciplinary proceedings initiated against him) that had not already been delivered, inviting him, if necessary, to do so (note dated 04/29/2022). In response to the invitation to join, the Bank proceeded to send additional documentation, consisting of the correspondence between the Bank itself and a third party and which, on the basis of what emerged from the investigation carried out as well as the declarations of the Bank itself, constituted an integral part of the documents underlying the disciplinary proceedings (see, in this regard, the Bank's response dated 17/05/2022 in which it declared: "the following supplementary documentation relating to the disciplinary proceedings against you is attached (...)"). In particular, it concerned the correspondence maintained by the Bank with a third party who complained about the illicit communication of confidential information of an account holder (the complainant's brother) and used by the complainant in the context of judicial proceedings. The Bank, in the feedback notes to this Authority, justified the initial failure to show this documentation due to the implications that would have arisen for the right of defense and the protection of third party confidentiality. However, it does not appear that these reasons were made known to the complainant, who was only omitted the additional documentation and reported "the lack of interest in access both because the employment relationship ended way back in 2014 and because the disciplinary sanction issued (...) was not challenged within the deadlines" (see note dated 03/11/2020 in response to the request for access). In light of the above, the Bank's conduct was deemed not to comply with the provisions of the art. 12, par. 4 of the Regulation, having failed to disclose the reasons for the failure to deliver the additional documentation, despite having been the subject of a specific request. However, as regards the needs underlying the access request made by the complainant, some observations need to be made. In general, it is noted that the right of access has the purpose of allowing the interested party to have control over the personal data concerning him and, in particular, to "be aware of the processing and verify its lawfulness" (see Cons. 63); however, this does not mean that this right must be denied or limited when the basis of the request is the pursuit of a different objective. In fact, from reading the combined provisions of the articles. 12 and 15 of the Regulation there is no need for interested parties to indicate a reason or a particular need to justify their requests to exercise their rights, nor is the data controller recognized the possibility of asking for the reasons for the request. This interpretation was also clarified by the EBDP through the approval of the Guidelines on the right of access (see, in particular, point 2.1 which states that "data controllers should not evaluate "why" the interested party requests access, but only "what" the data subject requests (see section 3 on analysis of the request) and whether they hold personal data relating to that person (see section 4). Therefore, for example, the data controller does not should deny access for reasons or suspicion that the requested data could be used by the interested party to defend himself in court in the event of dismissal or commercial dispute with the data controller) and is the result of a constant jurisprudential orientation of the Court of Justice (see, most recently, sentence C307/22). Therefore, given that the complainant's request to access all the data and information forming part of her personal file and underlying the disciplinary proceedings concerning her is lawful, it is noted that her evasion could not be subordinated to the occurrence of certain conditions or to the pursuit of particular objectives, among other things not foreseen by the legislator. The ruling of the Civil Court of Cassation, referred to by the party in its defense briefs, according to which the employer is not obliged to make the company documentation relating to the facts underlying a disciplinary proceeding available to the worker, concerns a different and not comparable situation with the one under consideration. This ruling, in fact, refers to the particular situation in which the request is made by the worker as part of the disciplinary procedure referred to in art. 7 of law no. 300/1970. Differently, the relevant jurisprudence has on several occasions reiterated that the right of access derives, in addition to the legislation on the protection of personal data, from "respect for the canons of good faith and correctness incumbent on the parties to the employment relationship pursuant to of the articles 1175 and 1375 of the Civil Code, as is confirmed by the fact that, for some time, the collective bargaining of the sector in question provides that the employing company must keep, in a specific personal file, all the deeds and documents produced by the entity or by the employee himself, which relate to the professional career, the activity carried out and the most significant facts concerning him and that the employee has the right to freely view the deeds and documents included in his personal file" (Court of Cassation 7 April 2016, n. 6775). Consistent with this approach, the Authority, in its provisions, has often called on data controllers to respond to requests from interested parties in relation to requests relating to the employment relationship and, therefore, relating to data and information contained in the personal file , even when it concerns information underlying disciplinary proceedings (most recently see provision no. 290 of 07/06/2023, web doc. no. 9927300). Lastly, with reference to the format in which the data must be made available instantly and, that is, whether it is sufficient to provide the data and not also the documents in which they are present, it must be observed that, pursuant to art. 12, of the Regulation “The data controller adopts appropriate measures to provide the interested party with all the information referred to in articles 13 and 14 and the communications referred to in articles 15 to 22 relating to the processing in a concise, transparent, intelligible and easily accessible form. accessible, with simple and clear language". This rule, correctly interpreted, attributes to the data controller, within the scope of the principle of accountability, the task of identifying the most complete and satisfactory form with which to verify access requests, in compliance with the provisions of the art. 12 mentioned above. Even in this case, it is worth remembering the clarifications made by the EBDP in the Guidelines on the right of access where, with respect to this particular issue, it is specified that "The obligation to provide a copy should not be understood as an additional right of the interested party, but as a method of accessing data" and which, therefore, "does not aim to broaden the scope of the right of access: it refers (only) to a copy of the personal data being processed, not necessarily to a reproduction of the original documents" ( see section 2, point 23, of the Guidelines). So, “doing some sort of data compilation and/or extraction to make the information easy to understand could, in some cases, be a way to meet these requirements. In other cases the information is better understood by providing a copy of the actual document containing the personal data. Therefore, the most suitable form must be decided on a case-by-case basis” (see point 153 of the Guidelines). With respect to the case in question, it is observed that the delivery of the documentation containing the personal data of the complainant underlying the disciplinary proceedings constituted the only suitable method to allow access according to the aforementioned principles of correctness and transparency. 4. Conclusions: illegality of the treatments carried out. In light of the previous assessments, it is noted that the declarations made by the data controller in the defense writings ˗ the truthfulness of which can be called upon to respond pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the proceedings and are insufficient to allow them to be archived, as, moreover, none of the cases provided for by the art. 11 of the Guarantor's regulation no. 1/2019, concerning the internal procedures of the Authority with external relevance. For the above reasons, therefore, the complaint presented pursuant to art. is declared founded. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2 of the Regulation provides for the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation. 5. Order of injunction. The Guarantor, pursuant to art. 58, par. 2, letter. i) of the Regulation and of the art. 166 of the Code, has the power to inflict a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data relating to the complainant, whose illegality has been ascertained, within the terms set out above. With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (art. 83, par. 1 of the Regulation), it is represented that, in the specific case, the circumstances reported below were taken into consideration: - with regard to the nature, gravity and duration of the violation, the nature of the violation which concerned the provisions relating to the exercise of the rights of the interested parties was considered relevant; - the absence of previous relevant violations committed by the data controller; - the circumstance that the owner provided feedback to the complainant's request during the proceedings. In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, par. 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2022. On the basis of the aforementioned elements, evaluated as a whole, it is considered to determine the amount of the pecuniary sanction in the amount of 20,000.00 (twenty thousand) euros for the violation of the articles. 12, par. 3 and 4, and 15 of the Regulation. In this context, also in consideration of the type of violation ascertained, which affected the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website. Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THE WHEREAS, THE GUARANTOR declares, pursuant to articles. 57, par. 1, letter. f) and 83 of the Regulation, the illegality of the processing carried out, within the terms set out in the motivation, for the violation of the articles. 12, par. 3. and 4, and 15 of the Regulations; ORDER to Appulo Lucana Cooperative Credit Bank, in the person of the pro-tempore legal representative, with registered office in Spinazzola (BT), Corso Umberto I n. 65, P.I. 00256810722, pursuant to art. 58, par. 2, letter. i), of the Regulation, to pay the sum of 20,000.00 (twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; ORDERS to the same Company to pay the sum of 20,000.00 (twenty thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981. We represent that pursuant to art. 166, paragraph 8 of the Code, the right remains for the violator to settle the dispute through the payment - always according to the methods indicated in the annex - of an amount equal to half of the sanction imposed within the deadline referred to in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1 September 2011 provided for the filing of the appeal as indicated below. HAS pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of regulation no. 1/2019. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 7 March 2024 PRESIDENT Stantion THE SPEAKER Zest THE GENERAL SECRETARY Mattei SEE ALSO Newsletter of 3 May 2024 [doc. web no. 10007853] Provision of 7 March 2024 Register of measures n. 137 of 7 March 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter “Code”) as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; GIVEN the complaint presented by Mrs. XX, pursuant to art. 77 of the Regulation, with which a violation of the regulations regarding the protection of personal data by Banca di Credito Cooperativo Appulo Lucana soc was complained of. cooperative (formerly Banca di Credito Cooperativa di Spinazzola); GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000; SPEAKER the lawyer. Guido Scorza; PREMISE 1. The preliminary investigation. With the complaint presented to this Authority on 12/19/2020, regularized on 11/10/2021, Ms. XX represented that she had formulated a request to exercise her rights, pursuant to art. 15 of the Regulation, against the Banca di Credito Cooperativa di Spinazzola (now Banca di Credito Cooperativo Appulo Lucana cooperative company following the merger, hereinafter "the Bank"), of which she had been an employee, and of having received a non-compliant response suitable. The request, in particular, was aimed at obtaining "access to the personal data contained in one's personal file, a copy of the same and in particular to the data contained in the disciplinary proceedings file (...) to know, in a precise and timely manner, all information concerning you (evaluative and non-evaluative data) concerning the facts and behaviors (...) resulting in the disciplinary sanction imposed by the Bank" (request dated 07/10/2020). The complainant complained that the feedback provided by the Bank, dated 03/11/2020, was not suitable, as it consisted of a "communication and list, which was not complete, only of the correspondence between the parties relating to the aforementioned disciplinary proceedings" lacking of the further information on the basis of which the disciplinary sanction had been imposed on her. In relation to the complaint, the Office invited the Bank to provide observations on what was represented, to clarify whether all the data contained in the complainant's personal file, and in particular the documents relating to the disciplinary proceedings, had already been communicated at the time and, if not, to provide a copy (note dated 04/29/2022). With communication dated 17/05/2022, the Bank represented, preliminarily, that it had given immediate response to the request to exercise the rights formulated by the complainant "by providing a large body of information relating to the processing of her personal data, through documentation referring to the disciplinary proceedings against you", believing, in this way, to have allowed you to know the reasons behind the proceedings and the assessments carried out. With the same note, the Bank sent further documentation, referring to the disciplinary proceedings, "in which those personal data not referring to your person were made appropriately illegible, pursuant to art. 15, paragraph 4, of the GDPR". 2. The initiation of the proceedings. Having examined the documents received, the Office proceeded to notify the Bank of the initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles. 12, par. 3 and 4, and 15 of the Regulations (note dated 07/09/2022). The Bank, on 06/10/2022, sent its defense writings, pursuant to art. 18 of law no. 689/1981, with which he reiterated, preliminarily, his conviction regarding the exhaustive and timely response to the complainant's request. In fact, the Bank argued that: - "the documentation provided (...) in response to the first request made on 09.10.2020 allowed, (...), to ‹‹know all the information concerning her regarding the facts and behaviors deemed irregular which resulted in the disciplinary sanction›› in relation to the facts underlying the disciplinary proceedings, the assessments carried out, the underlying reasons that led to the dismissal"; - "the complainant, ultimately, complained about the fact that nothing was attached by the credit institution regarding the correspondence exchanged with (omissis), i.e. regarding an object very different from that relating to the original request"; - "the disclosure, initially refused by this Bank, of the correspondence between the Bank and (omissis) could have harmed not only the confidentiality of the latter, but also its rights in court (...)"; - "at the same time, it must be highlighted that the corresponding right of defense in the disciplinary proceedings against the (complainant) finds no reason to be protected through access to information" having intervened at a time in which the disciplinary proceedings could no longer be contested; - "from the above, derives the natural, reasonable and full conviction of having complied exactly with the request and therefore in compliance with current legislation (...). It can be seen that the undersigned Bank believes it has acted correctly and consistently, also with respect to its decision not to provide the further communication referred to in par. 4, of the art. 12 of the Regulation, the omission of which is also contested here and which instead, (...) cannot be invoked. This is because the rule (which provides for the obligation to communicate the reasons for the lack of response and the timely notice on the available protections) takes on a supplementary operational role subject to the failure to respond within the deadlines established by the art. 12, par. 3, of the Regulation"; From another perspective, the Bank observed that: - “the right of access should concern personal data as well as the information provided for by par. 1 of the art. 15 and, at least as a rule, not the documents that contain them, nor the documents containing information relating to events and third parties and can (rectius must) be limited to protect the rights and freedoms of others, such as the right of defense of bank responsible for the processing"; - "on this occasion, it seems possible to note that the general right of access pursuant to art. 15 of the GDPR cannot be used by the worker to obtain a benefit that he cannot request based on the relevant sector regulations, such as labor law (...)". Finally, the Bank communicated, on 01/24/2024, that it was waiving the hearing initially requested "deeming there to be no further elements and arguments to bring to attention, in addition to what was already set out in the defense briefs". 3. The outcome of the investigation. Upon examination of the documentation produced and the declarations made by the party during the proceedings, given that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the Bank, in response to the request to exercise the rights formulated by the complainant on 07/10/2020, provided partial feedback and, only following the start of the investigation by the Authority, delivered the further documentation contained in the complainant's personal file. Preliminarily, it is highlighted that the Banca di Credito Cooperativa di Spinazzola, under which the complainant worked and against which the request to exercise the rights pursuant to art. 15 of the Regulation, was canceled following the merger, through incorporation, into Banca di Credito Cooperativo Appulo Lucana soc. cooperative on 06/05/2022 and that, therefore, on the basis of the provisions of the art. 2504-bis of the Civil Code and of the "Provisions regarding mergers and demergers between companies" adopted by the Authority on 04/08/2009 (available on the website doc. no. 1609999), this provision is adopted with respect to the incorporating company that takes over in the active and passive relationships of the incorporated company. Having said this, with reference to the arguments put forward by the Bank in the defense briefs referred to above, it is clear that the Authority, having examined the complaint and the requests underlying it, invited the Bank to clarify whether further data and information relating to the complainant (referring in particular to the disciplinary proceedings initiated against him) that had not already been delivered, inviting him, if necessary, to do so (note dated 04/29/2022). In response to the invitation to join, the Bank proceeded to send additional documentation, consisting of the correspondence between the Bank itself and a third party and which, on the basis of what emerged from the investigation carried out as well as the declarations of the Bank itself, constituted an integral part of the documents underlying the disciplinary proceedings (see, in this regard, the Bank's response dated 17/05/2022 in which it declared: "the following supplementary documentation relating to the disciplinary proceedings against you is attached (...)"). In particular, it concerned the correspondence maintained by the Bank with a third party who complained about the illicit communication of confidential information of an account holder (the complainant's brother) and used by the complainant in the context of judicial proceedings. The Bank, in the feedback notes to this Authority, justified the initial failure to show this documentation due to the implications that would have arisen for the right of defense and the protection of third party confidentiality. However, it does not appear that these reasons were made known to the complainant, who was only omitted the additional documentation and reported "the lack of interest in access both because the employment relationship ended way back in 2014 and because the disciplinary sanction issued (...) was not challenged within the deadlines" (see note dated 03/11/2020 in response to the request for access). In light of the above, the Bank's conduct was deemed not to comply with the provisions of the art. 12, par. 4 of the Regulation, having failed to disclose the reasons for the failure to deliver the additional documentation, despite having been the subject of a specific request. However, as regards the needs underlying the access request made by the complainant, some observations need to be made. In general, it is noted that the right of access has the purpose of allowing the interested party to have control over the personal data concerning him and, in particular, to "be aware of the processing and verify its lawfulness" (see Cons. 63); however, this does not mean that this right must be denied or limited when the basis of the request is the pursuit of a different objective. In fact, from reading the combined provisions of the articles. 12 and 15 of the Regulation there is no need for interested parties to indicate a reason or a particular need to justify their requests to exercise their rights, nor is the data controller recognized the possibility of asking for the reasons for the request. This interpretation was also clarified by the EBDP through the approval of the Guidelines on the right of access (see, in particular, point 2.1 which states that "data controllers should not evaluate "why" the interested party requests access, but only "what" the data subject requests (see section 3 on analysis of the request) and whether they hold personal data relating to that person (see section 4). Therefore, for example, the data controller does not should deny access for reasons or suspicion that the requested data could be used by the interested party to defend himself in court in the event of dismissal or commercial dispute with the data controller) and is the result of a constant jurisprudential orientation of the Court of Justice (see, most recently, sentence C307/22). Therefore, given that the complainant's request to access all the data and information forming part of her personal file and underlying the disciplinary proceedings concerning her is lawful, it is noted that her evasion could not be subordinated to the occurrence of certain conditions or to the pursuit of particular objectives, among other things not foreseen by the legislator. The ruling of the Civil Court of Cassation, referred to by the party in its defense briefs, according to which the employer is not obliged to make the company documentation relating to the facts underlying a disciplinary proceeding available to the worker, concerns a different and not comparable situation with the one under consideration. This ruling, in fact, refers to the particular situation in which the request is made by the worker as part of the disciplinary procedure referred to in the art. 7 of law no. 300/1970. Differently, the relevant jurisprudence has on several occasions reiterated that the right of access derives, in addition to the legislation on the protection of personal data, from "respect for the canons of good faith and correctness incumbent on the parties to the employment relationship pursuant to of the articles 1175 and 1375 of the Civil Code, as is confirmed by the fact that, for some time, the collective bargaining of the sector in question provides that the employing company must keep, in a specific personal file, all the deeds and documents produced by the entity or by the employee himself, which relate to the professional career, the activity carried out and the most significant facts concerning him and that the employee has the right to freely view the deeds and documents included in his personal file" (Court of Cassation 7 April 2016, n. 6775). Consistent with this approach, the Authority, in its provisions, has often called on data controllers to respond to requests from interested parties in relation to requests relating to the employment relationship and, therefore, relating to data and information contained in the personal file , even when it concerns information underlying disciplinary proceedings (most recently see provision no. 290 of 07/06/2023, web doc. no. 9927300). Lastly, with reference to the format in which the data must be made available instantly and, that is, whether it is sufficient to provide the data and not also the documents in which they are present, it must be observed that, pursuant to art. 12, of the Regulation “The data controller adopts appropriate measures to provide the interested party with all the information referred to in articles 13 and 14 and the communications referred to in articles 15 to 22 relating to the processing in a concise, transparent, intelligible and easily accessible form. accessible, with simple and clear language". This rule, correctly interpreted, attributes to the data controller, within the scope of the principle of accountability, the task of identifying the most complete and satisfactory form with which to verify access requests, in compliance with the provisions of the art. 12 mentioned above. Even in this case, it is worth remembering the clarifications made by the EBDP in the Guidelines on the right of access where, with respect to this particular issue, it is specified that "The obligation to provide a copy should not be understood as an additional right of the interested party, but as a method of accessing data" and which, therefore, "does not aim to broaden the scope of the right of access: it refers (only) to a copy of the personal data being processed, not necessarily to a reproduction of the original documents" ( see section 2, point 23, of the Guidelines). So, “doing some sort of data compilation and/or extraction to make the information easy to understand could, in some cases, be a way to meet these requirements. In other cases the information is better understood by providing a copy of the actual document containing the personal data. Therefore, the most suitable form must be decided on a case-by-case basis” (see point 153 of the Guidelines). With respect to the case in question, it is observed that the delivery of the documentation containing the personal data of the complainant underlying the disciplinary proceedings constituted the only suitable method to allow access according to the aforementioned principles of correctness and transparency. 4. Conclusions: illegality of the treatments carried out. In light of the previous assessments, it is noted that the declarations made by the data controller in the defense writings ˗ the truthfulness of which can be called upon to respond pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the proceedings and are insufficient to allow them to be archived, as, moreover, none of the cases provided for by the art. 11 of the Guarantor's regulation no. 1/2019, concerning the internal procedures of the Authority with external relevance. For the above reasons, therefore, the complaint presented pursuant to art. is declared founded. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2 of the Regulation provides for the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation. 5. Order of injunction. The Guarantor, pursuant to art. 58, par. 2, letter. i) of the Regulation and of the art. 166 of the Code, has the power to inflict a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data relating to the complainant, whose illegality has been ascertained, within the terms set out above. With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (art. 83, par. 1 of the Regulation), it is represented that, in the specific case, the circumstances reported below were taken into consideration: - with regard to the nature, gravity and duration of the violation, the nature of the violation which concerned the provisions relating to the exercise of the rights of the interested parties was considered relevant; - the absence of previous relevant violations committed by the data controller; - the circumstance that the owner provided feedback to the complainant's request during the proceedings. In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, par. 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2022. On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 20,000.00 (twenty thousand) euros for the violation of the articles. 12, par. 3 and 4, and 15 of the Regulation. In this framework, also in consideration of the type of violation ascertained, which affected the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website. Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THE WHEREAS, THE GUARANTOR declares, pursuant to articles. 57, par. 1, letter. f) and 83 of the Regulation, the illegality of the processing carried out, within the terms set out in the motivation, for the violation of the articles. 12, par. 3. and 4, and 15 of the Regulations; ORDER to Appulo Lucana Cooperative Credit Bank, in the person of the pro-tempore legal representative, with registered office in Spinazzola (BT), Corso Umberto I n. 65, P.I. 00256810722, pursuant to art. 58, par. 2, letter. i), of the Regulation, to pay the sum of 20,000.00 (twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; ORDERS to the same Company to pay the sum of 20,000.00 (twenty thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981. We represent that pursuant to art. 166, paragraph 8 of the Code, the right remains for the violator to settle the dispute through the payment - always according to the methods indicated in the annex - of an amount equal to half of the sanction imposed within the deadline referred to in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1 September 2011 provided for the filing of the appeal as indicated below. HAS pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of regulation no. 1/2019. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 7 March 2024 PRESIDENT Stantion THE SPEAKER Zest THE GENERAL SECRETARY Mattei