Garante per la protezione dei dati personali (Italy) - 10018813
Garante per la protezione dei dati personali - 10018813 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 12 GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 12.05.2022 |
Decided: | 24.04.2024 |
Published: | |
Fine: | 30,000 EUR |
Parties: | Gestore Dei Servizi Energeticic – Gse S.p.A. |
National Case Number/Name: | 10018813 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante (in IT) |
Initial Contributor: | im |
The DPA imposed a €30,000 fine on an energy service company for not sending a former employee his personal performance evaluation. The company mistakenly believed the request should have been directed to its DPO mailbox rather than HR.
English Summary
Facts
A data subject lodged a complaint with the DPA against Gestore Dei Servizi Energetici – Gse S.p.A. (‘controller’), his former employer. The data subject made an access request to his personal performance evaluation from 2019 and 2020. On 27 October 2021, the data subject sent an e-mail to the company’s general e-mail address and also CCd a director of the human resources. As the controller did not respond, on 6 December 2021, the data subject sent a reminder.
On 28 March 2022, the data subject sent the same request to the DPO designated by the controller. In its response on 21 April 2022, the DPO stated that the competent Human Resources (‘HR’) functions of the controller took charge of his request for access and will provide the data subject with the information requested. After a further period of time had elapsed without a response to the request, on 12 May 2022, the data subject asked the DPA to order the controller to comply with the request.
The controller argued that the first two e-mails sent by the data subject did not go through their officially certified mailbox of the DPO which is set up for this purpose. Additionally they noted that the data requested was already known to the data subject, given that he became aware of it during his feedback interview.
On 19 September 2022, the HR department provided the data subject with the requested information.
Holding
The DPA established that the controller failed to timely provide the data subject with a copy of his personal performance evaluation file despite his several attempts to access the information. In fact, the controller forwarded the documents to the data subject only after learning that the data subject lodged a formal complaint and with a considerable delay in breach of obligations prescribed in Article 12 and 15 GDPR.
The DPA rejected the controller’s defence statement that the initial access requests were not sent to the DPO's official mailbox set up for this purpose. The controller cannot be absolved from liability because a) the data subject was not informed that the access requests should have been channelled to the DPO’s address and b) the access request was finally complied with on 19 September 2022 by the HR Department – the addressee of the initial access requests. Therefore, it appears that the competent person in relation to this type of request is the Head of HR department.
Regarding the controller’s argument that the data subject was already informed of his performance during the feedback interview, the DPA stated that access requested may well be submitted also in relation to data already in the possession of the data subject or already known to him.
In fact, Article 15 GDPR does not provide for any limitation as to the information relating to the data subject that may be accessed. The GDPR expressly provides for the possibility for the data subject to submit more than one request for access, unless the requests become excessive or repetitive in nature.
For the violations of Article 12 and 15 GDPR, the DPA imposed a fine to the controller in the amount of €30,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 10018813] Provision of 24 April 2024 Register of measures n. 245 of 24 April 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”); HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, n. 101, hereinafter “Code”); GIVEN the complaint presented pursuant to art. 77 of the Regulation by Mr. XX towards Gestore Dei Servizi Energetici - Gse S.p.A.; EXAMINED the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000; SPEAKER the lawyer. Guido Scorza; PREMISE 1. The complaint against the Company and the investigative activity. With a complaint dated 12 May 2022, Mr. XX complained about alleged violations of the Regulation by the Gestore Dei Servizi Energetici - Gse S.p.A. (hereinafter, the Company), with reference to the failure to respond to the exercise of the interested party's right of access to their personal data processed by the company in the context of the employment relationship, no longer existing at the time of the request, and in particular at “personal performance evaluation file relating to the years 2019 and 2020”. In particular, the complainant complained that, following the exercise of the right of access initially by communication via certified email, dated 10/27/2021, addressed to gsespa@pec.gse.it and in copy to the inbox and - company email from the director of the human resources function, and subsequently through the reminder of the request already submitted, sent on 6/12/2021, the Company did not provide any feedback. On 03/28/2022, again by certified email, the complainant sent the same access request to the Personal Data Protection Officer designated by the Company (at the address rdp@pec.gse.it). With a response dated 4/21/2022, the Data Protection Officer provided interlocutory feedback, representing that "the competent HR functions of the GSE have taken charge of the request for access to the documents and will provide specific feedback from a mailbox of the same Function". After a further period of time had elapsed, without a response to the request having been received, the complainant asked the Authority to order the data controller to satisfy the request to exercise the rights. The Company, in providing feedback to an invitation to comply with the interested party's requests sent by the Authority on 6 September 2023, with a note dated 2 October 2023 declared that: to. "following the termination of the [complainant's] employment relationship on 20 June 2021, GSE received a request from the latter for access to its performance evaluation files relating to the services carried out in the years 2019 and 2020"; b. "the request for access to the documents [...], sent at the time directly to the competent offices, was then renewed, on 28 March 2022, [...] by communication to the appropriate email address RPD@gse.it [...] reserved for the specific requests of interested parties"; c. "having therefore verified, also with the support of the undersigned Office, the legitimacy of the applicant to receive the performance evaluation documentation, the same confirmed to the interested party, with email dated 21 April 2022, the acceptance and subsequent transmission of what was requested by the Human Resources Department”; d. "due to a mere IT mix-up, the transmission by the aforementioned Directorate of the requested files [...] however took place via certified email with a positive outcome on 19 September 2022"; And. “in the meantime, on 12 May of the same year 2022, the [complainant] had already submitted a complaint to this Authority without informing it about the positive conclusion of the access [...] a circumstance which would have avoided the subsequent opening of the verification procedure of the art. 15 of regulation 1/2019". 2. The initiation of the procedure for the adoption of corrective measures and the company's deductions. On 8 November 2023, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to the articles. 12 and 15 of the Regulation. With defense briefs sent on 4 December 2023, the Company declared that: to. the complainant "exercised his right of access for the first time towards the Human Resources Department of the GSE on 27 October 2021 [and subsequently on] 6 December 2021" (note 4/12/2023, p. 2); b. "the two requests did not pass through either the email inbox or the PEC of the GSE DPO, established for this purpose for this type of request" (cited note, p. 2); c. on 28 March 2022, "via certified email, the complainant instead sent the same access request to the DPO for the first time who, promptly and well within the deadlines set by the art. 12 of the Regulation, promptly activated the competent offices of the Company, holders of the documentation of interest to the complainant" (cit. note, p. 2); d. "in fact [...] the documentation was sent by the Human Resources Management on 19 September 2022, as there was no awareness in GSE that [the complainant] had in the meantime [...] submitted a complaint" to the Guarantor (note cit., p. 2 ); And. the information contained in the "personal performance evaluation file for 2019 and 2020 [...] was already known to the employee", considering that the same "as part of the [feedback] interview, becomes aware of the evaluations of his/her manager" (note cit., p. 3); f. the Company carried out training sessions on data protection aimed at employees and in July 2023 adopted an "Internal communication plan to continuously raise awareness/train the company population on GDPR issues" (note cit., p. 6 ); g. "it is deemed necessary to exclude [...] any malicious nature relating to the delay in the response, as well as any negligent behavior of the data controller in the case in question, placing the GSE [...] the utmost attention to the protection of data and the rights of its subjects interested parties” (note cit., p. 6). In this regard, it is noted that, although among the tasks of the Data Protection Officer there are those of providing advice to the owner and acting as a contact point for the Supervisory Authority (art. 39 of the Regulation), it appears inappropriate for him to represent directly to the data controller or data controller in proceedings before the Guarantor for the adoption of corrective and sanctioning measures referred to in the articles. 58, par. 2 and 83 of the Regulation, by signing the defense briefs or receiving the power of attorney to represent him in personal hearings, considering the need to maintain an adequate separation between, on the one hand, the obligations of the data controller/processor and, on the other , the obligations and duties of the data protection officer as established by the Regulation. 3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures. 3.1. Outcome of the investigation. Violation of articles 12 and 15 of the Regulation. Upon examination of the declarations made to the Authority during the proceedings as well as the documentation acquired, it appears that the Company, as owner, has carried out some processing operations, referring to the complainant, which are not compliant with the relevant regulations of protection of personal data. In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor". On the merits, it emerged that the Company did not provide a response to the request to exercise the right of access to some personal data processed in the context of the employment relationship (no longer in existence as of 20/6/2021), presented by complainant on 27/10/2021 to the Company's certified e-mail address and to the email address of the Human Resources director. The request, requested on 6/12/2021 via Pec and Peo against the same recipients of the first request and the pro-tempore CEO of the Company, had as its object "having regard to the Privacy legislation regarding personal data [... ] copy of the personal performance evaluation file relating to the years 2019 and 2020" (see Attachment 1 to the complaint). On 3/28/2022, having not received any response, the complainant sent a further request to the Company's Data Protection Officer with the same content as the previous ones (Annex 3 to the complaint), recalling the two requests which remained unanswered and sending a "formal complaint to the Privacy Guarantor to complain about the violation". To this request, on 21/4/2022, a merely interlocutory response was provided by the office of the Data Protection Officer ("the competent HR functions of the GSE have taken charge of the request for access to the documents and the will provide appropriate feedback from a mailbox of the same function"). On 14 September 2022, with a note sent again to the Company's Data Protection Officer, the interested party represented that he had sent a "formal request [to the Guarantor] for the violation", having not received a response on the merits, a few days after " taking charge" of your request (see Attachment 4 defense briefs 4/12/2023). Only after receiving this further communication, on 19 September 2022 did the Company provide the complainant with the requested information (Annex 2, defense briefs cited). Based on the art. 15 of the Regulation “The interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, in this case, to obtain access to the personal data”. As for the methods with which the owner must provide feedback to the interested party, the same article specifies that "The data controller provides a copy of the personal data being processed". Furthermore, the art. 12 clarifies that the response to requests to exercise the rights provided for by the Regulation (including that of access) must be provided "without unjustified delay and, in any case, at the latest within one month of receipt of the request itself. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests. The data controller informs the interested party of this extension, and of the reasons for the delay, within one month of receiving the request. […]. If the data controller does not comply with the data subject's request, he/she will inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and to lodge a judicial appeal". In light of the aforementioned provisions, the Company, therefore, failed to provide the interested party, as a former employee, with the response to the multiple requests to obtain a copy of the personal performance evaluation file relating to the years 2019 and 2020, and sent the information only after learning that the complainant had submitted a complaint to the Supervisory Authority, albeit before the initiation of proceedings by the latter, approximately eleven months after the first request, in violation of articles 12 and 15 of the Regulation . This, despite the fact that the object of the request was specific and expressly defined within the scope of the provisions of the "Privacy legislation regarding personal data". The art. 15, then, in paragraph 3, provides that "the data controller provides a copy of the personal data being processed", without prejudice to the non-overlapability between access to personal data and access to documents containing the data. The fact that the request dated 27/10/2021 and the reminder dated 6/12/2021 were not sent to the Company "to the email inbox, nor to the PEC of the GSE DPO, established for this purpose this type of request" (see defense briefs, p. 2) cannot eliminate the Company's liability both because there is no evidence in the documents that the complainant had been informed that the access requests had to be forwarded to the Data Protection Officer, and because the feedback of 19 September 2022 was provided by the recipient of the first two access requests (the Company's Human Resources manager), who therefore appears to be the competent person in relation to this type of requests. Finally, it is represented on the point that the Guidelines 01/2022 on data subject rights - Right of access, EDPB, of 28 March 2023, have clarified that the owner cannot request a specific format for requests to exercise the right of access nor, in in principle, specific requirements that data subjects must observe when choosing a communication channel through which they come into contact with the data controller (see point 52). The motivation provided by the Company during the proceedings before the Authority to explain the failure to respond to the interested party's requests (i.e. the existence of "a mere IT mix-up", without however indicating, in concrete terms, the specific elements that would have determined the "mistake"), is not suitable to eliminate the obligation placed on the data controller to respond to requests for the exercise of rights, preparing also organizational measures aimed at facilitating their presentation (see art. 12, par. 2 of the Regulation). With regard, then, to the content of the request presented by the complainant, it is noted that the request for access to personal data can also be presented in relation to data already available to the interested party or already delivered to them or in any case known by the interested party . The art. 15 of the Regulation does not provide for any limitation regarding the information relating to the interested party that can be accessed and the same Regulation, moreover, expressly provides for the possibility that the interested party presents multiple access requests (except for the possibility for the data controller , in the case of "excessive" requests, in particular due to their repetitive nature, to charge a reasonable contribution; art. 12, par. 5, of the Regulation; on the interpretation of the provisions of the Regulation referred to herein, see, in accordance with cited Guidelines 01/2022 on data subject rights - Right of access). This reconstruction is confirmed by the jurisprudence of legitimacy, according to which the right of access to one's personal data, even within the context of the employment relationship, "cannot be understood, in a restrictive sense, as the mere right to knowledge of any new and further than those already included in the heritage of knowledge and, therefore, in the disposition of the same interested party to the processing of his/her own data, given that the purpose of the regulation [which attributes the relevant right] is to guarantee, to protect the dignity and confidentiality of the subject interested party, the verification ratione temporis of the insertion, permanence or removal of data, regardless of the fact that such events had already been brought to the attention of the interested party in another way" (see Court of Cassation 14/12/2018 , no. 32533). The Company, therefore, in the terms described above, has not complied with the obligation to provide feedback to the interested party following the exercise of the rights provided for by the Regulation - in this case the right of access pursuant to art. 15 -, within the terms and in the manner prescribed by the art. 12 of the Regulation. 4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulations. For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the dismissal of this proceeding, as none of the cases provided for in the art. 11 of the Guarantor Regulation n. 1/2019. The processing of personal data carried out by the Company and in particular the failure to respond to requests for access to personal data presented by the complainant within the terms established by the law, is in fact illicit, within the terms set out above, in relation to the articles. 12 and 15 of the Regulation. The violation ascertained within the terms set out in the motivation cannot be considered "minor", taking into account the nature of the violation which concerned the exercise of the rights of the interested party, the gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation). The Authority also took into account the average level of severity of the violation in light of all the factors relevant in the specific case, and in particular the nature, severity and duration of the violation, taking into account the nature, object or purpose of the processing in question as well as the number of data subjects affected by the damage and the level of damage suffered by them. The Authority also took into consideration the criteria relating to the intentional or negligent nature of the violation and the categories of personal data affected by the violation as well as the way in which the supervisory authority became aware of the violation (see art. 83, par. 2 and Recital 148 of the Regulation). Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, a pecuniary administrative sanction is imposed pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation). 5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (art. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code). At the end of the proceedings it appears that Gestore Dei Servizi Energetici - Gse S.p.A. has violated the articles. 12 and 15 of the Regulation. For violations of the aforementioned provisions, the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, letter. b) of the Regulation, through the adoption of an injunction order (art. 18, l. 24.11.1981, n. 689). Considered necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5. With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is stated that , in this case, the following circumstances were considered: a) in relation to the nature of the violation, this concerned cases punished more severely pursuant to art. 83, par. 5 of the Regulation (rights of interested parties); in relation to the seriousness of the violation, the nature of the processing which concerned the exercise of the right of access to one's personal data was taken into consideration; with regard to the duration of the violation, the extended duration of the violation itself (approximately one year) was considered relevant; b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the negligent conduct of the Company and the degree of responsibility of the same which did not comply with the regulations on data protection in relation to a plurality of provisions; c) in favor of the Company, the cooperation with the Supervisory Authority was taken into account, the sending, albeit late, of the response to the request for access after having learned of the submission of a complaint to the Guarantor but before the initiation of proceedings to be part of the latter and the circumstance that the violation ascertained concerned only the complainant. It is also believed that they assume relevance in the specific case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must comply with in determining the amount of the sanction (art. 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2022. Lastly, the extent of the sanctions imposed in similar cases is taken into account. In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply against Gestore Dei Servizi Energetici - Gse S.p.A. the administrative sanction of payment of a sum equal to 30,000 (thirty thousand) euros. In this context, it is also believed, in consideration of the type of violations ascertained which concerned the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website. It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019. ALL THE WHEREAS, THE GUARANTOR notes the illicit nature of the processing carried out by Gestore Dei Servizi Energetici - Gse S.p.A., in the person of its legal representative, with registered office in Viale Maresciallo Pilsudsky, 92, Rome, C.F. 05754381001, pursuant to art. 143 of the Code, for the violation of articles. 12, 15 and 17 of the Regulation; ORDER pursuant to art. 58, par. 2, letter. i) of the Regulation to Gestore Dei Servizi Energetici - Gse S.p.A., to pay the sum of 30,000 (thirty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; ORDERS therefore to the same Company to pay the aforementioned sum of 30,000 (thirty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981. Please note that the violator remains entitled to settle the dispute by paying - always according to the methods indicated in the annex - an amount equal to half of the sanction imposed, within the deadline set out in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code); HAS the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/20129, and believes that the conditions set out in the art. 17 of Regulation no. 1/2019. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 24 April 2024 PRESIDENT Stantion THE SPEAKER Zest THE GENERAL SECRETARY Mattei