Garante per la protezione dei dati personali (Italy) - 10021452

From GDPRhub
Garante per la protezione dei dati personali - 10021452
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(1) GDPR
Article 12(4) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 07.07.2022
Decided: 24.04.2024
Published:
Fine: 10,000 EUR
Parties: C.I.EL. S.p.A.
National Case Number/Name: 10021452
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The Italian DPA fined a company €10,000 after it failed to respond to an access request made by a former employee. Even if the controller was not storing the information anymore, it would have needed to provide the data subject with the specific reasons for not taking action

English Summary

Facts

On 7 July 2022, the data subject filed a complaint with the Italian DPA against his former employer. During his job, the data subject took part to some safety courses. At the end of them, a certificate was issued. After terminating his job, the data subject filed an access request with the controller. He intended to have a copy of his personal data, included those certificates.

The controller only partially replied to his request. It sent to the data subject a copy of the medical certificate issued by the occupational physician, but not the other certificates he had been awarded. On 7 June 2022, the controller argued that, after the termination of the employment contract, it had deleted them, as it was no more obliged to keep them and as they contained sensitive data.

However, on 28 June 2022, the controller differently told the data subject that it actually still had the certificates, but it will delete them since he was no more an employee of that company.

Holding

Firstly, the DPA pointed out that the information contained in the safety certificates falls into the definition of personal data as per Article 4(1) GDPR.

Secondly, the DPA found that the controller had not promptly and completely answered the data subject’s access request. The controller failed in sending the data subject a copy of his certificates.

The DPA specified that, even if the controller was not storing the certificates anymore, it would have needed to provide the data subject with the specific reasons for not taking action and inform him of the possibility to lodge a complaint with the supervisory authority or to seek a judicial remedy, as provided for by Article 12(4) GDPR.

Therefore, the DPA found a violation of Article 12 GDPR in combination with Article 15 GDPR and issued a fine of €10,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10021452]
Provision of 24 April 2024
Register of measures
n. 246 of 24 April 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, n. 101, hereinafter “Code”);
GIVEN the complaint presented pursuant to art. 77 of the Regulation by Mr. XX towards C.I.EL. S.p.A.;
EXAMINED the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;
SPEAKER Prof. Pasquale Stanzione;
PREMISE
1. The complaint against the company and the investigative activity.
On 7 July 2022 it was presented by Mr. XX, before the Authority a complaint against C.I.EL. S.p.A. (hereinafter, the Company), for which the complainant carried out work following a temporary contract with Life in S.p.A., with which alleged violations of the Regulation were complained regarding the exercise of the right of access to certificates of training.
On 28 November 2022, an invitation to join the Company was sent by the Office which, on 12 December 2022, sent its response. With the same, the Company asked "LOXAM ACCESS S.r.l., as the entity that provided this training activity and issued the related certificates, to transmit with the utmost urgency to the [complainant] said documentation requested by the same (and referable to the same) ”.
No other subsequent feedback was sent by the Company in this regard.
On 20 December 2022, the complainant communicated to the Department that: "The Loxam company provided only one in-person course, the one carried out in Chieti, concerning: operators operating elevating platforms. For this course, in my opinion, in addition to the certificate that was received, the license should also have been issued. In fact, the teacher from the Loxam company took a photo on a white background which he said would have gone on the license itself. To date, however, the certificates for the courses have not been received: - course on general safety (remote), held by the engineer. […]  safety manager of Ciel SPA; - course on cat III PPE by the 'SIAPAe-Learning' company on 03/23/22”.
On 20 March 2023, the Department sent a request for information pursuant to art. 157 of the Code and on 18 April 2023 the Company, also sending the feedback to the complainant for information, declared that:
- “on 7 July 2022 an email was received from [the complainant]; he asked to send him the certificates of the training courses he attended as well as the certificates relating to the medical examinations. The Company, being obliged by law to maintain them, immediately sent the medical certifications. On the contrary, the certificates were not in possession as, following the termination of the relationship, therefore believing that the Company was no longer obliged to hold them as they contained sensitive data, they were deleted from the archive" (see note 18/4 /2023, cit., p.1);
- "the company received a certified email from the Privacy Guarantor on 28 November 2022; a copy of the certificates was required to be sent. To respond to the request, C.I.EL. S.p.A. invited the companies that deal with training, in the name and on behalf of the same, to send the employee the certificates" (see note cit., p. 1);
- “to the best of our knowledge, the company Loxam Access s.r.l. (holder of the "Instructor in the use of the Mobile Elevating Platform" course) promptly sent the certificate" (see note cit., p. 1);
- "the SIAPA company, with a note dated 03/21/2023, responding to the request of the undersigned dated 01/16/2023, sent the "master" of the training course held in remote agile mode to the Engineer. [of the Company], which sent it to the interested party on 30/03/2023" (see note cit., p. 1);
- "as regards, however, the PPE 3 Cat. course, the SIAPA company informed, with PEC dated 03/21/2023, that there was no certificate in favor of the employee; moreover, in confirmation of this, the C.I.EL. S.p.A. decided not to send the employee in question to this course as he already holds a valid certificate" (see note cit., p. 1);
- "we also inform you that today a copy of the license requested by the same with PEC [...] dated [2]0/03/2023 will be sent to the employee" (see note cit., p. 1).
On 19 July 2023, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, in relation to the articles. 12 with reference to art. 15 of the Regulation.
Following the aforementioned notification, no written defense was presented by the Company.
2. The outcome of the investigation.
2.1. Established facts and observations on the legislation regarding the protection of personal data.
Given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", based on the elements acquired during the preliminary investigation (referred to in the previous paragraph 1) as well as the subsequent evaluations of this Department, it is established that the Company, as owner, has engaged in conduct that does not comply with data protection regulations with particular reference to the exercise of the right of access, by not providing adequate feedback to the request presented by the complainant .
In this regard, the art. 4 (1) of the Regulation defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of his physical identity, physiological, genetic, psychological, economic, cultural or social".
The art. 12 of the Regulation, to be read also in conjunction with the rules relating to the specific rights recognized by the law to the interested party, provides that "the data controller adopts appropriate measures to provide the interested party with all the information referred to in articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, in simple and clear language […]. The information is provided in writing or by other means, including, where appropriate, by electronic means. If requested by the interested party, the information may be provided orally, provided that the identity of the interested party is proven by other means” (para. 1).
It is also provided that "the data controller facilitates the exercise of the rights of the interested party pursuant to articles 15 to 22" (para. 2).
Paragraph 3 of the same article specifies that "the data controller provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests. The data controller informs the interested party of this extension, and of the reasons for the delay, within one month of receiving the request. If the interested party submits the request by electronic means, the information is provided, where possible, by electronic means, unless otherwise indicated by the interested party".
According to paragraph 4 of the same article, the data controller, if he does not comply with the request, "informs the interested party without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodge a complaint with a supervisory authority and lodge a judicial appeal".
The art. 15 of the Regulation provides that "the interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, in this case, to obtain access to the personal data" and to a series of information indicated in the same article (par. 1).
Furthermore, based on par. 3 of the same article, “the data controller provides a copy of the personal data being processed. […] If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in an electronic and commonly used format” (para. 3).
2.2. Violations confirmed.
On the merits, from the preliminary investigation documents it is noted that the Company did not adequately respond to the request for access pursuant to art. 15 of the Regulation presented by the complainant regarding the "certificates of training courses carried out during the working period" with the Company.
In particular, based on what was declared by the Company, the same, following a request for access to the data dated 7 June 2022 by the complainant aimed at obtaining a copy of the certificates of the training courses attended as well as the certificates relating to the medical visits, would have "immediately sent the medical certifications. On the contrary, the certificates were not in possession as, following the termination of the relationship, therefore believing that the Company was no longer obliged to hold them as they contained sensitive data, they were deleted" (see response dated 18.4.2023).
Based on the documentation in the documents, it emerged that the complainant, on 16 June 2022, sent the request for access to a contact person of the Company, copying the contact person of Life in S.p.A.
On 28 June 2022, the Company, through its prevention and protection service employee, after being requested by Life in S.p.A., provided its response to the complainant: on this occasion it sent, based on what was declared, the relevant documentation the medical suitability of the complainant.
With reference to the training certificates, however, on that occasion it was declared that "I am not authorized to send them to you but instead I will proceed to cancel them given that you are no longer employed by the company and given that for Privacy reasons I cannot keep them in my Personal Computer".
Following this feedback, again on 28 June 2022, the complainant again requested the delivery of the requested training certificates, making, among other things, express reference to art. 15 of the Regulation.
Having said this, it appears that the Company did not provide adequate feedback to the complainant following the request for access presented by the same: with the response of 28 June 2022, in fact, the Company, through its prevention and protection service employee, informed the complainant that he would proceed with the cancellation of the training certificates relating to the same given that "he was no longer employed by the company".
Thereby confirming that he was in possession of the aforementioned certificates at the time of the request and, in any case, not providing the specific reasons on the basis of which he could not have given the complainant a copy of the training certificates obtained by him and which he held.
On this occasion the Company did not even inform the complainant, as required by art. 12 par. 4 of the Regulation, the possibility, considering the refusal, to lodge a complaint with the Authority or appeal to the ordinary judicial authority.
Only following the start of the investigation by the Authority did the Company clarify that it no longer possessed the requested certificates and took steps to recover them.
In particular, based on what was declared, the Company invited the companies that deal with training for it to send the requested certificates to the complainant and following this, as specified by the Company (which produced supporting documentation), declared that “to the best of our knowledge, the company Loxam Access s.r.l. (holder of the «Instructor in the use of the Mobile Elevating Platform» course) promptly sent the certificate. The SIAPA company, with a note dated 03/21/2023, responding to the undersigned's request dated 01/16/2023, sent the "master" of the training course held in remote agile mode to Eng. […], who sent it to the interested party on 03/30/2023. However, as regards the PPE 3 Cat. course, the SIAPA company informed, with PEC dated 03/21/2023, that there was no certificate in favor of the employee; moreover, in confirmation of this, the C.I.EL. S.p.A. decided not to send the employee in question to this course as he already possesses a valid certificate. We also inform you that today a copy of the license requested by the employee will be sent to the employee with certified email [dated] [2]0/03/2023" (see note 18/4/2023, p. 1, 2).
The Company, therefore, violated the art. 12 of the Regulation with reference to art. 15 of the Regulation.
In particular, in fact, the Company did not provide adequate feedback to the access request presented by the complainant.
This, both if the same was in possession, at the time of the request, of the training certificates (as appears to emerge from the response dated 28 June 2022, attached to the complaint), and if, already at that time, it had canceled them (as appears from the Company's declaration made to the Authority, see reply dated 18.4.2023, "on 7 July 2022 an email was received from the [complainant] as he was not in possession of the certificates as, following the termination of the relationship, considering that the company was no longer obliged to hold them as they contained sensitive data, they were deleted from the archive").
In this regard, it is recalled that the worker's training certificates contain personal data referring to him, to which the interested party has the right to access pursuant to art. 15 of the Regulation.
In this regard, the Guidelines 01/2022 on data subject rights – Right of access, EDPB, 28 March 2023, clarify that “In some cases, the personal data itself sets the requirements in what format the personal data should be provided” (see par 5.2.5, point 155, official translation “In some cases, the personal data itself defines the requirements for the format to be used”).
In any case, if the owner is unable or does not deem it necessary to follow up on a request to exercise the rights (including, therefore, also those to exercise the right of access), he must communicate to the interested party the specific reasons for the refusal as well as that the possibility of submitting a complaint to the Guarantor or appealing to the ordinary judicial authority pursuant to art. 12 par. 4 of the Regulation.
In this case the Company did not engage in the aforementioned conduct. Furthermore, as confirmed by the actions carried out by the company during the investigation, it was able to recover (at least in part) the certificates referring to the interested party and the subject of a specific request for access to the data.
3. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulations.
For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the dismissal of this proceeding, as none of the cases provided for in the art. 11 of the Guarantor Regulation n. 1/2019.
The conduct implemented by the Company which consisted in providing an inappropriate response to the request for access presented by the complainant is in fact illicit, in the terms set out above, with reference to the art. 12 of the Regulation in relation to the art. 15 of the Regulation.
The violation, ascertained within the terms set out in the motivation, cannot be considered "minor", taking into account the nature, the seriousness of the violation itself, the degree of responsibility and the way in which the supervisory authority became aware of the violation ( cons. 148 of the Regulation).
The Authority also took into account the average level of severity of the violation in light of all the factors relevant in the specific case, in particular the nature, severity and duration of the violation, taking into account the nature, object or purpose of the processing in question as well as the number of data subjects affected by the damage and the level of damage suffered by them.
The Authority also took into consideration the criteria relating to the intentional or negligent nature of the violation and the categories of personal data affected by the violation as well as the manner in which the supervisory authority became aware of the violation (see art. 83, par. 2 and Recital 148 of the Regulation).
The Authority also took into consideration the criteria relating to the intentional or negligent nature of the violation and the categories of personal data affected by the violation and the way in which the supervisory authority became aware of the violation (see art. 83, par. 2 and Recital 148 of the Regulation).
Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the specific case, the application of a pecuniary administrative sanction is ordered pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).
In this framework, considering, in any case, that the conduct has exhausted its effects, given that the Company declared to have provided the interested party with the training certificates of which it was able to find copies and declared in relation to "the training course PPE 3 Cat. the Siapa company informed, with PEC dated 03/21/2023, that there was no certificate in favor of the employee", the conditions for the adoption of further corrective measures pursuant to art. are not met. 58, par. 2, of the Regulation. 
4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
At the end of the proceedings it appears that C.I.EL. S.p.A. violated the art. 12 of the Regulation in relation to the art. 15 of the Regulation. For violations of the aforementioned provisions, the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, letter. b) of the Regulation, through the adoption of an injunction order (art. 18, l. 24.11.1981, n. 689).
Considered necessary to apply paragraph 3 of the art. 83 of the Regulation, where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed 'amount specified for the most serious violation', the total amount of the sanction is calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5.
With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is stated that , in this case, the following circumstances were considered:
a) in relation to the nature of the violation, this concerned cases punished more severely pursuant to art. 83, par. 5, of the Regulation (exercise of rights); in relation to the seriousness of the violation, the nature of the processing which concerned the exercise of rights, in particular the right of access to data, was taken into consideration; with regard to the duration of the violation, it was considered that only following the opening of the investigation, the interested party received suitable feedback to the request (feedback finally provided therefore just under eleven months after the presentation of the request to exercise the right of access);
b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the negligent conduct of the Company which did not provide adequate feedback to the request to exercise the right of access was taken into consideration;
c) the Company's cooperation with the Authority during the procedure was considered in favor of the owner.
It is also believed that they assume relevance in the specific case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must comply with in determining the amount of the sanction (art. 83, par. 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2022. Lastly, the extent of the sanctions imposed in similar cases is taken into account.
In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply towards C.I.EL. S.p.A. the administrative sanction of payment of a sum equal to 10,000 (ten thousand) euros.
In this framework it is also considered, in consideration of the type of violations ascertained which concerned the exercise of the rights which pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.
It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019.
ALL THE WHEREAS, THE GUARANTOR
notes the illicit nature of the processing carried out by C.I.EL. S.p.A., with registered office in Via Giulio Vincenzo Bona, 101, Rome (RM), in the person of the legal representative, C.F. 04836840589, pursuant to art. 143 of the Code, for violation of art. 12 of the Regulation in relation to the art. 15 of the Regulation;
ORDER
pursuant to art. 58, par. 2, letter. i) of the C.I.EL. Regulations. S.p.A., to pay the sum of 10,000.00 (ten thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;
ORDERS
then to C.I.EL. S.p.A. to pay the aforementioned sum of 10,000.00 (ten thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981. Please note that the violator remains entitled to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed, within the deadline set out in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);
HAS
the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/20129, and believes that the conditions set out in the art. 17 of Regulation no. 1/2019.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 24 April 2024
PRESIDENT
Stanzione
THE SPEAKER
Stanzione
THE GENERAL SECRETARY
Mattei