Garante per la protezione dei dati personali (Italy) - 10066287
| Garante per la protezione dei dati personali - 10066287 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 12(3) GDPR; Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 26.09.2024 |
| Published: | |
| Fine: | 4,000 EUR |
| Parties: | CI & DI Food s.r.l. |
| National Case Number/Name: | 10066287 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante per la protezione dei dati personali (in IT) |
| Initial Contributor: | fb |
The DPA fined a controller €4,000 after it failed to act on an access request sent to its certified email address (PEC). The DPA held that the fact that the only person with access to that inbox was on holiday is not a valid excuse for failing to respond within the time limit.
English Summary
Facts
The data subject was an employee of the controller. She wanted access to the data relating to her working hours, as recorded by the company's badge-based timekeeping system.
She also wanted access to her Single Employment Book (Libro Unico del Lavoro), a document that employers are required to keep under Italian labour law to document all stages of the employment relationship.
To this end, on 9 August 2022 her lawyer submitted an access request under Article 15 GDPR on her behalf by sending it to the controller's certified email address (Posta Elettronica Certificata, PEC).
The controller did not reply to this request, and on 17 September 2022 the data subject lodged a complaint with the DPA.
After the DPA invited it to comply with the request (September 2023), the controller explained that it had not replied promptly because the only person with access to the PEC inbox, the company's legal representative, had been on holiday, and because the inbox could only be viewed from a computer on the company premises.
It also pointed out that, following this incident, the legal representative had activated a smartphone notification that alerts him whenever a new message arrives in the PEC inbox.
Holding
First, the DPA found that the controller had not acted on the access request within the time limit set by Article 12(3) GDPR: it provided the data subject with an answer only after more than thirteen months, and only after the DPA had invited it to comply with the request.
On this point, the DPA noted that the absence of the legal representative on holiday does not exempt the controller from its obligations under the GDPR. On the contrary, the controller must put in place organisational measures ensuring that data subjects' requests are handled promptly (Article 12(2) GDPR).
The DPA also rejected the argument that the data subject could have obtained the same documents through other free channels (for example a union assistance centre): Article 15 GDPR places no such limitation on the data that can be accessed, and the badge records were in any case held exclusively by the employer.
The DPA acknowledged that, during the proceedings, the controller had introduced a notification mechanism ensuring that the responsible person is promptly made aware of messages arriving in the PEC inbox, and had designated a dedicated, monitored email address for rights requests in its privacy notices.
The DPA therefore found a violation of Articles 12 and 15 GDPR and imposed a fine of €4,000, taking into account the controller's cooperation, the fact that only one data subject was affected and the measures adopted during the proceedings. The separate allegation under Article 5(1)(a) GDPR was dropped.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10066287] Provision of 26 September 2024 Register of provisions no. 589 of 26 September 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General; HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”); HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”); HAVING SEEN the complaint submitted pursuant to art. 77 of the Regulation by Ms. XX against CI & DI Food s.r.l. – a limited liability company with a single shareholder; HAVING EXAMINED the documentation in the files; HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000; REPORTER Prof. Pasquale Stanzione; WHEREAS 1. The complaint against the Company and the investigative activity. By complaint dated 17 September 2022, Ms. XX complained of alleged violations of the Regulation by CI & DI Food s.r.l. – a limited liability company with a single shareholder (hereinafter, the Company), with reference to the failure to respond to the exercise of the right of access to her personal data processed by the company in the context of the employment relationship, and in particular to the extract of the Single Employment Book and the “summary of data relating to work attendance […] acquired and recorded by means of an electronic badge relating to the entire duration of the employment relationship”. 
In particular, the complainant complained that, in response to the exercise of the right of access carried out by means of a communication with certified electronic mail, sent on 9/8/2022 to the address XX by the complainant’s lawyer, in the name and on behalf of the latter, the Company did not provide any response. The Company, in responding to an invitation to adhere to the requests of the interested party sent by the Authority on 6 September 2023, with a note dated 28 September 2023 declared that: a. it intended to carry out “the spontaneous adhesion to the request for access [formulated by the complainant], attaching to this the personal data processed in the context of the employment relationship, as requested, and specifically: Extract of the Single Employment Book […]; Data extracted from the software connected to the “so-called badge” stamping device”; b. “the failure to send the documents requested by the [complainant] with Certified Email dated 09.08.2022 […] was the result of a mere oversight, considering that in the days preceding said request there had been a series of exchanges [between the Company and the complainant’s lawyer], regularly and promptly noted by the undersigned”; c. “in particular […] following the request made […] on 06.22.2022 [by the complainant] after having already made available [to the complainant] said documents in paper form at the workplace […], with two PEC responses dated 06.30.2022 and 08.04.2022 […] provided adequate and timely feedback to the requests formulated […]. This fact demonstrates the collaborative spirit” of the Company in the proceedings before the Guarantor. 2. The initiation of the procedure for the adoption of corrective measures and the company's deductions. On 10 January 2024, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to arts. 12 and 15 of the Regulation. 
With defensive briefs sent on 9 February 2024, the Company declared that: a. “the failure to send the documents requested by [the complainant] […] by certified e-mail dated 09.08.2022, within the terms set out in art. 12 GDPR, was the result of an oversight attributable to mere human error, also attributable to the reduced presence of [the Company's legal representative], the only person authorised to view the certified e-mail box, at the workplace due to the holiday period. The absence of fraud is proven by the fact that in the days preceding the aforementioned request there had been a series of certified e-mail exchanges between CI & Di Food and [the complainant's lawyer], regularly and promptly detected by the undersigned, as per the documentation already communicated” (note 01/09/2024, p. 2); b. with regard to the degree of severity of the violation, “the request for access to personal data pursuant to art. 15 GDPR does not constitute the only free tool available to the worker (or former worker) to have access to a copy of the documentation relating to his/her employment position, and even a failure to respond within the terms set out in art. 12 GDPR does not preclude the worker from resorting to other legal instruments, even free of charge, to obtain the requested documentation (e.g. by contacting a union assistance center)” (note cit., p. 2); c. “no definitive and irreparable damage to the rights and freedoms of the interested party has occurred, as the requested data were transmitted following the timely response to the invitation to join formulated by this Authority” (note cit., p. 3); d. 
the Company “having acknowledged the human error that led to the failure to respond to the request formulated by the [complainant] within the terms established by the GDPR, has decided to implement the technical and organizational measures adopted, and to incorporate the data protection principles and the operating instructions to the data processors, within the Company Regulations” (note cit., p. 3); e. “In order to facilitate the correct management and processing of access requests that may be received, the Data Controller has decided to assign a specific task and provide specific written instructions to the employee with administrative duties, to implement the support staff for the management of requests to exercise rights by the interested parties” (note cit., p. 4 and Annex 10); f. “Since the review process of the company regulations was concluded on 02/06/2024 with the publication on the company noticeboard, the company documentation is currently being updated and revised, including the information on the processing of personal data addressed to the various categories of interested parties. Following this revision, the reference to the email address XX (constantly monitored [...]) will be reported in clearly visible terms, within all the information models on the processing of personal data already used by the Company in relations with customers, suppliers, employees and users of the website, as a garrison to which interested parties can address requests to exercise the rights referred to in Articles 15-22 GDPR” (note cit., p. 4); g. “in order to encourage compliance with the instructions […], an in-person training course aimed at all employees has been scheduled for February 21, 2024, covering, among other things, “General principles on data protection pursuant to the GDPR and Legislative Decree 196/2003 and subsequent amendments” (note cit., p. 4); h. the Company therefore “disputes the violation of the duty of correctness established by art. 5, par. 
1, letter a) of the Regulation, having demonstrated, not only that the failure to respond to the request formulated by the [complainant] within the terms set out in art. 12 GDPR (in addition to representing an isolated case), occurred due to a single human error; but also of the correct approach that each Data Controller must develop in similar circumstances” (note cit., p. 5). During the hearing, held on 26 March 2024 following the Company's request, the latter ultimately declared that: a. “even before EU Regulation 2016/679 came into force, with the previous rules, the Company had paid particular attention to the correct management of personal data processing processes”; b. “the visibility of the PEC mailbox, by company policy, is reserved solely for the legal representative of the company, and was, at the time of the facts, viewable only from the computer on site, and therefore when the legal representative was physically present in the office”; c. “Given that the request for access was submitted during the summer holidays rotation period, and in light of the described methods of checking the PECs, the complainant's request was not seen due to a simple error. The Company therefore did not have the will not to provide feedback to the request to exercise the right of access, given that the feedback would certainly have been provided if the request via PEC had been viewed”; d. “Following this episode, the Company first of all reviewed all privacy aspects of the processing of personal data carried out in the course of its business and, furthermore, initiated a process of verification and review of the management of data processing processes. With regard to the management of certified emails, at present, the legal representative, who downloaded the Aruba application on his smartphone, is promptly notified of their arrival by means of an alert, also in order to further reduce the risk of the episode referred to in these proceedings being repeated”; e. 
“The Company has updated the company regulations and organized a training course for employees, regularly held on 21 February 2024 (as anticipated in the defense briefs) dedicated to the processing of personal data”. 3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures. 3.1. Outcome of the investigation. Violation of Articles 12 and 15 of the Regulation. Following the examination of the declarations made to the Authority during the proceedings and of the documentation acquired, it appears that the Company, as the data controller, has carried out some processing operations, relating to the complainant, which are not compliant with the regulations on the protection of personal data. In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor". On the merits, it emerged that the Company did not provide feedback to the request to exercise the right of access to some personal data processed in the context of the employment relationship submitted by the complainant on 9/8/2022 to the Company's Pec address. After the complaint was filed with the Guarantor, the Company collaborated with the Supervisory Authority and sent the requested data with a communication dated 28/9/2023 also addressed to the complainant. Pursuant to art. 15 of the Regulation, “The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”. 
As for the methods by which the data controller must provide feedback to the data subject, the same article specifies that “The data controller shall provide a copy of the personal data undergoing processing”. Furthermore, art. 12 clarifies that the response to requests to exercise the rights provided for by the Regulation (including access) must be provided “without undue delay and, in any case, no later than one month after receipt of the request. This period may be extended by two months, if necessary, taking into account the complexity and number of requests. The data controller shall inform the data subject of such extension, and of the reasons for the delay, within one month of receiving the request. […]. If the data controller does not comply with the data subject's request, the data controller shall inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of bringing a judicial remedy”. In light of the aforementioned provisions, the Company, therefore, failed to provide the data subject with a response to the request to obtain a copy of the Single Employment Register and of the attendance stamps carried out using the company badge and transmitted the information only after receiving an invitation to join from the Supervisory Authority, more than thirteen months after the request, in violation of Articles 12 and 15 of the Regulation. The reasoning provided by the Company during the proceedings before the Authority to explain the failure to respond to the requests of the interested party, i.e. 
the occurrence of "a mere error" determined by the circumstance that at the time of the fact that is the subject of the complaint only the legal representative of the Company had access to the PECs, even during the summer shifts, is not suitable to eliminate the obligation placed on the data controller to respond to requests for the exercise of rights, preparing organizational measures to facilitate their presentation (see art. 12, par. 2 of the Regulation). Nor can it be taken into consideration, as deduced in the defense briefs, the fact that "other legal instruments, even free of charge, would have been abstractly available to obtain the requested documentation", given that art. 15 of the Regulation does not place any limitation on the information relating to the interested party that can be accessed and also considering that the data relating to the stampings made with the company badge, the subject of the request for access, are in the exclusive availability of the employer. The Authority, in any case, acknowledges that during the proceedings the Company introduced a notification mechanism for PECs in order to highlight their receipt in the relevant certified mailbox. It is also acknowledged that the Company has adopted some measures, including organizational measures, in order to facilitate the exercise of rights by interested parties, including by indicating a dedicated email address included in the information forms provided to interested parties (employees, customers, suppliers, users of the website). Therefore, the Company, in the terms described above, has not complied with the obligation to provide feedback to the interested party following the exercise of the rights provided for by the Regulation - in this case the right of access pursuant to art. 15 -, within the terms and with the methods prescribed by art. 12 of the Regulation (in relation to similar cases see, among the most recent: Provv. 24/4/2024, n. 245, in www.garanteprivacy.it, web doc. n. 
10018813; Provv. 24/4/2024, n. 246, web doc. n. 10021452; Provv. 18/7/2023, n. 318, web doc. n. 9929053). Instead, the archiving of the proceedings is ordered in relation to the alleged violation of art. 5, par. 1, letter a) of the Regulation, following the elements provided by the Company with the defense briefs and during the hearing. 4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulation. For the above reasons, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are therefore unsuitable to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. The processing of personal data carried out by the Company and in particular the failure to respond to requests for access to personal data submitted by the complainant within the terms provided for by the law, is in fact unlawful, in the terms set out above, in relation to arts. 12 and 15 of the Regulation. The breach established in the terms set out in the grounds cannot be considered “minor”, taking into account the nature of the breach which concerned the exercise of the rights of the data subject, the gravity and duration of the breach itself, the degree of responsibility and the manner in which the supervisory authority became aware of the breach (see Recital 148 of the Regulation). The Authority also took into account the average level of severity of the breach in the light of all the factors relevant to the specific case, and in particular the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects harmed by the damage and the level of damage suffered by them. 
The Authority also took into account the criteria relating to the intentional or negligent character of the breach and the categories of personal data concerned by the breach as well as the manner in which the supervisory authority became aware of the breach (see Article 83, paragraph 2 and Recital 148 of the Regulation). Finally, it is believed that the conditions set out in Article 17 of the Regulation of the Guarantor no. 1/2019 are met. 5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code). Violation of arts. 12 and 15 of the Regulation entails the application of the administrative sanction provided for by art. 83 of the Regulation. The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18, l. 24.11.1981, n. 689), in relation to the processing of personal data carried out by CI & DI Food s.r.l. – a limited liability company with a single shareholder, which has been found to be unlawful in the terms set out above. Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same processing or connected processing, a data controller […] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5. With reference to the elements listed in art. 83, par. 
2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the specific case, the following circumstances were considered: a) in relation to the nature of the violation, this concerned cases punished more severely pursuant to Article 83, paragraph 5 of the Regulation (rights of the interested parties); in relation to the seriousness of the violation, the nature of the processing that concerned the exercise of the right of access to one's personal data was taken into consideration; with regard to the duration of the violation, the extended duration of the violation itself (more than one year) was considered relevant; b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the negligent conduct of the Company and the degree of responsibility of the same for not complying with the data protection regulations in relation to a plurality of provisions were taken into consideration; c) in favour of the Company, account was taken of the cooperation with the Supervisory Authority, of the late sending of the response to the request for access after having learned of the submission of a complaint to the Guarantor, of the circumstance that the violation ascertained concerned only the complainant and of the adoption during the procedure of measures aimed at facilitating the exercise of rights by the interested parties. 
It is also believed that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the following are relevant in this case: firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the abbreviated financial statement for the year 2023. Lastly, the amount of sanctions imposed in similar cases is taken into account. In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply to CI & DI Food s.r.l. – a limited liability company with a single shareholder the administrative sanction of the payment of a sum equal to Euro 4,000 (four thousand). In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this provision should be published on the website of the Guarantor. This is in consideration of the type of violations found that concerned provisions relating to the exercise of the rights of the interested party, which constitute an expression of the general principles of correctness and transparency. GIVEN ALL THE ABOVE, THE GUARANTOR determines the unlawfulness of the processing carried out by CI & DI Food s.r.l. – a limited liability company with a single shareholder, represented by its legal representative, with registered office in Via delle Cerbaie, 70/72, Altopascio (LU), C.F. 02382190466, pursuant to art. 143 of the Code, for the violation of arts. 12 and 15 of the Regulation; ORDERS pursuant to art. 58, par. 2, letter i) of the Regulation to CI & DI Food s.r.l. 
– a limited liability company with a single shareholder, to pay the sum of Euro 4,000 (four thousand) as an administrative fine for the violations indicated in this provision; ORDERS therefore the same Company to pay the aforementioned sum of Euro 4,000 (four thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is represented that pursuant to art. 166, paragraph 8, of the Code, the offender has the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below; ORDERS a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; b) pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority; c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2, of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. 
Rome, 26 September 2024 THE PRESIDENT Stanzione THE REPORTER Stanzione THE GENERAL SECRETARY Mattei
“The Company has updated the company regulations and organized a training course for employees, regularly held on 21 February 2024 (as anticipated in the defense briefs) dedicated to the processing of personal data”. 3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures. 3.1. Outcome of the investigation. Violation of Articles 12 and 15 of the Regulation. Following the examination of the declarations made to the Authority during the proceedings and of the documentation acquired, it appears that the Company, as the data controller, has carried out some processing operations, relating to the complainant, which are not compliant with the regulations on the protection of personal data. In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to Article 168 of the Code "False declarations to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor". On the merits, it emerged that the Company did not respond to the request to exercise the right of access to some personal data processed in the context of the employment relationship submitted by the complainant on 9/8/2022 to the Company's Pec address. After the complaint was filed with the Guarantor, the Company collaborated with the Supervisory Authority and sent the requested data with a communication dated 28/9/2023 also addressed to the complainant. Pursuant to art. 15 of the Regulation, "The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data". 
As for the methods by which the data controller must respond to the data subject, the same article specifies that "The data controller shall provide a copy of the personal data being processed". Furthermore, art. 12 clarifies that the response to requests to exercise the rights provided for by the Regulation (including that of access) must be provided "without undue delay and, in any event, no later than one month after receipt of the request. This period may be extended by two months where necessary, taking into account the complexity and number of the requests. The data controller shall inform the data subject of any such extension, and of the reasons for the delay, within one month of receipt of the request. […]. Where the data controller does not comply with the request of the data subject, the data controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy".

In light of the aforementioned provisions, the Company, therefore, failed to provide the interested party with a response to the request to obtain a copy of the Single Employment Book and of the attendance clock-ins recorded with the company badge, and transmitted the information only after receiving an invitation to comply from the Supervisory Authority, more than thirteen months after the request, in violation of Articles 12 and 15 of the Regulation.

The reason provided by the Company during the proceedings before the Authority to explain the failure to respond to the interested party's requests, i.e. the occurrence of "a mere error" determined by the circumstance that at the time of the event that is the subject of the complaint only the legal representative of the Company had access to the PECs, even during the summer shift period, is not suitable to eliminate the obligation placed on the data controller to respond to requests to exercise rights, preparing organizational measures to facilitate their submission (see Article 12, paragraph 2 of the Regulation). Nor can it be taken into consideration, as deduced in the defense briefs, the fact that "other legal instruments, even free of charge, would have been abstractly available to obtain the requested documentation", given that art. 15 of the Regulation does not place any limitation on the information relating to the interested party that can be accessed and also considering that the data relating to the clock-ins made with the company badge, subject of the request for access, are in the exclusive availability of the employer.

The Authority, in any case, notes that during the proceedings the Company introduced a notification mechanism for the PECs in order to highlight the receipt of the same in the relative certified mailbox. It is also noted that the Company has adopted some measures, including organizational ones, in order to facilitate the exercise of the rights by the interested parties also through the indication of a dedicated email address included in the information forms provided to the interested parties (employees, customers, suppliers, users of the website).

The Company, therefore, in the terms described above, has not complied with the obligation to respond to the interested party following the exercise of the rights provided for by the Regulation - in this case the right of access pursuant to art. 15 -, within the terms and with the methods prescribed by art. 12 of the Regulation (in relation to similar cases see, among the most recent: Provv. 24/4/2024, n. 245, in www.garanteprivacy.it, web doc. n. 10018813; Provv. 24/4/2024, n. 246, web doc. n. 10021452; Provv. 18/7/2023, n. 318, web doc. n. 9929053).

Instead, the archiving of the proceedings is ordered in relation to the alleged violation of art. 5, par. 1, letter a) of the Regulation, following the elements provided by the Company with the defense briefs and during the hearing.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and that they are therefore unsuitable to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The processing of personal data carried out by the Company and in particular the failure to respond to requests for access to personal data submitted by the complainant within the terms provided for by the law, is in fact unlawful, in the terms set out above, in relation to Articles 12 and 15 of the Regulation. The infringement established in the terms set out in the grounds cannot be considered “minor”, taking into account the nature of the infringement which concerned the exercise of the rights of the data subject, the gravity and duration of the infringement itself, the degree of responsibility and the manner in which the supervisory authority became aware of the infringement (see Recital 148 of the Regulation).
The Authority also took into account the average level of severity of the infringement in the light of all the factors relevant to the specific case, and in particular the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected by the damage and the level of damage suffered by them. The Authority also took into account the criteria relating to the intentional or negligent character of the infringement and the categories of personal data concerned by the infringement as well as the manner in which the supervisory authority became aware of the infringement (see Article 83, paragraph 2 and Recital 148 of the Regulation). Finally, it is believed that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

Violation of arts. 12 and 15 of the Regulation entails the application of the administrative sanction provided for by art. 83 of the Regulation. The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the pecuniary administrative sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18, l. 24.11.1981, n. 689), in relation to the processing of personal data carried out by CI & DI Food s.r.l. – a limited liability company with a single shareholder, which has been found to be unlawful in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that “If, in relation to the same or linked processing operations, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”, the total amount of the fine is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and its quantification, taking into account that the fine must “in any case [be] effective, proportionate and dissuasive” (art. 83, par. 1 of the Regulation), it is represented that, in this case, the following circumstances were considered:

a) in relation to the nature of the infringement, this concerned cases punished more severely pursuant to art. 83, par. 5 of the Regulation (rights of data subjects); in relation to the seriousness of the violation, the nature of the processing that concerned the exercise of the right of access to one's personal data was taken into consideration; with regard to the duration of the violation, the extended duration of the violation itself (more than one year) was considered relevant;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the negligent conduct of the Company and the degree of responsibility of the same for not having complied with the data protection regulations in relation to a plurality of provisions were taken into consideration;

c) in favor of the Company, account was taken of the cooperation with the Supervisory Authority, of the sending, albeit late, of the response to the request for access after having learned of the submission of a complaint to the Guarantor, of the circumstance that the violation ascertained concerned only the complainant and of the adoption during the procedure of measures aimed at facilitating the exercise of the rights by the interested parties.

It is also believed that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the following are relevant in this case: firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the abbreviated financial statement for the year 2023. Lastly, the amount of sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply to CI & DI Food s.r.l. – a limited liability company with a single shareholder the administrative sanction of the payment of a sum equal to Euro 4,000 (four thousand).

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this provision should be published on the website of the Guarantor. This is in consideration of the type of violations found that concerned provisions relating to the exercise of the rights of the interested party, which constitute an expression of the general principles of correctness and transparency.

GIVEN ALL THE ABOVE, THE GUARANTOR

determines the unlawfulness of the processing carried out by CI & DI Food s.r.l. – a limited liability company with a single shareholder, represented by its legal representative, with registered office in Via delle Cerbaie, 70/72, Altopascio (LU), C.F. 02382190466, pursuant to art. 143 of the Code, for the violation of arts. 12 and 15 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation to CI & DI Food s.r.l. – a limited liability company with a single shareholder, to pay the sum of Euro 4,000 (four thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

therefore the same Company to pay the aforementioned sum of Euro 4,000 (four thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is represented that pursuant to art. 166, paragraph 8, of the Code, the offender has the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below;

ORDERS

a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

b) pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;

c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2, of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 26 September 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei