Garante per la protezione dei dati personali (Italy) - 9445710
| Garante per la protezione dei dati personali - 9445710 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 12(1) GDPR Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 02.07.2020 |
| Published: | 02.08.2020 |
| Fine: | 3.000 EUR |
| Parties: | GTL s.r.l. |
| National Case Number/Name: | 9445710 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Ordinanza ingiunzione nei confronti di GTL s.r.l. - 2 luglio 2020 [9445710 (in IT)] |
| Initial Contributor: | Andrea S. |
The Italian DPA imposed a fine of €3000 on GTL for a breach of art. 12 and 15 of the GDPR in relation to an access request from a former employer. In particular, the Garante specified that a 'verbal' response, without any record of it, could not be considered adequate and therefore in line with the Regulation, even if the company has no information to communicate.
English Summary
Facts
On 26 November 2018, a former employee of GTL sent a request to have access to its personal data related to some 'registration sheets and printouts' extracted from the tachograph and those 'downloaded from the driver card relating to the journeys made' by the complainant himself during his previous work activities.
The company did not respond to this specific access request, so the employee made a complaint to the Garante in order to have access to the mentioned information.
Thus the Italian DPA sent a letter with some queries in order to investigate its compliance with the GDPR. Since the company did not respond to the DPA, the DPA sent another letter to demand more information on the data subject request. However, neither this time GTL provided any response.
On that basis, the DPA put in place a proper on-site investigation and found out that GTL did not provide the information requested by the complainant because they did not have the mentioned information available either in their paper or digital database. The company affirmed that it replied to the complainant 'orally', without any proof or recording of it.
Dispute
The Italian DPA had to understand whether there was a breach of art. 12 and 15 of the GDPR in relation to an access request of the complainant.
Holding
The Garante confirmed that, even if there was no information to provide, the company should have responded to the data subject in writing and, if appropriate, with electronic means.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
