Garante per la protezione dei dati personali (Italy) - 9993531

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 12 GDPR
Article 15 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started: 01.09.2021
Decided: 24.01.2024
Published:
Fine: 2,000 EUR
Parties: Emme ci.service s.r.l.
National Case Number/Name: 9993531
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA imposed a €2,000 fine on a controller that failed to reply to an access request. A lawyer is allowed to file the request on behalf of the data subject insofar as the controller can authenticate the latter.

English Summary

Facts

Two former employees, technicians of Emme ci.service s.r.l. (‘controller’), filed a complaint with the DPA due to the processing of their personal data after the termination of the employment relationship with the controller.

The data processing involved the use of their names and contact details in the header of the company’s bulletins. The processing continued even after the controller had been informed of this situation. Additionally, the controller kept the data subjects’ e-mail accounts active for 7 months after the termination of the employment contract. Lastly, the data subjects stated that the controller failed to deliver certificates of attendance at a basic course for the driving of elevating platforms which took place in 2009.

The controller claimed that, firstly, in view of the sudden and unforeseen resignation of the employees, the company continued using the old bulletins until the new ones, which no longer made any reference to the data subjects, arrived. The controller highlighted that it promptly removed their details from the bulletins upon a request from the data subjects’ lawyer.

Secondly, the controller claimed that it never had access to the data subjects' e-mail accounts, either during their employment or in the period after its termination. The controller argued that the data subjects' e-mail accounts did not constitute a ‘company account’ in a strict sense, as they were not provided or created by the controller but by the data subjects themselves. The address was not used for official communications on behalf of the controller and the data subjects could have deleted the account at any time.

Thirdly, the controller claimed that they were not in possession of the certificates of attendance and emphasized that the certificates were only valid for four years. For that reason, the controller held the course in an updated form in 2018 and was not obliged to keep the expired certificates for such a long period.

Moreover, the controller argued that the request for certificates was sent by the data subjects’ lawyer, a third party. In its view, such a request cannot be regarded as an exercise of the right of access under Article 15 GDPR.

Holding

Regarding the processing of the data subjects’ data in the header of the company’s bulletins, the DPA ascertained that the continuation of such processing even after the end of employment constituted a breach of Article 6(1)(b) GDPR and Article 6(1)(c) GDPR. At that time, the controller lacked an appropriate legal basis due to a lack of any binding employment contract or obligations arising from the sectoral labor regulations.

The DPA also noted that this conduct is not in accordance with the principle of fairness under Article 5(1)(a) GDPR or with the provisions of Articles 12 and 17 GDPR. As the employer processed data that was no longer necessary outside the employment relationship, the controller was supposed to meet the obligations for erasure under Article 17 GDPR. The controller shall facilitate the exercise of data subjects’ rights as per Article 12 GDPR, which did not happen in this case. In fact, as is apparent from the documentation provided, the controller continued to use their data on the bulletins subsequent to the request for erasure by the data subjects' lawyer.

Regarding the controller’s retention of the data subjects’ e-mail accounts, the DPA considered that no evidence of a breach of data protection rules has emerged.

Regarding the data subjects’ request for course certificates, the DPA found a violation of Articles 12 and 15 GDPR. It was established that the controller did not provide adequate feedback to the request for access to the certificates. More specifically, the controller was obliged to inform the data subjects that it was unable to provide the certificates in question and state the reasons for non-compliance with their right to access. In the present case, the controller was not in possession of the requested documents, as they expired more than ten years ago. However, these circumstances do not relieve the controller of its duty to respond to the data subjects and inform them of the possibility to lodge a complaint with the DPA.

Lastly, the DPA rejected the argument of the controller that there was no obligation to respond to a request sent by a third party, the data subjects’ lawyer. In fact, the controller, with respect to the Guidelines 01/2022 on data subjects’ rights, may verify the identity of the third party acting in the name and on behalf of the data subject. Although the right of access is generally exercised by data subjects themselves, it is possible to authorize a proxy acting on their behalf.

In the light of the above, the DPA imposed a fine of €2,000 for violations of Articles 5(1)(a), 6, 12, 15 and 17 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9993531]

Provision of 24 January 2024

Register of measures
n. 41 of 24 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and lawyer Guido Scorza, members, and councilor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

GIVEN the complaints presented pursuant to art. 77 of the Regulation by Mr. XX and Mr. XX towards 2 Emme.ci Service s.r.l.;

EXAMINED the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

PREMISE

1. Complaints against the company and preliminary investigations.

On 1 September 2021, Messrs. XX and XX presented two complaints to the Authority pursuant to art. 77 of the Regulation against 2 Emme.ci Service s.r.l. (hereinafter, the Company), regularized on 8 July 2022, following an invitation to regularize.

The complaints alleged violations of the Regulation and in particular the use, following the termination of the employment relationship, of company bills also showing the names of the complainants, the having kept the XX and XX accounts active "for a good 7 months after the termination of the employment relationship" as well as "the failure to deliver certificates of attendance at a basic course held in 2009 relating to the operation of mobile elevating platforms (MEWPs) carried out by the complainant[s] at Union Teleo s.r.l. as an employee[s] of Ali-car service s.r.l. now Emme ci.service s.r.l. and to date still in possession of the latter with related processing of the personal data of [the] former employees".

On 22 March 2023, the Company, following a request for information dated 8 August 2022, sent again on 20 March 2023, provided its response with reference to the complaint presented by Mr. XX and on that occasion declared that:

- the complainant "worked for 2 EMME.CI., as a maintenance worker from 1 March 2005 until 30 May 2020, the date on which the resignation submitted on 19 May 2020 took effect" (see note 22.3.2023 cit., p. 3);

- “upon termination of the employment relationship, 2 EMME.CI […], with a warning sent by registered mail with return receipt on 8 June 2020 [...], accused the worker of a series of unfair competition behaviors carried out by him to the detriment of the company" (see note cit., p. 3);

- "the dispute relating to the disputed violations and the claim for compensation was settled by the parties in a settlement agreement with the conciliation report signed on 6 August 2020 [...], before the Territorial Labor Inspectorate of Udine-Pordenone" (see note cit., p. 4);

- "during the conciliation the parties declared the definitive extinction of any dispute arising during the employment relationship or connected to it, mutually renouncing any action and expressly attributing the nature of a general settlement to the conciliation report" (see note cit., p. 4);

- "the company 2 EMME.CI no longer processes the personal data of the [complainant]" (see note cit., p. 4);

- "as regards the company email account, referring to the [complainant], it should be highlighted that it was canceled on 28 December 2020 [...]. The company therefore proceeded with the cancellation, giving feedback [...], as soon as it received the relevant request forwarded by the lawyer [of the complainant]” (see note cit., p. 5);

- "the [complainant] was the only person to have access to the company account [attributed to the complainant], as access was protected by a password which has always been available only to the worker. Therefore, the employing company never had the possibility of accessing the e-mail of the [complainant's] company account, neither during the period in which he was employed by the company nor, even less so, in the period following the termination of the employment relationship” (see note cit., p. 5);

- "taking into account the sudden and unexpected resignation of the employee, it may have happened that while waiting to receive the new bills rigorously prepared without any reference to the former employee, some of the old bills were used after the termination of the employment relationship with the [complainant]" (see note cit., p. 5, 6);

- "when on 28 December 2020, through communication from the lawyer [of the complainant], the presence of the bills containing the old reference to the complainant was reported to the undersigned defender, the company promptly proceeded with the elimination of the remaining old bills" (see note cit., p. 6);

- "the Company 2 EMME.CI does not have the certificate relating to participation in the basic course for the operation of elevating platforms carried out in 2009 by the [complainant] and requested by the complainant from the company through his lawyer only in April 2021" (see note cit., p. 6);

- “the company 2 EMME.CI SERVICE s.r.l. was established on 2 February 2018 [...] the participation in the course to which the [complainant] refers took place when he was employed by another company, ALI-CAR SERVICE s.r.l." (see note cit., p. 6, 7);

- "2 EMME.CI delivered the certificate of participation in the course for elevating platforms held in 2018 and which constituted an update of the course held in 2009, while the previous version, invalid and unusable, is not available to either the Company or the provider, as the certificate in question has expired, as it lasts four years" (see note cit., p. 7);

- "the Company would not have been required to keep an expired certificate of a former employee for a period exceeding ten years" (see note cit., p. 7);

- "the company immediately responded to the [complainant's] request relating to the certificates of participation in the training courses, transmitting, on the same day of the request, all the certificates available to 2 EMME.CI" (see note cit., p. 7);

- "the company 2 EMME.CI, through the lawyer […], had already responded to the request for access pursuant to art. 15 of the Regulation concerning all the attendance certificates of the [complainant] already dated 26 August and 7 September 2020" (see note cit., p. 8);

- “the company 2 EMME.CI SERVICE s.r.l. in fact, it has always undertaken to collaborate with the [complainant] to correctly manage the aspects related to the termination of the employment relationship with the same, giving a prompt response to the requests formulated by them" (see note cit., p. 8).

On 3 April 2023, the complainant sent his counterarguments.

On May 11, 2023, the Company, following a further request for information dated April 14, 2023, represented that:

- "the e-mail account [subject of complaint] does not constitute a "company account" in the strict sense, even if, for mere explanatory clarity, in previous writings reference was made to the same account in these terms, having been so named in the complaint filed by the [complainant] through [his lawyer]" (see note 11.5.2023 cit., p. 2);

- “this email address had not been provided, nor created, by 2 EMME.CI, but had rather been activated during the employment relationship by the [complainant] himself, who had created the relevant password for registration and access, without communicating it to the company” (see note cit., p. 2);

- "for this reason, the employing company has never had access to the e-mail contained therein, said password-protected account being available only to the worker, neither in the period in which the complainant was employed by the Company, nor, much less, in the period following the termination of the employment relationship" (see note cit., p. 2);

- "the address was not used for official communications from the Company, which rather used the different addresses XX and [the one assigned to the managing partner], as also proven by the company bills which reported these email accounts, without instead making any reference to the account [subject of complaint]” (see note cit., p. 2);

- "the former employee, just as he had activated the account in question, could have proceeded with its cancellation at any time" (see note cit., p. 2, 3);

- "during the period between the transfer of the employment relationship and the conciliation which took place before the Territorial Labor Inspectorate of Udine-Pordenone, i.e. from 20 May 2020 until 6 August 2020, the parties were in contact with each other through the respective defenders, in order to reach an agreement to settle any dispute and/or pending matter arising during the employment relationship and [...] in the aforementioned period no request was made to 2 EMME.CI regarding the cancellation of the aforementioned account” (see note cit., p. 3);

- "the request was received, in fact, only after the signing of the conciliation agreement and 2 EMME.CI responded immediately" (see note cit., p. 3);

- "the Company's bills containing the reference to the [complainant's] surname were not prepared after the termination of his employment relationship with the Company, but rather had been ordered and delivered to the same by the supplier when the [complainant] was still employed by 2 EMME.CI.” (see note cit., p. 5);

- "the bills used previously did not, indeed, refer to the [complainant] (who would later resign from 2 EMME.CI in May 2020) but had been updated just before the sudden and unexpected resignation of the worker. For this reason [...] it may have happened that they were mistakenly used after the termination of the employment relationship with the same" (see note cit., p. 5);

- "2 EMME.CI was not in possession of the certificate relating to the basic course for the operation of mobile elevating platforms held in 2009, which expired over a decade ago and carried out by the worker when he was employed by another company, ALI-CAR SERVICE s.r.l. […] 2 EMME.CI has purchased the business unit of ALI-CAR SERVICE s.r.l. with deed of transfer dated 26 April 2018. The same company therefore took over the previous relationships of the transferring company, but could not have been in possession of a certificate that had already expired before the transfer of the business branch (being of a four-year duration) and, probably no longer owned by ALI-CAR SERVICE s.r.l.” (see note cit., p. 6).

On 12 May 2023, the complainant sent an addition to the complaint containing a copy of the page of a Company bill book, referring to an order dated 9 March 2023 (page which is filled in in the part relating to the description of the intervention but in which the box referring to the date is not populated). On 6 August 2023, he sent his counterarguments.

Regarding the complaint presented by Mr. XX, on 6 October 2022 the Company, following a request for information dated 8 August 2022, provided its feedback and on that occasion declared that:

- "the [complainant] worked for 2 EMME.CI., as a maintenance worker from 1 March 2005 until 22 May 2020, the date on which the resignation submitted on 13 May 2020 took effect" (see note 6.10.2022 cit., p. 2);

- "upon the termination of the employment relationship, 2 EMME.CI [...] accused the worker of a series of unfair competition behaviors carried out by him to the detriment of the company" (see note cit., p. 3);

- "the dispute relating to the disputed violations and the claim for compensation was settled by the parties in a settlement with the conciliation report signed on 6 August 2020, no. 166, before the Territorial Labor Inspectorate of Udine-Pordenone, Udine office" (see note cit., p. 3);

- "during the conciliation the parties declared the definitive extinction of any dispute arising during the employment relationship or connected to it, mutually renouncing any action and expressly attributing the nature of a general settlement to the conciliation report" (see note cit., p. 4);

- “the company 2 EMME.CI no longer processes the personal data of the [complainant]. Furthermore, [...] the parties with the conciliation report [...] have definitively settled every issue, none excluded, relating to the existing employment relationship (points 6 and 7 of the agreement), therefore including the data processed in relation to the same" (see note cit., p. 4);

- "as regards the company email account, referring to the [complainant], it should be highlighted that it was canceled on 28 December 2020" (see note cit., p. 4);

- "the company therefore proceeded with the cancellation, giving feedback through [its lawyer], as soon as it received the relevant request forwarded by the lawyer [of the complainant]” (see note cit., p. 4);

- "the [complainant] was the only person to have access to the company account [the subject of the complaint], as access was protected by a password which was always available only to the worker" (see note cit., p. 4, 5);

- "the employing company never had the opportunity to access the e-mail of the [complainant's] company account, neither in the period in which he was an employee of the company, nor, much less, in the period following the termination of the employment relationship” (see note cit., p. 5);

- "taking into account the sudden and unexpected resignation of the employee, it may have happened that while waiting to receive the new bills rigorously prepared without any reference to the former employee, some of the old bills were used after the termination of the employment relationship with the [complainant]" (see note cit., p. 5);

- "when on 28 December 2020, through communication from the lawyer [of the complainant], the presence of the bills containing the old reference to the complainant was reported to the undersigned defender, the company promptly proceeded with the elimination of the remaining old bills" (see note cit., p. 6);

- "The Company 2 EMME.CI does not have the certificate relating to participation in the basic course for the operation of elevating platforms carried out in 2009 by the [complainant] and requested by the complainant from the company through his lawyer only in April 2021. […] the company 2 EMME.CI SERVICE s.r.l. was established on 2 February 2018 [...] the participation in the course to which the [complainant] refers took place when he was employed by another company, ALI-CAR SERVICE s.r.l." (see note cit., p. 6);

- "2 EMME.CI delivered the certificate of participation in the course for elevating platforms held in 2018 and which constituted an update of the course held in 2009, while the previous version, invalid and unusable, is not available to either the Company or the granting party, as the certificate in question has expired, as it lasts four years" (see note cit., p. 6, 7);

- "the company immediately responded to the [complainant's] request relating to the certificates of participation in the training courses, transmitting, on the same day of the request, all the certificates available to 2 EMME.CI" (see note cit., p. 7);

- “the company 2 EMME.CI, through [its lawyer], had already responded to the request for access pursuant to art. 15 of the Regulation concerning all the attendance certificates of the [complainant] already dated 26 August and 7 September 2020" (see note cit., p. 8);

- “the company 2 EMME.CI SERVICE s.r.l. in fact, it has always undertaken to collaborate with the [complainant] to correctly manage the aspects related to the termination of the employment relationship with the same, giving a prompt response to the requests formulated by them" (see note cit., p. 8).

On 3 April 2023, the complainant sent his counterarguments. On 11 May 2023, the Company, following a further request for information dated 14 April 2023, highlighted that:

- "the e-mail account [subject of complaint] does not constitute a "company account" in the strict sense, even if, for mere explanatory clarity, in previous writings reference was made to the same account in these terms, having been so named in the complaint filed by the [complainant] through the lawyer" (see note 11.5.2023 cit., p. 2);

- "this email address had neither been provided nor created by 2 EMME.CI, but had rather been activated by the [complainant's] work colleague, [the other complainant], who created two accounts - for themselves and for their colleague - when they were employed by the Company, as well as the relevant password for registration and access, without communicating it to the company" (see note cit., p. 2);

- "the employing company has never had access to the e-mail contained therein, the password-protected account being available only to the worker, neither in the period in which the complainant was employed by the Company, nor in the subsequent period upon termination of the employment relationship" (see note cit., p. 2);

- "the address was not used for official communications from the Company, which rather used the different addresses XX and [the one assigned to the managing partner], as also proven by the company bills which reported these email accounts, without instead making any reference to the account [subject of complaint] [...] the former employee could well have proceeded with its cancellation at any time" (see note cit., p. 2, 3);

- "only following the request to delete the account [subject of complaint] forwarded by the lawyer [of the complainant] the Company remembered the existence of the account itself and, having noted that it was evidently still active, took steps to proceed with its cancellation" (see note cit., p. 3);

- "during the period between the transfer of the employment relationship and the conciliation which took place before the Territorial Labor Inspectorate of Udine-Pordenone, i.e. from 22 May 2020 until 6 August 2020, the parties were in contact with each other, through the respective defenders, in order to reach an agreement to settle any dispute and/or pending matter arising during the employment relationship and that in the aforementioned period no request had been made to 2 EMME.CI regarding the cancellation of the aforementioned account. [...] the request was in fact received only after the signing of the conciliation agreement and 2 EMME.CI responded immediately" (see note cit., p. 3);

- "the Company's bills containing the reference to the [complainant's] surname were not prepared after the termination of his employment relationship with the Company, but rather had been ordered and delivered to the same by the supplier when the [complainant] was still employed by 2 EMME.CI” (see note cit., p. 5);

- "the company 2 EMME.CI had no obligation to communicate to the former employee the reasons for the failure to make available a document which it did not possess and, therefore, data which it did not process" (see note cit., p. 7);

- "2 EMME.CI has, among other things, promptly delivered the certificate of participation in the course for elevating platforms held in 2018 and therefore still valid" (see note cit., p. 7).

On 12 May 2023, the complainant sent an addition to the complaint containing a copy of the page of a company bill referring to an order dated 9 March 2023 (page which is filled in in the part relating to the description of the intervention with the reference, precisely, to an order dated 9.3.2023, but in which the box referring to the date is not populated). On 6 August 2023 he sent his counterarguments.

2. The opening of the proceedings.

On 1 September 2023, the Office, having assessed all the elements acquired as part of the investigation, following the merger of the procedures relating to the two complaints, carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, letter a), 6, 12, 15 and 17 of the Regulation.

On 2 October 2023, the Company presented its defense writings in which it represented that:

- "deals with maintenance, assistance, repair and sale of forklifts, overhead cranes and lifting equipment inside and outside company premises and has a total of four people employed in it, the managing partner [...], the partner and employee [...] and two other employed workers" (see note 2.10.2023 cit., p. 2);

- "the share capital amounts to 10,000.00 euros" (see note cit., p. 2);

- "the complained company therefore falls into the category of micro-enterprises, does not process data on a large scale and is, therefore, exempt from the obligation of various obligations, including the appointment of the Data Protection Officer and the data protection impact assessment” (see note cit., p. 2);

- "the few data processed by 2 EMME.CI fall within the so-called common data" (see note cit., p. 2);

- "neither sensitive data nor other types of data which by their nature may be at greater risk in the event of a violation and which, due to their sensitivity, are subject to particular legal processing are processed" (see note cit., p. 2, 3);

- "using the risk parameters established by ENISA as a reference [...] for cases of data breach, possible violations of personal data processed by 2 EMME.CI can, at most, fall into the «low risk» category" (see note cit., p. 3);

- "personal data of the complainants contained in the company bills consisted of the initials of the names [...], their surnames (as well as the company telephone numbers, deactivated upon termination of the employment relationship)" (see note cit., p. 3);

- "the request for access was never formulated by the complainants directly to the Data Controller and, in any case, referred to the certificate relating to a course whose validity had expired over a decade ago, which made the request formulated manifestly unfounded" (see note cit., p. 4);

- "none of the aforementioned violations of the complainants' personal data is capable of causing any prejudice to the former employees" (see note cit., p. 4);

- "the company 2 EMME.CI has always shown itself to be collaborative towards the Guarantor Authority, making itself available to it and providing all the information and clarifications requested" (see note cit., p. 4);

- "the company 2 EMME.CI has never been convicted for violations relating to the processing of personal data, nor have there been complaints relating to non-compliance with the processing of the same, other than those formulated by the [complainants]" (see note cit., p. 4);

- "the [...] defender [of the Company] has always taken steps to communicate to the complainants, through [his lawyer], all the information he was aware of and provided all the documentation available to the company" (see note cit., p. 5);

- "the subjects involved, whose data is being discussed, are only the [complainants] and the subjects who may have become aware of the data - in particular the initials of the name and surname of the complainants although they are no longer part of the staff - there are only a few customers of the company, who, moreover, were already aware of the data of the former employees, as the latter had maintained relationships with the same during their employment relationship with the complained company" (see note cit., p. 5);

- "as regards the intentional or negligent nature of the violation, it is noted that the use of the old bills by the company is the result of a mere forgetfulness on the part of the same in verifying that all the bills in use were replaced with the new ones ongoing and that the old ones, instead, were definitively eliminated. In no way, therefore, can it be considered that the contested conduct could have assumed a malicious nature and, rather, demonstrates, at most, mere negligence on the part of 2 EMME.CI" (see note cit., p. 6);

- "the company, in order to avoid a repetition of the conduct which is assumed to be harmful, has provided itself with new bill books [...], in which [...] there is no longer any reference to the [complainants] and the contact details indicated therein are those of the partner […] and the other employees of 2 EMME.CI” (see note cit., p. 6);

- "it is excluded that the contested conduct may be repeated in the future" (see note cit., p. 6);

- “the request was rather forwarded by the lawyer [of the complainants] to the [...] defender [of the Company], in the context of correspondence relating to another dispute arising between the parties (concerning the unfair competition conduct carried out by former employees). In this communication it was highlighted that its customers had unsuccessfully turned to the CAF CISL FVG to obtain certificates relating to the basic course for the operation of mobile elevating platforms (carried out by the [complainants] in 2009). She therefore turned to the company's defender to obtain the aforementioned documents, assuming, without any foundation, that 2 EMME.CI was in possession of the certificates in question" (see note cit., p. 7);

- “art. 12 of the Regulation […] in fact provides that, if the requests of the interested party are manifestly unfounded or excessive, the Data Controller may, among other things, refuse to satisfy the request. Furthermore, in the communication received, the lawyer [of the complainants] did not specify in any way that the same was formulated as a request for access pursuant to art. 15 of the Regulation” (see note cit., p. 7);

- "although the Regulation [...] does not establish specific formal requirements, it is at least appropriate that the request is made using the most appropriate communication channels and is formulated in a clear and understandable way also for the person receiving the request, so that he can perceive its nature" (see note cit., p. 8);

- “[the] defender [of the Company] and the lawyer [of the complainants] were in frequent telephone contact at that time for the resolution of the dispute pending between the parties in relation to the acts of unfair competition carried out by the complainants to the detriment of the company and already in that context the groundlessness of such claims" (see note cit., p. 8);

- "2 EMME.CI had promptly delivered both the certificates of participation in the course for elevating platforms held in 2018 and which were still valid, as well as any other certificate in the company's possession regarding the [complainants]. This circumstance certainly demonstrates the good faith of the claimed company which, despite everything, made available to the appellants what it had in its possession" (see note cit., p. 9).

3. The outcome of the investigation.

3.1. Established facts and observations on the legislation regarding the protection of personal data.

Given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", based on the elements acquired during the preliminary investigation as well as the subsequent evaluations of this Department, it is ascertained that the Company, as data controller, has behaved in a way that does not comply with data protection regulations with reference to the processing of the complainants' data in its bill books following the termination of the employment relationship and by not providing adequate feedback to requests for exercise of the rights presented by the complainants.

In this regard, it is noted that on the basis of data protection regulations it is necessary that the processing of personal data is carried out in compliance with the general principles set out in the art. 5 of the Regulation.

In accordance with the principle of lawfulness of processing, so-called common personal data can be processed in the presence of a suitable condition of lawfulness among those indicated by art. 6 of the Regulation.

The art. 12 of the Regulation, to be read also in conjunction with the rules relating to the specific rights recognized by the law to the interested party, provides that "the data controller adopts appropriate measures to provide the interested party with all the information referred to in articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, in simple and clear language […]. The information is provided in writing or by other means, including, where appropriate, by electronic means. If requested by the interested party, the information may be provided orally, provided that the identity of the interested party is proven by other means” (para. 1).

It is also provided that "the data controller facilitates the exercise of the interested party's rights pursuant to articles 15 to 22" (para. 2).

Paragraph 3 of the same article specifies that "the data controller provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests. The data controller informs the interested party of this extension, and of the reasons for the delay, within one month of receiving the request. If the interested party submits the request by electronic means, the information is provided, where possible, by electronic means, unless otherwise indicated by the interested party".

According to paragraph 4 of the same article, the data controller, if he does not comply with the request of the interested party, "informs the interested party without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and lodging a judicial appeal".

Based on the art. 15 of the Regulation "the interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, in this case, to obtain access to the personal data" and to a series of information indicated in the same article (para. 1). Furthermore, based on par. 3 of the same article “the data controller provides a copy of the personal data being processed. […] If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in an electronic and commonly used format” (para. 3).

Art. 17 of the Regulation provides that "The interested party has the right to obtain from the data controller the deletion of personal data concerning him without unjustified delay and the data controller has the obligation to delete the personal data without unjustified delay, if there is one of the reasons [indicated in the same article]".

3.2. Violations confirmed.

Based on the elements acquired during the preliminary investigation as well as the subsequent assessments of this Department, it is established that the Company has engaged in conduct in conflict with the data protection regulations towards the two complainants.

First of all, it is remembered that the power of investigation attributed to the Guarantor is not subordinate to the initiative of a party; the same art. 57 of the Regulation, among the multiple tasks recognized to the supervisory authorities regarding the protection of personal data, indicates, in addition to the handling of complaints lodged by an interested party (see art. 57 par. 1 letter f) of the Regulation) also that to monitor and ensure the application of the Regulation (see art. 57 par. 1 letter a) of the Regulation).

In this regard, internal regulation no. 1 of 2019 (concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data) specifies in the art. 21 (“Controls and measures adopted without request from a party”) that “In the exercise of control tasks or in any case exercisable by the Guarantor, having evaluated the elements in its possession and even in the absence of a complaint, report or notification of violation of personal data, the Authority may officially initiate a preliminary investigation to verify the existence of suitable elements regarding possible violations of the relevant regulations on the protection of personal data".

Again as a preliminary matter, given what was stated by the Company regarding the conciliation reached between the parties before the Labor Inspectorate, reference is made to the provisions of the art. 2113 c.c. (“The waivers and transactions, which have as their object rights of the employee deriving from mandatory provisions of the law and collective contracts or agreements concerning the relationships referred to in article 409 of the code of civil procedure, are not valid”) and in any case, it is underlined that the facts complained of in the complaint occurred subsequent to, or in any case continued even after, the aforementioned conciliation between the parties on 6 August 2020. Considering this, it is not relevant as regards the subject of the complaints presented to the Authority, what is supported by the Company regarding the conciliation.

3.2.1. Processing of complainants' data in the header of bills.

The conduct of the Company does not comply with data protection regulations, in particular as the Company has continued to process the data of the complainants (initial of the full name and surname) in its bill books - particularly in the header of these last, within the contact details of the Company's technicians who can be contacted - even after the termination of the employment relationship (which occurred on 30.5.2020 as regards one of the two complainants and on 22.5.2020 as regards the other).

This is in the absence of a suitable legal basis, therefore in violation of art. 6 of the Regulation, given that the data processed are among the so-called common data, an article which constitutes a direct corollary of the principle of lawfulness of the processing set out in art. 5 par. 1 letter a) of the Regulation.

With regard to the conditions of lawfulness of the processing, it is recalled that, within the scope of the employment relationship, the employer carries out - as a rule - the processing necessary for the execution of the employment contract and to fulfill the obligations deriving from the labor disciplines of sector (see art. 6, par. 1, letters b) and c), of the Regulation).

None of the aforementioned conditions can be considered the basis of the processing of complainants' data carried out by the Company in the heading of bill books following the termination of the employment relationship.

In relation to the aforementioned conduct, it is also noted that the Company did not act in accordance with the provisions of articles 12 and 17 of the Regulation as well as the principle of correctness (art. 5 par. 1 letter a) of the Regulation): in response to the request for cancellation presented by the complainants (dated 28.12.2020) the Company, in fact, although it communicated to them, through their lawyer (on 12.30.2020), that "it is true that completely inadvertently my client continued to use old bills printed in December 2019 containing the data highlighted by you [...]; […] these are old bills and not new bills which will obviously no longer be used. The old bills will be immediately eliminated", has, however, continued to use, following this confirmation, bills also containing the personal data (initial of the full name and surname) of the complainants, as emerges from the documentation in the documents (including the bill of 14.12.2020, of 15.12.2020, 13.7.2021, 29.11.2021, 17.12.2021; furthermore, although not in the box relating to the date, a bill with the heading under discussion has been filled out referring to an order dated 9.3.2023).

3.2.2. Right of access to data.

The conduct that the Company has adopted with reference to the request to exercise the right of access to data presented by the complainants is also contrary to data protection regulations.

In particular, it was ascertained that the Company did not provide adequate feedback to the request for access to the basic course certificates for the operation of mobile elevating platforms (MEWP) formulated by the complainants on 28 April 2021 and reiterated on 8 May 2021.

The conduct of the Company, given, among other things, art. 2112 c.c. (“Maintenance of workers' rights in the event of company transfer”), is in conflict with the provisions of articles 12 and 15 of the Regulation: based on art. 12 par. 4 of the Regulation, if the data controller believes that he cannot satisfy the request to exercise the rights presented by the interested party (including the right of access pursuant to art. 15 of the Regulation), he is required to communicate to the applicant without delay and, at the latest, within one month of receipt of the request "the reasons for non-compliance and [the] possibility of lodging a complaint with a supervisory authority and bringing a judicial appeal".

In this case, in fact, although the Company, based on what it declared, was not in possession of the requested document, also considering that, again based on what it declared, the aforementioned certificate had expired for more than a decade, it should have provided feedback to the complainants' request, albeit limited to informing them of the reasons for the refusal as well as the possibility of submitting a complaint to the Guarantor for the protection of personal data or appealing to the ordinary judicial authority.

This is in compliance with the requirements of the art. 12 of the Regulation also with reference to the requests referred to in art. 15 of the Regulation. However, it does not appear that the Company has provided any type of feedback, not even expressing its refusal, in response to the request of 28 April 2021, reiterated on 8 May 2021.

The feedback provided by the Company to the complainants on 26 August 2020 and 7 September 2020 is, in fact, prior to the requests of 28 April and 8 May 2021, and it contains no indication, with reasons, of the impossibility of delivering to the complainants the basic course certificates for operating mobile elevating platforms.

Furthermore, the Company's finding that it was not required to acknowledge the request to exercise the right of access as it had been presented to the Company's lawyer cannot be accepted.

This is because the request was not sent to any third party, but to the Company's lawyer with whom the complainants' lawyer, also according to what was declared by the Company - a circumstance confirmed by the documentation in the documents -, was in contact to resolve various issues relating to the relationship between the Company and the complainants following the termination of the employment relationship.

In fact, it is the same lawyer of the Company who, with respect to the requests of 25 August 2020 and 7 August 2020 presented by the complainants' lawyer, provided feedback on 26 August and 7 September 2020.

In this regard, it is also underlined, in any case, that the Regulation does not impose any requirements on interested parties regarding the format of the request for access to personal data.

In this regard, the Guidelines 01/2022 on data subject rights – Right of access, EDPB, 28 March 2023, clarified that interested parties are not obliged to adopt a certain format to present requests to exercise the right of access (see Guidelines 01/2022 cit., point 52 "the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are, in principle, no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller", unofficial translation "the General Data Protection Regulation does not impose any requirements on data subjects regarding the format of the request for access to personal data. Therefore, in principle, there are no requirements that the interested party is required to comply with when choosing a communication channel through which to contact the data controller").

The aforementioned Guidelines also provide that the access request can be presented by a third party and in this regard specify that the data controller is responsible for verifying the identity of the third party acting in the name and on behalf of the interested party and his authorization.

To this end, the aforementioned Guidelines refer to national laws on legal representation (see Guidelines 01/2022 cit., point 80 "Although the right of access is generally exercised by the data subjects as it pertains to them, it is possible for a third party to make a request on behalf of the data subject. […] This may apply to, among others, acting through a proxy or legal guardians on behalf of minors, as well as acting through other entities via online portals. In some circumstances, the identity of the person authorized to exercise the right of access as well as authorization to act on behalf of the data subject may require verification, where it is suitable and proportionate”, unofficial translation “Although the right of access is generally exercised by the interested party as it falls within his competence, a third party may submit a request on behalf of the interested party. This can occur, among other things, through a representative or a legal guardian on behalf of minors, as well as the intermediary of other subjects through online portals. In such situations, the identity of the person authorized to exercise the right of access and the authorization to act on behalf of the data subject require authentication/verification, where appropriate and proportionate”; point 81 “In doing so, national laws governing legal representation (e.g. powers of attorney), which may impose specific requirements for demonstrating authorization to make a request on behalf of the data subject, should be taken into account […]. In accordance with the principle of accountability, as well as of the other data protection principles, controllers shall be able to demonstrate the existence of the relevant authorization to make a request on behalf of the data subject, and to receive the requested information, except if national law differs (e.g. national law contains specific rules regarding the trustworthiness of lawyers) leaving the controller to verify the identity of the proxy (e.g. in the case of lawyers checking enrollment at the bar) […]”, unofficial translation “To this end, national laws governing legal representation (e.g. powers of attorney) should be taken into account, which may impose specific requirements to demonstrate authorization to make a request on behalf of the data subject […]. In accordance with the principle of accountability and other data protection principles, data controllers must be able to demonstrate the existence of the relevant authorization to submit a request on behalf of the data subject, unless national law provides otherwise (for example, specific rules on the reliability of lawyers) leaving the data controller with the sole obligation to verify the identity of the delegate (for example, in the case of lawyers, verifying registration in the relevant register) [...]").

Furthermore, the complainants' request was clear in content, even though there was no explicit reference to the art. 15 of the Regulation.

In this regard, the aforementioned Guidelines 01/2022 on data subject rights - Right of access specify that it is not necessary for the request to exercise the right of access to contain the reference to art. 15 of the Regulation if the content of the same is clear (point 50 “It should be noted that the GDPR does not introduce any formal requirements for persons requesting access to data. In order to make the access request, it is sufficient for the requesting persons to specify that they want to know what personal data concerning them the controller processes. Therefore, the controller cannot refuse to provide the data by referring to the lack of indication of the legal basis of the request, especially to the lack of a specific reference to the right of access or to the GDPR […]”, unofficial translation “It should be noted that the General Data Protection Regulation does not introduce any formal requirements for persons requesting access to data. In order to submit the access request, it is sufficient for the requesting person to specify that they wish to know which personal data are being processed by the data controller. Therefore, the data controller cannot refuse to provide the data by referring to the failure to indicate the legal basis, in particular the lack of a specific reference to the right of access or to the GDPR […]").

Even the further observation raised by the Company according to which the requested certificates had expired does not justify the absence of feedback from the data controller who, as already argued, could have (lawfully) limited himself to justifying his inability to comply with the request making known to the interested parties the right, recognized by the law, to lodge an appeal with the ordinary judicial authority or a complaint with the Guarantor.

Among other things, in this regard, we recall the orientation of the jurisprudence of legitimacy, constantly taken up by the Guarantor, according to which the subjective legal position of the worker to access his personal file constitutes a subjective right protectable as such which derives its source from the employment relationship.

According to the judges of legitimacy, in fact, the aforementioned right derives, as well as from the legislation on the protection of personal data, from "respect for the canons of good faith and correctness that is incumbent on the parties to the employment relationship pursuant to articles 1175 and 1375 of the Civil Code, as is confirmed by the fact that, for some time, the collective bargaining of the sector in question provides that the employing company must keep, in a specific personal file, all the deeds and documents produced by the entity or by the employee himself, which relate to the professional career, the activity carried out and the most significant facts concerning him and that the employee has the right to freely view the deeds and documents included in his personal file" (Court of Cassation 7 April 2016, n. 6775).

Furthermore, the right of access "cannot be understood, in a restrictive sense, as the mere right to knowledge of any new and additional data compared to those already entered into the wealth of knowledge and, therefore, in the disposal of the same subject interested in the processing of his own data, given that the purpose of the [right] is to guarantee, to protect the dignity and confidentiality of the interested party, the verification ratione temporis of the insertion, permanence or removal of data, regardless of the circumstance that such events had already been brought to the attention of the interested party in another way, verification implemented through access to the data collected about one's person at any and all times of one's relational life" (Court of Cassation 14 December 2018, n. 32533).

For all the reasons set out, the Company has violated articles 12 and 15 of the Regulation.

Finally, with reference to the complained-of conduct relating to email accounts, it is believed that no evidence of a violation of data protection regulations has emerged; therefore the conditions for the Authority to adopt a measure do not exist, and the complaints are archived with reference to the aforementioned profile, pursuant to articles 140-bis, 142, 143 of the Code, and 8, 9, 11 paragraph 1 of internal regulation no. 1 of 2019.

4.    Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulations.

For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the dismissal of this proceeding, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

The conduct implemented by the Company, which consisted in continuing to process data of the complainants in the header of the company bills following the termination of the employment relationship, even after the specific request for cancellation presented by the interested parties and despite the reassurances provided by the Company, as well as in not providing any response to the access request presented by the complainants on 28 April 2021 and reiterated on 8 May 2021, is in fact unlawful, within the terms set out above, in relation to articles 5, par. 1 letter a), 6, 12, 15 and 17 of the Regulation.

The violation, ascertained within the terms set out in the motivation, cannot be considered "minor", taking into account the nature, the seriousness of the violation itself, the degree of responsibility and the way in which the supervisory authority became aware of the violation (recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the specific case, the application of a pecuniary administrative sanction is ordered pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Company declared that it had adopted new bills without the data of the complainants and that during the proceedings it declared that it was not in possession of the certificates of participation in the basic course for the operation of mobile elevating platforms (MEWP), the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5.    Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" by adopting an injunction order (art. 18, l. 11.24.1981, n. 689) and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides in order for the application of the accessory administrative sanction of its publication, in full or in extract, on the Guarantor's website pursuant to article 166, paragraph 7, of the Code” (article 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this case, the Company has implemented two distinct behaviors, which must be considered separately for the purposes of quantifying the administrative sanction to be applied. Therefore, with reference to each of the aforementioned conducts, the total amount of the sanction is calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5.

Taking into account that the findings referred to in paragraphs 3.2.1 and 3.2.2, relating to the processing of data in company bills and the exercise of the right of access, relate to various violations that took place as a consequence of a single conduct (same treatment or related treatments), art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation.

With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of the application of the pecuniary administrative sanction and the related quantification, taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in this case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered which concerned the principle of lawfulness of processing and the principle of correctness as well as the exercise of the rights of the interested party; the prolonged duration of the violation was also considered;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the data controller, the conduct was taken into consideration which consisted, in one case, in the use of bills containing data relating to the complainants even following the termination of the employment relationship and despite the response provided to the request for cancellation and, in the other case, in not providing a response to the request to exercise the right of access;

c) there are no previous relevant violations committed by the data controller or previous measures referred to in the art. 58 of the Regulation.

It is also believed that, in the specific case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must comply with in determining the amount of the sanction (art. 83, par. 1, of the Regulation), relevance is assumed, firstly, by the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the abbreviated financial statements for the year 2021. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is believed appropriate, in this case, to apply the administrative sanction of the payment of a sum equal to 1,000 (one thousand) euros for each of the violations referred to in the previous paragraphs 3.2.1 and 3.2.2, for a total of 2,000 (two thousand) euros.

In this framework it is also considered, in consideration of the type of violations ascertained which concerned the general principles of processing and the exercise of the rights of the interested party that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019.

GIVEN ALL OF THE ABOVE, THE GUARANTOR

notes the unlawfulness of the processing carried out by 2 Emme.ci Service s.r.l., with registered office in Viale Duodo, 44, Udine, VAT number 02916510304, pursuant to art. 143 of the Code, for the violation of articles 5, par. 1, letter a), 6, 12, 15 and 17 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, 2 Emme.ci Service s.r.l. to pay the sum of 2,000.00 (two thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

ORDERS

2 Emme.ci Service s.r.l. to pay the aforementioned sum of 2,000.00 (two thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981. Please note that the violator remains entitled to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed, within the deadline set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, and believes that the conditions set out in the art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 24 January 2024

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE GENERAL SECRETARY
Mattei

[doc. web no. 9993531]

Provision of 24 January 2024

Register of measures
n. 41 of 24 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councilor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

GIVEN the complaints presented pursuant to art. 77 of the Regulation by Mr. XX and Mr. XX against 2 Emme.ci Service s.r.l.;

EXAMINED the documentation on file;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

PREMISE

1. Complaints against the company and preliminary investigations.

On 1 September 2021, Messrs. XX and XX presented two complaints to the Authority pursuant to art. 77 of the Regulation against 2 Emme.ci Service s.r.l. (hereinafter, the Company), regularized on 8 July 2022, following an invitation to regularize.

The complaints alleged violations of the Regulation and in particular the use, following the termination of the employment relationship, of company bills also showing the names of the complainants, the fact of having kept the XX and XX accounts active "for a good 7 months after the termination of the employment relationship" as well as "the failure to deliver certificates of attendance at a basic course held in 2009 relating to the operation of mobile elevating platforms (MEWPs) carried out by the complainant[s] at Union Teleo s.r.l. as an employee[s] of Ali-car service s.r.l. now Emme ci.service s.r.l. and to date still in possession of the latter with related processing of the personal data of [the] former employees".

On 22 March 2023, the Company, following a request for information dated 8 August 2022, sent again on 20 March 2023, provided its response with reference to the complaint presented by Mr. XX and on that occasion declared that:

- the complainant "worked for 2 EMME.CI., as a maintenance worker from 1 March 2005 until 30 May 2020, the date on which the resignation submitted on 19 May 2020 took effect" (see note 22.3.2023 cit., p. 3);

- “upon termination of the employment relationship, 2 EMME.CI […], with a warning sent by registered mail with return receipt on 8 June 2020 [...], accused the worker of a series of unfair competition behaviors carried out by him to the detriment of the company" (see note cit., p. 3);

- "the dispute relating to the disputed violations and the claim for compensation was settled by the parties in a settlement agreement with the conciliation report signed on 6 August 2020 [...], before the Territorial Labor Inspectorate of Udine-Pordenone" (see note cit., p. 4);

- "during the conciliation the parties declared the definitive extinction of any dispute arising during the employment relationship or connected to it, mutually renouncing any action and expressly attributing to the conciliation report the nature of a general settlement" (see note cit., p. 4);

- "the company 2 EMME.CI no longer processes the personal data of the [complainant]" (see note cit., p. 4);

- "as regards the company email account, referring to the [complainant], it should be highlighted that it was canceled on 28 December 2020 [...]. The company therefore proceeded with the cancellation, giving feedback [...], as soon as it received the relevant request forwarded by the lawyer [of the complainant]” (see note cit., p. 5);

- "the [complainant] was the only person to have access to the company account [attributed to the complainant], as access was protected by a password which has always been available only to the worker. Therefore, the employing company never had the possibility of accessing the e-mail of the [complainant's] company account, neither during the period in which he was employed by the company nor, even less so, in the period following the termination of the employment relationship" (see note cit., p. 5);

- "taking into account the sudden and unexpected resignation of the employee, it may have happened that while waiting to receive the new bills rigorously prepared without any reference to the former employee, some of the old bills were used after the termination of the employment relationship with the [complainant]" (see note cit., p. 5, 6);

- "when on 28 December 2020, through communication from the lawyer [of the complainant], the presence of the bills containing the old reference to the complainant was reported to the undersigned defender, the company promptly proceeded with the elimination of the remaining old bills" (see note cit., p. 6);

- "the Company 2 EMME.CI does not have the certificate relating to participation in the basic course for the operation of elevating platforms carried out in 2009 by the [complainant] and requested by the complainant from the company through his lawyer only in April 2021" (see note cit., p. 6);

- “the company 2 EMME.CI SERVICE s.r.l. was established on 2 February 2018 [...] the participation in the course to which the [complainant] refers took place when he was employed by another company, ALI-CAR SERVICE s.r.l." (see note cit., p. 6, 7);

- "2 EMME.CI delivered the certificate of participation in the course for elevating platforms held in 2018 and which constituted an update of the course held in 2009, while the previous version, invalid and unusable, is available neither to the Company nor to the provider, as the certificate in question has expired, as it lasts four years" (see note cit., p. 7);

- "the Company would not have been required to keep an expired certificate of a former employee for a period exceeding ten years" (see note cit., p. 7);

- "the company immediately responded to the [complainant's] request relating to the certificates of participation in the training courses, transmitting, on the same day of the request, all the certificates available to 2 EMME.CI" (see note cit., p. 7);

- "the company 2 EMME.CI, through the lawyer […], had already responded to the request for access pursuant to art. 15 of the Regulation concerning all the attendance certificates of the [complainant] already dated 26 August and 7 September 2020" (see note cit., p. 8);

- “the company 2 EMME.CI SERVICE s.r.l. has in fact always undertaken to collaborate with the [complainant] to correctly manage the aspects related to the termination of the employment relationship with the same, giving a prompt response to the requests formulated by them" (see note cit., p. 8).

On 3 April 2023, the complainant sent his counterarguments.

On May 11, 2023, the Company, following a further request for information dated April 14, 2023, represented that:

- "the e-mail account [subject of complaint] does not constitute a "company account" in the strict sense, even if, for mere explanatory clarity, in previous writings reference was made to the same account in these terms, having been so named in the complaint filed by the [complainant] through [his lawyer]" (see note 11.5.2023 cit., p. 2);

- “this email address had not been provided, nor created, by 2 EMME.CI, but had rather been activated during the employment relationship by the [complainant] himself, who had created the relevant password for registration and access, without communicating it to the company" (see note cit., p. 2);

- "for this reason, the employing company has never had access to the e-mail contained therein, said password-protected account being available only to the worker, neither in the period in which the complainant was employed by the Company, nor, much less, in the period following the termination of the employment relationship" (see note cit., p. 2);

- "the address was not used for official communications from the Company, which rather used the different addresses XX and [the one assigned to the managing partner], as also proven by the company bills which reported these email accounts, without making any reference to the account [subject of complaint]” (see note cit., p. 2);

- "the former employee, just as he had activated the account in question, could have proceeded with its cancellation at any time" (see note cit., p. 2, 3);

- "during the period between the transfer of the employment relationship and the conciliation which took place before the Territorial Labor Inspectorate of Udine-Pordenone, i.e. from 20 May 2020 until 6 August 2020, the parties were in contact with each other through the respective defenders, in order to reach an agreement to settle any dispute and/or pending matter arising during the employment relationship and [...] in the aforementioned period no request was made to 2 EMME.CI regarding the cancellation of the aforementioned account” (see note cit., p. 3);

- "the request was received, in fact, only after the signing of the conciliation agreement and 2 EMME.CI responded immediately" (see note cit., p. 3);

- "the Company's bills containing the reference to the [complainant's] surname were not prepared after the termination of his employment relationship with the Company, but rather had been ordered and delivered to the same by the supplier when the [complainant] was still employed by 2 EMME.CI.” (see note cit., p. 5);

- "the bills used previously did not, indeed, refer to the [complainant] (who would later resign from 2 EMME.CI in May 2020) but had been updated just before the sudden and unexpected resignation of the worker. For this reason [...] it may have happened that they were mistakenly used after the termination of the employment relationship with the same" (see note cit., p. 5);

- "2 EMME.CI was not in possession of the certificate relating to the basic course for the operation of mobile elevating platforms held in 2009, which expired over a decade ago and carried out by the worker when he was employed by another company, ALI-CAR SERVICE s.r.l. […] 2 EMME.CI has purchased the business unit of ALI-CAR SERVICE s.r.l. with deed of transfer dated 26 April 2018. The same company therefore took over the previous relationships of the transferring company, but could not have been in possession of a certificate that had already expired before the transfer of the business branch (being of a four-year duration) and, probably no longer owned by ALI-CAR SERVICE s.r.l.” (see note cit., p. 6).

On 12 May 2023, the complainant sent an addition to the complaint containing a copy of the page of a Company bill book, referring to an order dated 9 March 2023 (page which is filled in in the part relating to the description of the intervention but in which the box referring to the date is not populated). On 6 August 2023, he sent his counterarguments.

Regarding the complaint presented by Mr. XX, on 6 October 2022 the Company, following a request for information dated 8 August 2022, provided its feedback and on that occasion declared that:

- "the [complainant] worked for 2 EMME.CI., as a maintenance worker from 1 March 2005 until 22 May 2020, the date on which the resignation submitted on 13 May 2020 took effect" (see note 6.10.2022 cit., p. 2);

- "upon the termination of the employment relationship, 2 EMME.CI [...] accused the worker of a series of unfair competition behaviors carried out by him to the detriment of the company" (see note cit., p. 3);

- "the dispute relating to the disputed violations and the claim for compensation was settled by the parties in a settlement with the conciliation report signed on 6 August 2020, no. 166, before the Territorial Labor Inspectorate of Udine-Pordenone, Udine office" (see note cit., p. 3);

- "during the conciliation the parties declared the definitive extinction of any dispute arising during the employment relationship or connected to it, mutually renouncing any action and expressly attributing the nature of a general settlement to the conciliation report" (see note cit., p. 4);

- “the company 2 EMME.CI no longer processes the personal data of the [complainant]. Furthermore, [...] the parties with the conciliation report [...] have definitively settled every issue, none excluded, relating to the existing employment relationship (points 6 and 7 of the agreement), therefore including the data processed in relation to the same" (see note cit., p. 4);

- "as regards the company email account, referring to the [complainant], it should be highlighted that it was canceled on 28 December 2020" (see note cit., p. 4);

- "the company therefore proceeded with the cancellation, giving feedback through [its lawyer], as soon as it received the relevant request forwarded by the lawyer [of the complainant]” (see note cit., p. 4);

- "the [complainant] was the only person to have access to the company account [the subject of the complaint], as access was protected by a password which was always available only to the worker" (see note cit., p. 4, 5);

- "the employing company never had the opportunity to access the e-mail of the [complainant's] company account, neither in the period in which he was an employee of the company, nor, much less, in the period following the termination of the employment relationship” (see note cit., p. 5);

- "taking into account the sudden and unexpected resignation of the employee, it may have happened that while waiting to receive the new bills rigorously prepared without any reference to the former employee, some of the old bills were used after the termination of the employment relationship with the [complainant]” (see note cit., p. 5);

- "when on 28 December 2020, through communication from the lawyer [of the complainant], the presence of the bills containing the old reference to the complainant was reported to the undersigned defender, the company promptly proceeded with the elimination of the remaining old bills" (see note cit., p. 6);

- "The Company 2 EMME.CI does not have the certificate relating to participation in the basic course for the operation of elevating platforms carried out in 2009 by the [complainant] and requested by the complainant from the company through his lawyer only in April 2021. […] the company 2 EMME.CI SERVICE s.r.l. was established on 2 February 2018 [...] the participation in the course to which the [complainant] refers took place when he was employed by another company, ALI-CAR SERVICE s.r.l." (see note cit., p. 6);

- "2 EMME.CI delivered the certificate of participation in the course for elevating platforms held in 2018 and which constituted an update of the course held in 2009, while the previous version, invalid and unusable, is available neither to the Company nor to the granting party, as the certificate in question has expired, as it lasts four years" (see note cit., p. 6, 7);

- "the company immediately responded to the [complainant's] request relating to the certificates of participation in the training courses, transmitting, on the same day of the request, all the certificates available to 2 EMME.CI" (see note cit., p. 7);

- “the company 2 EMME.CI, through [its lawyer], had already responded to the request for access pursuant to art. 15 of the Regulation concerning all the attendance certificates of the [complainant] already dated 26 August and 7 September 2020" (see note cit., p. 8);

- “the company 2 EMME.CI SERVICE s.r.l. has in fact always undertaken to collaborate with the [complainant] to correctly manage the aspects related to the termination of the employment relationship with the same, giving a prompt response to the requests formulated by them" (see note cit., p. 8).

On 3 April 2023, the complainant sent his counterarguments. On 11 May 2023, the Company, following a further request for information dated 14 April 2023, highlighted that:

- "the e-mail account [subject of complaint] does not constitute a "company account" in the strict sense, even if, for mere explanatory clarity, in previous writings reference was made to the same account in these terms, having been so named in the complaint filed by the [complainant] through the lawyer" (see note 11.5.2023 cit., p. 2);

- "this email address had neither been provided nor created by 2 EMME.CI, but had rather been activated by the [complainant's] work colleague, [the other complainant], who created two accounts - for themselves and for their colleague - when they were employed by the Company, as well as the relevant password for registration and access, without communicating it to the company" (see note cit., p. 2);

- "the employing company has never had access to the e-mail contained therein, the password-protected account being available only to the worker, neither in the period in which the complainant was employed by the Company, nor in the subsequent period upon termination of the employment relationship" (see note cit., p. 2);

- "the address was not used for official communications from the Company, which rather used the different addresses XX and [the one assigned to the managing partner], as also proven by the company bills which reported these email accounts, without making any reference to the account [subject of complaint] [...] the former employee could well have proceeded with its cancellation at any time" (see note cit., p. 2, 3);

- "only following the request to delete the account [subject of complaint] forwarded by the lawyer [of the complainant] the Company remembered the existence of the account itself and, having noted that it was evidently still active, took steps to proceed with its cancellation" (see note cit., p. 3);

- "during the period between the transfer of the employment relationship and the conciliation which took place before the Territorial Labor Inspectorate of Udine-Pordenone, i.e. from 22 May 2020 until 6 August 2020, the parties were in contact with each other, through the respective defenders, in order to reach an agreement to settle any dispute and/or pending matter arising during the employment relationship and that in the aforementioned period no request had been made to 2 EMME.CI regarding the cancellation of the aforementioned account. [...] the request was in fact received only after the signing of the conciliation agreement and 2 EMME.CI responded immediately" (see note cit., p. 3);

- "the Company's bills containing the reference to the [complainant's] surname were not prepared after the termination of his employment relationship with the Company, but rather had been ordered and delivered to the same by the supplier when the [complainant] was still employed by 2 EMME.CI” (see note cit., p. 5);

- "the company 2 EMME.CI had no obligation to communicate to the former employee the reasons for the failure to make available a document which it did not possess and, therefore, data which it did not process" (see note cit., p. 7);

- "2 EMME.CI has, among other things, promptly delivered the certificate of participation in the course for elevating platforms held in 2018 and therefore still valid" (see note cit., p. 7).

On 12 May 2023, the complainant sent an addition to the complaint containing a copy of the page of a Company bill book referring to an order dated 9 March 2023 (page which is filled in in the part relating to the description of the intervention with the reference, precisely, to an order dated 9.3.2023, but in which the box referring to the date is not populated). On 6 August 2023 he sent his counterarguments.

2. The opening of the proceedings.

On 1 September 2023, the Office, having assessed all the elements acquired as part of the investigation, following the merger of the procedures relating to the two complaints, carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to arts. 5, par. 1, letter a), 6, 12, 15 and 17 of the Regulation.

On 2 October 2023, the Company presented its defense writings in which it represented that:

- "deals with maintenance, assistance, repair and sale of forklifts, overhead cranes and lifting equipment inside and outside company premises and has a total of four people employed in it, the managing partner [...], the partner and employee […] and two other employed workers” (see note 2.10.2023 cit., p. 2);

- "the share capital amounts to 10,000.00 euros" (see note cit., p. 2);

- "the complained company therefore falls into the category of micro-enterprises, does not process data on a large scale and is, therefore, exempt from the obligation of various obligations, including the appointment of the Data Protection Officer and the data protection impact assessment” (see note cit., p. 2);

- "the few data processed by 2 EMME.CI fall within the so-called common data" (see note cit., p. 2);

- "neither sensitive data nor other types of data which by their nature may be at greater risk in the event of a violation and which, due to their sensitivity, are subject to particular legal processing are processed" (see note cit., p. 2, 3);

- "using the risk parameters established by ENISA as a reference [...] for cases of data breach, possible violations of personal data processed by 2 EMME.CI can, at most, fall into the «low risk» category" (see note cit., p. 3);

- "personal data of the complainants contained in the company bills consisted of the initials of the names [...], their surnames (as well as the company telephone numbers, deactivated upon termination of the employment relationship)" (see note cit., p. 3);

- "the request for access was never formulated by the complainants directly to the Data Controller and, in any case, referred to the certificate relating to a course whose validity had expired over a decade ago, which made the request formulated manifestly unfounded" (see note cit., p. 4);

- "none of the aforementioned violations of the complainants' personal data is capable of causing any prejudice to the former employees" (see note cit., p. 4);

- "the company 2 EMME.CI has always shown itself to be collaborative towards the Guarantor Authority, making itself available to it and providing all the information and clarifications requested" (see note cit., p. 4);

- "the company 2 EMME.CI has never been convicted for violations relating to the processing of personal data, nor have there been complaints relating to non-compliance with the processing of the same, other than those formulated by the [complainants]" (see note cit., p. 4);

- "the [...] defender [of the Company] has always taken steps to communicate to the complainants, through [his lawyer], all the information he was aware of and provided all the documentation available to the company" (see note cit., p. 5);

- "the subjects involved, whose data is being discussed, are only the [complainants] and the subjects who may have become aware of the data - in particular the initials of the name and surname of the complainants although they are no longer part of the staff - there are only a few customers of the company, who, moreover, were already aware of the data of the former employees, as the latter had maintained relationships with the same during their employment relationship with the complained company" (see note cit., p. 5);

- "as regards the intentional or negligent nature of the violation, it is noted that the use of the old bills by the company is the result of a mere forgetfulness on the part of the same in verifying that all the bills in use were replaced with the new ones ongoing and that the old ones, instead, were definitively eliminated. In no way, therefore, can it be considered that the contested conduct could have assumed a malicious nature and, rather, demonstrates, at most, mere negligence on the part of 2 EMME.CI" (see note cit., p. 6);

- "the company, in order to avoid a repetition of the conduct which is assumed to be harmful, has provided itself with new bill books [...], in which [...] there is no longer any reference to the [complainants] and the contact details indicated therein are those of the partner […] and the other employees of 2 EMME.CI” (see note cit., p. 6);

- "it is excluded that the contested conduct may be repeated in the future" (see note cit., p. 6);

- “the request was rather forwarded by the lawyer [of the complainants] to the [...] defender [of the Company], in the context of correspondence relating to another dispute arising between the parties (concerning the unfair competition conduct carried out by former employees). In this communication it was highlighted that its customers had unsuccessfully turned to the CAF CISL FVG to obtain certificates relating to the basic course for the operation of mobile elevating platforms (carried out by the [complainants] in 2009). She therefore turned to the company's defender to obtain the aforementioned documents, assuming, without any foundation, that 2 EMME.CI was in possession of the certificates in question" (see note cit., p. 7);

- “the art. 12 of the Regulation […] in fact provides that, if the requests of the interested party are manifestly unfounded or excessive, the Data Controller may, among other things, refuse to satisfy the request. Furthermore, in the communication received, the lawyer [of the complainants] did not specify in any way that the same was formulated as a request for access pursuant to art. 15 of the Regulation” (see note cit., p. 7);

- "although the Regulation [...] does not establish specific formal requirements, it is at least appropriate that the request is made using the most appropriate communication channels and is formulated in a clear and understandable way also for the person receiving the request, so that he can perceive its nature" (see note cit., p. 8);

- “[the] defender [of the Company] and the lawyer [of the complainants] were in frequent telephone contact at that time for the resolution of the dispute pending between the parties in relation to the acts of unfair competition carried out by the complainants to the detriment of the company and already in that context the groundlessness of such claims" (see note cit., p. 8);

- "2 EMME.CI had promptly delivered both the certificates of participation in the course for elevating platforms held in 2018 and which were still valid, as well as any other certificate in the company's possession regarding the [complainants]. This circumstance certainly demonstrates the good faith of the claimed company which, despite everything, made available to the appellants what it had in its possession" (see note cit., p. 9).

3. The outcome of the investigation.

3.1. Established facts and observations on the legislation regarding the protection of personal data.

Given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", based on the elements acquired during the preliminary investigation as well as the subsequent evaluations of this Department, it is ascertained that the Company, as data controller, has behaved in a way that does not comply with data protection regulations with reference to the processing of the complainants' data in its bill books following the termination of the employment relationship and by not providing adequate feedback to the requests to exercise rights presented by the complainants.

In this regard, it is noted that on the basis of data protection regulations it is necessary that the processing of personal data is carried out in compliance with the general principles set out in the art. 5 of the Regulation.

In accordance with the principle of lawfulness of processing, so-called common personal data can be processed in the presence of a suitable condition of lawfulness among those indicated by art. 6 of the Regulation.

The art. 12 of the Regulation, to be read also in conjunction with the rules relating to the specific rights recognized by the law to the interested party, provides that "the data controller adopts appropriate measures to provide the interested party with all the information referred to in articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, in simple and clear language […]. The information is provided in writing or by other means, including, where appropriate, by electronic means. If requested by the interested party, the information may be provided orally, provided that the identity of the interested party is proven by other means” (para. 1).

It is also provided that "the data controller facilitates the exercise of the rights of the interested party pursuant to articles 15 to 22" (para. 2).

Paragraph 3 of the same article specifies that "the data controller provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests. The data controller informs the interested party of this extension, and of the reasons for the delay, within one month of receiving the request. If the interested party submits the request by electronic means, the information is provided, where possible, by electronic means, unless otherwise indicated by the interested party".

According to paragraph 4 of the same article, the data controller, if he does not comply with the request of the interested party, "informs the interested party without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of lodging a judicial appeal".

Based on the art. 15 of the Regulation "the interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, in this case, to obtain access to the personal data" and to a series of information indicated in the same article (para. 1). Furthermore, based on par. 3 of the same article “the data controller provides a copy of the personal data being processed. […] If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in an electronic and commonly used format” (para. 3).

Art. 17 of the Regulation provides that "The interested party has the right to obtain from the data controller the deletion of personal data concerning him without unjustified delay and the data controller has the obligation to delete the personal data without unjustified delay, if there is one of the reasons [indicated in the same article]".

3.2. Violations confirmed.

Based on the elements acquired during the preliminary investigation as well as the subsequent assessments of this Department, it is established that the Company has engaged in conduct in conflict with the data protection regulations towards the two complainants.

First of all, it is recalled that the power of investigation attributed to the Guarantor is not subordinate to the initiative of a party; the same art. 57 of the Regulation, among the multiple tasks recognized to the supervisory authorities regarding the protection of personal data, indicates, in addition to the handling of complaints lodged by an interested party (see art. 57 par. 1 letter f) of the Regulation), also that of monitoring and ensuring the application of the Regulation (see art. 57 par. 1 letter a) of the Regulation).

In this regard, internal regulation no. 1 of 2019 (concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data) specifies in the art. 21 (“Controls and measures adopted without request from a party”) that “In the exercise of control tasks or in any case exercisable by the Guarantor, having evaluated the elements in its possession and even in the absence of a complaint, report or notification of violation of personal data, the Authority may officially initiate a preliminary investigation to verify the existence of suitable elements regarding possible violations of the relevant regulations on the protection of personal data".

Again as a preliminary matter, given what was stated by the Company regarding the conciliation reached between the parties before the Labor Inspectorate, reference is made to the provisions of art. 2113 c.c. (“The waivers and transactions, which have as their object rights of the employee deriving from mandatory provisions of the law and collective contracts or agreements concerning the relationships referred to in article 409 of the code of civil procedure, are not valid”) and, in any case, it is underlined that the facts complained of in the complaint occurred subsequent to, or in any case continued even after, the aforementioned conciliation between the parties on 6 August 2020. Considering this, what the Company asserts regarding the conciliation is not relevant to the subject of the complaints presented to the Authority.

3.2.1. Processing of complainants' data in the header of bills.

The conduct of the Company does not comply with data protection regulations, in particular as the Company has continued to process the data of the complainants (initial of the full name and surname) in its bill books - particularly in the header of the latter, within the contact details of the Company's technicians who can be contacted - even after the termination of the employment relationship (which occurred on 30.5.2020 as regards one of the two complainants and on 22.5.2020 as regards the other).

This is in the absence of a suitable legal basis, therefore in violation of art. 6 of the Regulation, given that the data processed are among the so-called common data, an article which constitutes a direct corollary of the principle of lawfulness of the processing set out in art. 5 par. 1 letter a) of the Regulation.

With regard to the conditions of lawfulness of the processing, it is recalled that, within the scope of the employment relationship, the employer carries out - as a rule - the processing necessary for the execution of the employment contract and to fulfill the obligations deriving from the sector-specific labor regulations (see art. 6, par. 1, letters b) and c), of the Regulation).

None of the aforementioned conditions can be considered the basis of the processing of complainants' data carried out by the Company in the heading of bill books following the termination of the employment relationship.

In relation to the aforementioned conduct, it is also noted that the Company did not act in accordance with the provisions of articles 12 and 17 of the Regulation as well as the principle of correctness (art. 5 par. 1 letter a) of the Regulation): in response to the request for cancellation presented by the complainants (dated 28.12.2020) the Company, in fact, although it communicated to them, through their lawyer (on 12.30.2020), that "it is true that completely inadvertently my client continued to use old bills printed in December 2019 containing the data highlighted by you [...]; […] these are old bills and not new bills which will obviously no longer be used. The old bills will be immediately eliminated", has, however, continued to use, following this confirmation, bills also containing the personal data (initial of the full name and surname) of the complainants, as emerges from the documentation on file (including the bill of 14.12.2020, of 15.12.2020, 13.7.2021, 29.11.2021, 17.12.2021; furthermore, a bill bearing the heading in question has been filled out referring, although not in the box relating to the date, to an order dated 9.3.2023).

3.2.2. Right of access to data.

The conduct that the Company has adopted with reference to the request to exercise the right of access to data presented by the complainants is also contrary to data protection regulations.

In particular, it was ascertained that the Company did not provide adequate feedback to the request for access to the basic course certificates for the operation of mobile elevating platforms (MEWP) formulated by the complainants on 28 April 2021 and reiterated on 8 May 2021.

The conduct of the Company, given, among other things, art. 2112 c.c. (“Maintenance of workers' rights in the event of company transfer”), is in conflict with the provisions of articles 12 and 15 of the Regulation: based on art. 12 par. 4 of the Regulation, if the data controller believes that he cannot satisfy the request to exercise the rights presented by the interested party (including the right of access pursuant to art. 15 of the Regulation), he is required to communicate to the applicant without delay and, at the latest, within one month of receipt of the request "the reasons for non-compliance and [the] possibility of lodging a complaint with a supervisory authority and bringing a judicial appeal".

In this case, in fact, although the Company, based on what it declared, was not in possession of the requested document, also considering that, again based on what it declared, the aforementioned certificate had expired for more than a decade, it should have provided feedback to the complainants' request, albeit limited to informing them of the reasons for the refusal as well as the possibility of submitting a complaint to the Guarantor for the protection of personal data or appealing to the ordinary judicial authority.

This is in compliance with the requirements of the art. 12 of the Regulation also with reference to the requests referred to in art. 15 of the Regulation. However, it does not appear that the Company has provided any type of feedback, not even expressing its refusal, in response to the request of 28 April 2021, reiterated on 8 May 2021.

The feedback provided by the Company to the complainants on 26 August 2020 and 7 September 2020 is, in fact, prior to the requests of 28 April and 8 May 2021 and contains no indication of the impossibility, with the reasons for it, of delivering to the complainants the basic course certificates for operating mobile elevating platforms.

Furthermore, the Company's finding that it was not required to acknowledge the request to exercise the right of access as it had been presented to the Company's lawyer cannot be accepted.

This is because the request was not sent to any third party, but to the Company's lawyer with whom the complainants' lawyer, also according to what was declared by the Company - a circumstance confirmed by the documentation on file -, was in contact to resolve various issues relating to the relationship between the Company and the complainants following the termination of the employment relationship.

In fact, it is the same lawyer of the Company who, with respect to the requests of 25 August 2020 and 7 August 2020 presented by the complainants' lawyer, provided feedback on 26 August and 7 September 2020.

In this regard, it is also underlined, in any case, that the Regulation does not impose any requirements on interested parties regarding the format of the request for access to personal data.

In this regard, the Guidelines 01/2022 on data subject rights – Right of access, EDPB, 28 March 2023, clarified that interested parties are not obliged to adopt a certain format to present requests to exercise the right of access (see Guidelines 01/2022 cit., point 52 "the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are, in principle, no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller", unofficial translation "the General Data Protection Regulation does not impose any requirements on data subjects regarding the format of the request for access to personal data. Therefore, in principle, there are no requirements that the interested party is required to comply with when choosing a communication channel through which to contact the data controller").

The aforementioned Guidelines also provide that the access request can be presented by a third party and in this regard specify that the data controller is responsible for verifying the identity of the third party acting in the name and on behalf of the interested party and his authorization.

To this end, the aforementioned Guidelines refer to national laws on legal representation (see Guidelines 01/2022 cit., point 80 "Although the right of access is generally exercised by the data subjects as it pertains to them, it is possible for a third party to make a request on behalf of the data subject. […] This may apply to, among others, acting through a proxy or legal guardians on behalf of minors, as well as acting through other entities via online portals. In some circumstances, the identity of the person authorized to exercise the right of access as well as authorization to act on behalf of the data subject may require verification, where it is suitable and proportionate”, unofficial translation “Although the right of access is generally exercised by the interested party as it falls within his competence, a third party may submit a request on behalf of the interested party. This can occur, among other things, through a representative or a legal guardian on behalf of minors, as well as the intermediary of other subjects through online portals. In such situations, the identity of the person authorized to exercise the right of access and the authorization to act on behalf of the data subject require authentication/verification, where appropriate and proportionate”; point 81 “In doing so, national laws governing legal representation (e.g. powers of attorney), which may impose specific requirements for demonstrating authorization to make a request on behalf of the data subject, should be taken into account […]. In accordance with the principle of accountability, as well as of the other data protection principles, controllers shall be able to demonstrate the existence of the relevant authorization to make a request on behalf of the data subject, and to receive the requested information, except if national law differs (e.g. national law contains specific rules regarding the trustworthiness of lawyers) leaving the controller to verify the identity of the proxy (e.g. in the case of lawyers checking enrollment at the bar) […]”, unofficial translation “To this end, national laws governing legal representation (e.g. powers of attorney) should be taken into account, which may impose specific requirements to demonstrate authorization to make a request on behalf of the data subject […]. In accordance with the principle of accountability and other data protection principles, data controllers must be able to demonstrate the existence of the relevant authorization to submit a request on behalf of the data subject, unless national law provides otherwise (for example, specific rules on the reliability of lawyers) leaving the data controller with the sole obligation to verify the identity of the delegate (for example, in the case of lawyers, verifying registration in the relevant register) [...]").

Furthermore, the complainants' request was clear in content, even though there was no explicit reference to the art. 15 of the Regulation.

In this regard, the aforementioned Guidelines 01/2022 on data subject rights - Right of access specify that it is not necessary for the request to exercise the right of access to contain the reference to art. 15 of the Regulation if the content of the same is clear (point 50 “It should be noted that the GDPR does not introduce any formal requirements for persons requesting access to data. In order to make the access request, it is sufficient for the requesting persons to specify that they want to know what personal data concerning them the controller processes. Therefore, the controller cannot refuse to provide the data by referring to the lack of indication of the legal basis of the request, especially to the lack of a specific reference to the right of access or to the GDPR […]”, unofficial translation “It should be noted that the General Data Protection Regulation does not introduce any formal requirements for persons requesting access to data. In order to submit the access request, it is sufficient for the requesting person to specify that they wish to know which personal data are being processed by the data controller. Therefore, the data controller cannot refuse to provide the data by referring to the failure to indicate the legal basis, in particular the lack of a specific reference to the right of access or to the GDPR […]").

Even the further observation raised by the Company according to which the requested certificates had expired does not justify the absence of feedback from the data controller who, as already argued, could have (lawfully) limited himself to justifying his inability to comply with the request making known to the interested parties the right, recognized by the law, to lodge an appeal with the ordinary judicial authority or a complaint with the Guarantor.

Among other things, in this regard, we recall the orientation of the jurisprudence of legitimacy, constantly taken up by the Guarantor, according to which the subjective legal position of the worker to access his personal file constitutes a subjective right protectable as such which derives its source from the employment relationship.

According to the judges of legitimacy, in fact, the aforementioned right derives, as well as from the legislation on the protection of personal data, from "respect for the canons of good faith and correctness that is incumbent on the parties to the employment relationship pursuant to articles. 1175 and 1375 of the Civil Code, as is confirmed by the fact that, for some time, the collective bargaining of the sector in question provides that the employing company must keep, in a specific personal file, all the deeds and documents produced by the entity or by the employee himself, which relate to the professional career, the activity carried out and the most significant facts concerning him and that the employee has the right to freely view the deeds and documents included in his personal file" (Court of Cassation 7 April 2016, n. 6775).

Furthermore, the right of access "cannot be understood, in a restrictive sense, as the mere right to knowledge of any new and additional data compared to those already entered into the wealth of knowledge and, therefore, in the disposal of the same subject interested in the processing of the own data, given that the purpose of the [right] is to guarantee, to protect the dignity and confidentiality of the interested party, the verification ratione temporis of the insertion, permanence or removal of data, regardless of the circumstance that such events had already been brought to the attention of the interested party in another way, verification implemented through access to the data collected about one's person at any and all times of one's relational life" (Court of Cassation 14 December 2018, n. 32533).

For all the reasons set out, the Company has violated articles 12 and 15 of the Regulation.

Finally, with reference to the complained of conduct relating to email accounts, it is believed that no evidence of a violation of data protection regulations has emerged, therefore the conditions for adopting a measure by the Authority do not exist and the complaints are therefore archived with reference to the aforementioned profile, pursuant to articles 140-bis, 142, 143 of the Code, 8, 9, 11 paragraph 1 of internal regulation no. 1 of 2019.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulations.

For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller, during the investigation, do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the dismissal of this proceeding, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

The conduct implemented by the Company, which consisted in continuing to process data of the complainants in the header of the company bills following the termination of the employment relationship, even after the specific request for cancellation presented by the interested parties and despite the reassurances provided by the Company, as well as in not providing any response to the access request presented by the complainants on 28 April 2021 and reiterated on 8 May 2021, is in fact unlawful, within the terms set out above, in relation to articles 5, par. 1 letter a), 6, 12, 15 and 17 of the Regulation.

The violation, ascertained within the terms set out in the motivation, cannot be considered "minor", taking into account the nature, the seriousness of the violation itself, the degree of responsibility and the way in which the supervisory authority became aware of the violation (recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the specific case, the application of a pecuniary administrative sanction is ordered pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Company declared that it had adopted new bills without the data of the complainants and that during the proceedings it declared that it was not in possession of the certificates of participation in the basic course for the operation of mobile elevating platforms (MEWP), the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" by adopting an injunction order (art. 18, l. 11.24.1981, n. 689) and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the Guarantor's website pursuant to article 166, paragraph 7, of the Code” (article 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this case, the Company has implemented two distinct behaviors, which must be considered separately for the purposes of quantifying the administrative sanction to be applied. Therefore, with reference to each of the aforementioned conducts, the total amount of the fine is calculated so as not to exceed the legal maximum provided for by the same art. 83, par. 5.

Taking into account that the findings referred to in paragraphs 3.2.1 and 3.2.2., relating to the processing of data in company bills and the exercise of the right of access, relate to various violations that took place as a consequence of a single conduct (same treatment or related treatments), art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation.

With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of the application of the pecuniary administrative sanction and the related quantification, taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in this case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered which concerned the principle of lawfulness of processing and the principle of correctness as well as the exercise of the rights of the interested party; the prolonged duration of the violation was also considered;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the data controller, the conduct was taken into consideration which consisted, in one case, in the use of bills containing data relating to the complainants even following the termination of the employment relationship and despite the response provided to the request for cancellation and, in the other case, in not providing a response to the request to exercise the right of access;

c) there are no previous relevant violations committed by the data controller or previous measures referred to in the art. 58 of the Regulation.

It is also believed that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must comply with in determining the amount of the sanction (art. 83, par. 1, of the Regulation), relevance in the specific case is assumed, firstly, by the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the abbreviated financial statements for the year 2021. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is believed, in this case, appropriate to apply the administrative sanction of the payment of a sum equal to 1,000 (one thousand) euros, for each of the violations referred to in the previous paragraphs 3.2.1 and 3.2.2., for a total of 2,000 (two thousand) euros.

In this framework it is also considered, in view of the type of violations ascertained, which concerned the general principles of processing and the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019.

IN LIGHT OF THE FOREGOING, THE GUARANTOR

notes the unlawfulness of the processing carried out by 2 Emme.ci Service s.r.l., with registered office in Viale Duodo, 44, Udine, VAT number 02916510304, pursuant to art. 143 of the Code, for the violation of articles 5, par. 1, letter a), 6, 12, 15 and 17 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, 2 Emme.ci Service s.r.l. to pay the sum of 2,000.00 (two thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

ORDERS

2 Emme.ci Service s.r.l. to pay the aforementioned sum of 2,000.00 (two thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981. Please note that the violator remains entitled to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed, within the deadline set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, and believes that the conditions set out in the art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 24 January 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei