Garante per la protezione dei dati personali (Italy) - 10122998
From GDPRhub
| Garante per la protezione dei dati personali - 10122998 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 12(3) GDPR Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 25.06.2024 |
| Decided: | 27.02.2025 |
| Published: | |
| Fine: | n/a |
| Parties: | Security Service s.r.l. |
| National Case Number/Name: | 10122998 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | GPDP (in IT) |
| Initial Contributor: | cci |
The DPA issued a warning against a company for failing to respond timely to a former employee's access request. The DPA clarified that the right of access applies to all personal data, including information already known to the data subject.
English Summary
Facts
In 2024 an individual (the data subject) filed an access request with his former employer Security Service s.r.l. (the controller). The data subject requested access to two of his employment contracts, as well as two pay slips for each year of employment.
The controller failed to reply despite the data subject's reminder two months later. The controller eventually filed a complaint with the DPA. After the complaint was filed, the controller honored the data subject's request.
During the procedure, the controller claimed that it was no longer the controller of the data subject's data because he was not longer its employee. For this reason, the controller argued that it was no longer required to respond to the data subject's request.
The controller also claimed that the documents, requested by the data subject, had already been provided to him during the employment relationship. On this basis, the controller argued that the data subject's request was unfounded and could be refused under Article 12(5) GDPR.
Holding
The DPA held that an employer is a controller of employee data for as long as it controls the personal data of employees. So, the end of the employment relationship does not automatically release the employer from its obligations under the GDPR: this is only the case when the employer has erased or anonymized the data. In this regard, the DPA referenced the EDPB Guidelines on the right of access[1].
The DPA also held that the data subject's access request was not unfounded. In this regard, the DPA reference the case law of Corte di Cassazione[2] (Italy's last instance court). According to Cassazione, the right of access is not merely the right to learn new information; instead, it covers all personal data, including information already known to the data subject.
For these reasons, the DPA held that the controller failed to respond to the data subject's request in a timely manner. So, the DPA issued a warning for violating Articles 12(3) and 15 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10122998] Provision of 27 February 2025 Register of provisions no. 93 of 27 February 2025 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General; HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”); HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”); HAVING SEEN the complaint submitted by Mr. XX on 07/01/2024, pursuant to art. 77 of the Regulation, which complained of a violation of the rules on personal data protection by Security Service s.r.l.; HAVING EXAMINED the documentation in the files; HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000; REPORTER Prof. Ginevra Cerrina Feroni; WHEREAS 1. The complaint against the Company and the initiation of the investigation. With the complaint submitted to this Authority on 01/07/2024, Mr. XX complained that he had submitted a request to exercise his rights against Security Service s.r.l. (hereinafter “the company”) formulated pursuant to art. 15 of EU Regulation 679/2016, and that he had not received a timely response. In particular, with the request notified by email on 09/05/2023 and subsequently requested on 10/17/2023, the complainant requested access to his personal data and, in particular, to those contained in the following documentation: “first employment contract January 2015; subsequent permanent contract; two pay slips for each working year from January 2015 to July 2019”. These requests remained unanswered by the Company. With a note dated 01/02/2024, the Guarantor invited the Company to provide observations, in relation to the facts that are the subject of the complaint, as well as to adhere to the request to exercise the rights advanced by the complainant. The Company, with the note dated 13/02/2024, acknowledged the invitation received from this Authority, stating that: - “the cessation of the use of the personal data [of the interested party] exempts the undersigned from the duties envisaged for the case of processing and from any burden even of identification of the same pursuant to art. 11 Regulation no. 2016/679 EU”; - “the request [of the interested party] was examined by us and revealed to be relevant to documents that had already been delivered: The first fixed-term employment contract was delivered on 01/17/2015 and signed for receipt [by the interested party], the same occurred on 02/17/15 for the extension of said contract as well as on 05/30/15 for the permanent contract, the pay slips were delivered using a personal password assigned [to the interested party] to access our digital platform. The correspondence between the undersigned and [the interested party] as well as the appeal pursuant to art. 414 c.p.c. filed by the aforementioned person prove that delivery took place”; - “the above observations demonstrate the groundlessness of the complaint and the abusive nature of the request since it is pertinent to documentation already provided [to the interested party] during the employment relationship, with manifest repetitiveness that allows not to follow up on the request also pursuant to art. 12 of Regulation no. 2016/679/EU”; - “out of respect for the Guarantor Authority and in order to avoid longer proceedings, the requested documents relating to the employment relationship [of the interested party] and the pay slips from 2015 to 2019 are attached hereto in the amount of two per year as requested; as well as the documentation certifying the termination of the employment relationship as well as the appeal pursuant to art. 414 of the Italian Code of Civil Procedure and certifying possession of the pay slips by [the interested party]”. 2. The initiation of the proceedings. For the above, the Office notified the Company, with a note dated 06/25/2024, of the act of initiation of the proceeding, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of arts. 12, par. 3, and 15 of the Regulation. On 07/08/2024, the Company sent its defensive documents, pursuant to art. 18 of Law no. 689/1981, with which he argued that: - “[the interested party] renounced the complaint and the proceedings in question with a note dated 06.26.24 already sent to you by the aforementioned and which is attached to this. With said note [the interested party] also declared that he had found the documents for which he initiated the complaint on the occasion of the filing of the legal action in January 2024, i.e. filed before the notification of the complaint to the undersigned and the response referred to in our note dated 02.09.24”; - “The renouncement [of the interested party] eliminates the interest in continuing the proceedings and creates the need for its archiving without issuing provisions, much less to the detriment of the undersigned”; - “It should, however, be reiterated that the employment relationship [of the interested party] ended due to resignation on 07.23.19, the date from which both the needs and reasons legitimizing the processing of the personal data of the aforementioned by us ceased; as well as the authorization already granted to us [by the interested party], limited to the period of service, for the processing of his data”; - “From the date of 07.23.19, the undersigned does not carry out any processing of the personal data [of the interested party] nor is it legitimized and authorized to do so and cannot, therefore, be identified as the owner/responsible for the processing of the aforementioned personal data. With the further consequence that from 07.23.19, the undersigned is not subject to the obligations already deriving from this position”; - “Cass. Civ. n. 32533 of 2018 cited in the note in response has ruled on cases relating to employees in service who, precisely during the employment relationship, had not received access to certain documents. The ruling confirms that the employer is subject to the obligations arising from the processing of employees' personal data, as the data controller, only when the employment relationships are in place since only during the employment relationship does the need and legal cause exist that legitimises the employer's use of the related personal data, thus identifying him as the data controller. In these terms, art. 88 of Reg. n.2016/679/EU which limits the protection and processing of employees' data within the scope of the employment relationship, i.e. exclusively during it. Otherwise, imposing on the employer the processing of data of workers who have now ceased service would be not only abusive because it lacks a cause but also in clear violation of art. 41 of the Constitution, causing the company to be subjected to extremely burdensome, albeit unjustified, burdens”; - “Hence the groundlessness of the complaint presented [by the interested party] who had already received the documents during the employment relationship and certainly before the complaint itself and had no right, in any case, to demand from the undersigned the fulfillment of the obligations foreseen for the data controller for the termination of his employment relationship and with this any legitimacy of the undersigned in this regard pursuant to art. 6 and 11 of Reg. n.2016/679 EU, no longer holding the position of data controller already held during the employment relationship”; - “It is quite gradually highlighted that the same [interested party] has acknowledged having "found" the documents which, therefore, had already been delivered to the aforementioned during the employment relationship. Furthermore, this is the first and only case of a complaint to this Authority notified to the undersigned, a circumstance which demonstrates the extreme levity and the absolute lack of intentionality of the conduct, to this end it must be considered that the undersigned's staff exceeds one thousand units. The methods used by the undersigned to allow employees to access documents and work information - namely the personal password given to each employee that allows immediate connection to the digital platform for collecting documentation - demonstrates the full implementation of measures to protect personal data and, at the same time, immediate collection of the same by the interested parties"; - "Finally, the documents requested [by the interested party] (employment contract and some pay slips) collect technical data without falling into the category of personal data, much less special data, which confirms the minimal importance of the conduct unjustly attributed to the undersigned to be examined also taking into account the immediate cooperation shown to the Authority in question through the delivery of the documents attached to the previous note of 13.02.24". 3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures. : Following the examination of the statements made to the Authority during the proceedings and the documentation acquired, it appears that the Company, as data controller, has carried out some processing operations, relating to the complainant, which are not compliant with the regulations on the protection of personal data. In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor". On the merits, it emerged that the Company did not respond to the request to exercise the rights, presented by the complainant pursuant to art. 15 of the Regulation, and that, only following the submission of the complaint and the opening of the investigation by the Guarantor, was access to the personal data and further information relating to the employment relationship with the party granted. The fulfillment therefore occurred beyond the deadline set by art. 12, par. 3 of the Regulation, which provides that the data controller must provide "the data subject with information relating to the action taken on a request pursuant to Articles 15 to 22 without undue delay and, in any event, no later than one month after receipt of the request". In particular, from the documents of the investigation it is noted that the Company did not adequately respond to the request for access pursuant to art. 15 of the Regulation submitted by the complainant in relation to the personal data contained in the following documentation: "first employment contract January 2015; subsequent permanent contract; two pay slips for each working year from January 2015 to July 2019". It should be noted that if the owner cannot or does not deem it necessary to follow up on a request to exercise rights (including, therefore, those to exercise the right of access), he must in any case communicate to the interested party the specific reasons for the refusal, as well as the possibility of filing a complaint with the Guarantor or appealing to the ordinary judicial authority pursuant to art. 12 par. 4 of the Regulation. In this case, the Company did not follow the aforementioned conduct. Furthermore, as confirmed by the actions taken by the Company during the investigation, the Company was able to recover the documentation containing the personal data relating to the interested party and the subject of a specific request for access. In this regard, it is emphasized that the aforementioned EDPB Guidelines 1/2022 on the rights of data subjects - Right of access regarding the subject matter of the request for access to data specify that "the assessment of the data being processed reflects as closely as possible the situation at the time the data controller receives the request, and the response should include all data available at that time. This means that the data controller must try to identify all data processing activities concerning the data subject without undue delay. Data controllers are therefore not required to provide personal data that they have processed in the past but no longer have. For example, the data controller may have deleted personal data in accordance with its data retention policy and/or legal provisions and therefore may no longer be able to provide the requested personal data. It should be recalled in this context that the period of time for which the data are retained should be established in accordance with Article 5, paragraph 1, letter e), GDPR, since any retention of data must be objectively justifiable” (see point 37, par. 2.3.3.)”. This therefore confirms that if the controller still has the personal data of the data subject, he is required to satisfy the requests made pursuant to Articles 15-22 of the Regulation. In fact, the interruption of the employment relationship does not necessarily coincide with the cessation of the processing of the worker’s personal data. With regard to the circumstance that, according to what was claimed, the data subject had already received the requested documentation during the employment relationship and therefore the Company was excluded from the obligation to respond to the request to exercise the rights under Article 15 of the Regulation, it is noted that this assumption is unfounded. In fact, this is not one of those cases in which the data controller can refrain from providing the interested party with information relating to the action taken in relation to his/her request, pursuant to art. 12 of the Regulation. On this point, we recall what has already been established by the legitimate case law, according to which the right of access to one's personal data, even in the context of the employment relationship, "cannot be understood, in a restrictive sense, as the mere right to know any new and additional data with respect to those already entered into the knowledge base and, therefore, in the disposition of the same subject interested in the processing of their data, given that the purpose of the rule [which attributes the relative right] is to guarantee, in order to protect the dignity and confidentiality of the interested party, the verification ratione temporis of the insertion, permanence or removal of data, regardless of the circumstance that such events had already been brought to the attention of the interested party in another way" (see Court of Cassation 14/12/2018, no. 32533). 4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation. For the above reasons, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are therefore unsuitable to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. It is therefore established that the conduct carried out by the data controller, with reference to the failure to respond to the request for access presented by the complainant, is in fact unlawful, in the terms set out above, in relation to art. 12, par. 3, and 15 of the Regulation. Having taken note of all the elements acquired during the investigation, in particular taking into account the negligent nature of the infringement, the absence of previous relevant infringements and the overall conduct of the data controller, also taking into account the specific circumstances of the case, in particular the fact that, with the note of 26/06/2024, the interested party renounced the complaint and, pending the proceedings, found the requested documentation, before the notification of the complaint against the company, it is considered that the case can be classified as a "minor infringement" pursuant to art. 83, par. 2 and recital 148 of the Regulation. Also taking into account that, pursuant to recital 148 of the Regulation, "in the case of a minor infringement or if the financial penalty that would have to be imposed would constitute a disproportionate burden for a natural person, a warning could be issued instead of imposing a financial penalty", it is considered sufficient to warn the data controller pursuant to art. 58, par. 2, letter b), of the Regulation. It is also stated that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met. GIVEN ALL THE ABOVE, THE GUARANTOR determines the unlawfulness of the processing carried out by Security Service s.r.l., with registered office in Rome, Via Cristoforo Colombo, 163, P.I. 01281061000, pursuant to art. 143 of the Code, for the violation of arts. 12, par. 3, and 15 of the Regulation; pursuant to art. 58, par. 2, letter b), of the Regulation warns Security Service s.r.l., as the data controller in question, for having processed personal data in violation of the regulations on the protection of personal data; ORDERS the annotation in the internal register of the Authority of the violations and measures adopted pursuant to art. 58, par. 2, of the Regulation with this provision, as provided for by art. 17 of the Regulation of the Guarantor no. 1/2019. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 27 February 2025 THE PRESIDENT Stanzione THE REPORTER Cerrina Feroni THE SECRETARY GENERAL Mattei [web doc. no. 10122998] Measure of 27 February 2025 Register of measures no. 93 of 27 February 2025 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, Secretary General; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”); HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”); HAVING SEEN the complaint submitted by Mr. XX on 07/01/2024, pursuant to art. 77 of the Regulation, which complained of a violation of the rules on personal data protection by Security Service s.r.l.; HAVING EXAMINED the documentation in the files; HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000; REPORTER Prof. Ginevra Cerrina Feroni; WHEREAS 1. The complaint against the Company and the initiation of the investigation. With the complaint submitted to this Authority on 01/07/2024, Mr. XX complained that he had submitted a request to exercise his rights against Security Service s.r.l. (hereinafter “the company”) formulated pursuant to art. 15 of EU Regulation 679/2016, and that he had not received a timely response. In particular, with the request notified by email on 09/05/2023 and subsequently requested on 10/17/2023, the complainant requested access to his personal data and, in particular, to those contained in the following documentation: “first employment contract January 2015; subsequent permanent contract; two pay slips for each working year from January 2015 to July 2019”. These requests remained unanswered by the Company. With a note dated 01/02/2024, the Guarantor invited the Company to provide observations, in relation to the facts that are the subject of the complaint, as well as to adhere to the request to exercise the rights advanced by the complainant. The Company, with the note dated 13/02/2024, acknowledged the invitation received from this Authority, stating that: - “the cessation of the use of the personal data [of the interested party] exempts the undersigned from the duties envisaged for the case of processing and from any burden even of identification of the same pursuant to art. 11 Regulation no. 2016/679 EU”; - “the request [of the interested party] was examined by us and revealed to be relevant to documents that had already been delivered: The first fixed-term employment contract was delivered on 01/17/2015 and signed for receipt [by the interested party], the same occurred on 02/17/15 for the extension of said contract as well as on 05/30/15 for the permanent contract, the pay slips were delivered using a personal password assigned [to the interested party] to access our digital platform. The correspondence between the undersigned and [the interested party] as well as the appeal pursuant to art. 414 c.p.c. filed by the aforementioned person prove that delivery took place”; - “the above observations demonstrate the groundlessness of the complaint and the abusive nature of the request since it is pertinent to documentation already provided [to the interested party] during the employment relationship, with manifest repetitiveness that allows not to follow up on the request also pursuant to art. 12 of Regulation no. 2016/679/EU”; - “out of respect for the Guarantor Authority and in order to avoid longer proceedings, the requested documents relating to the employment relationship [of the interested party] and the pay slips from 2015 to 2019 are attached hereto in the amount of two per year as requested; as well as the documentation certifying the termination of the employment relationship as well as the appeal pursuant to art. 414 of the Italian Code of Civil Procedure and certifying possession of the pay slips by [the interested party]”. 2. The initiation of the proceedings. For the above, the Office notified the Company, with a note dated 06/25/2024, of the act of initiation of the proceeding, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of arts. 12, par. 3, and 15 of the Regulation. On 07/08/2024, the Company sent its defensive documents, pursuant to art. 18 of Law no. 689/1981, with which he argued that: - “[the interested party] renounced the complaint and the proceedings in question with a note dated 06.26.24 already sent to you by the aforementioned and which is attached to this. With said note [the interested party] also declared that he had found the documents for which he initiated the complaint on the occasion of the filing of the legal action in January 2024, i.e. filed before the notification of the complaint to the undersigned and the response referred to in our note dated 02.09.24”; - “The renouncement [of the interested party] eliminates the interest in continuing the proceedings and creates the need for its archiving without issuing provisions, much less to the detriment of the undersigned”; - “It should, however, be reiterated that the employment relationship [of the interested party] ended due to resignation on 07.23.19, the date from which both the needs and reasons legitimizing the processing of the personal data of the aforementioned by us ceased; as well as the authorization already granted to us [by the interested party], limited to the period of service, for the processing of his data”; - “From the date of 07.23.19, the undersigned does not carry out any processing of the personal data [of the interested party] nor is it legitimized and authorized to do so and cannot, therefore, be identified as the owner/responsible for the processing of the aforementioned personal data. With the further consequence that from 07.23.19, the undersigned is not subject to the obligations already deriving from this position”; - “Cass. Civ. n. 32533 of 2018 cited in the note in response has ruled on cases relating to employees in service who, precisely during the employment relationship, had not received access to certain documents. The ruling confirms that the employer is subject to the obligations arising from the processing of employees' personal data, as the data controller, only when the employment relationships are in place since only during the employment relationship does the need and legal cause exist that legitimises the employer's use of the related personal data, thus identifying him as the data controller. In these terms, art. 88 of Reg. n.2016/679/EU which limits the protection and processing of employees' data within the scope of the employment relationship, i.e. exclusively during it. Otherwise, imposing on the employer the processing of data of workers who have now ceased service would be not only abusive because it lacks a cause but also in clear violation of art. 41 of the Constitution, causing the company to be subjected to extremely burdensome, albeit unjustified, burdens”; - “Hence the groundlessness of the complaint presented [by the interested party] who had already received the documents during the employment relationship and certainly before the complaint itself and had no right, in any case, to demand from the undersigned the fulfillment of the obligations foreseen for the data controller for the termination of his employment relationship and with this any legitimacy of the undersigned in this regard pursuant to art. 6 and 11 of Reg. n.2016/679 EU, no longer holding the position of data controller already held during the employment relationship”; - “It is quite gradually highlighted that the same [interested party] has acknowledged having "found" the documents which, therefore, had already been delivered to the aforementioned during the employment relationship. Furthermore, this is the first and only case of a complaint to this Authority notified to the undersigned, a circumstance which demonstrates the extreme levity and the absolute lack of intentionality of the conduct, to this end it must be considered that the undersigned's staff exceeds one thousand units. The methods used by the undersigned to allow employees to access documents and work information - namely the personal password given to each employee that allows immediate connection to the digital platform for collecting documentation - demonstrates the full implementation of measures to protect personal data and, at the same time, immediate collection of the same by the interested parties"; - "Finally, the documents requested [by the interested party] (employment contract and some pay slips) collect technical data without falling into the category of personal data, much less special data, which confirms the minimal importance of the conduct unjustly attributed to the undersigned to be examined also taking into account the immediate cooperation shown to the Authority in question through the delivery of the documents attached to the previous note of 13.02.24". 3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures. : Following the examination of the statements made to the Authority during the proceedings and the documentation acquired, it appears that the Company, as data controller, has carried out some processing operations, relating to the complainant, which are not compliant with the regulations on the protection of personal data. In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor". On the merits, it emerged that the Company did not respond to the request to exercise the rights, presented by the complainant pursuant to art. 15 of the Regulation, and that, only following the submission of the complaint and the opening of the investigation by the Guarantor, was access to the personal data and further information relating to the employment relationship with the party granted. The fulfillment therefore occurred beyond the deadline set by art. 12, par. 3 of the Regulation, which provides that the data controller must provide "the data subject with information relating to the action taken on a request pursuant to Articles 15 to 22 without undue delay and, in any event, no later than one month after receipt of the request". In particular, from the documents of the investigation it is noted that the Company did not adequately respond to the request for access pursuant to art. 15 of the Regulation submitted by the complainant in relation to the personal data contained in the following documentation: "first employment contract January 2015; subsequent permanent contract; two pay slips for each working year from January 2015 to July 2019". It should be noted that if the owner cannot or does not deem it necessary to follow up on a request to exercise rights (including, therefore, those to exercise the right of access), he must in any case communicate to the interested party the specific reasons for the refusal, as well as the possibility of filing a complaint with the Guarantor or appealing to the ordinary judicial authority pursuant to art. 12 par. 4 of the Regulation. In this case, the Company did not follow the aforementioned conduct. Furthermore, as confirmed by the actions taken by the Company during the investigation, the Company was able to recover the documentation containing the personal data relating to the interested party and the subject of a specific request for access. In this regard, it is emphasized that the aforementioned EDPB Guidelines 1/2022 on the rights of data subjects - Right of access regarding the subject matter of the request for access to data specify that "the assessment of the data being processed reflects as closely as possible the situation at the time the data controller receives the request, and the response should include all data available at that time. This means that the data controller must try to identify all data processing activities concerning the data subject without undue delay. Data controllers are therefore not required to provide personal data that they have processed in the past but no longer have. For example, the data controller may have deleted personal data in accordance with its data retention policy and/or legal provisions and therefore may no longer be able to provide the requested personal data. It should be recalled in this context that the period for which data are retained should be established in accordance with Article 5(1)(e) GDPR, since any retention of data must be objectively justifiable” (see point 37, par. 2.3.3.)”. This therefore confirms that if the data controller still has the personal data of the interested party, he is required to satisfy the requests made pursuant to Articles 15-22 of the Regulation. In fact, the interruption of the employment relationship does not necessarily coincide with the cessation of the processing of the worker's personal data. With regard to the circumstance that, according to what was claimed, the interested party had already received the requested documentation during the employment relationship and therefore the Company was excluded from the obligation to respond to the request to exercise the rights pursuant to Article 15 of the Regulation, it is observed that this assumption is unfounded. In fact, this is not one of those cases in which the data controller can exempt himself from providing the interested party with information relating to the action taken in relation to his request, pursuant to Article 12 of the Regulation. On this point, we recall what has already been established by the legitimate case law, according to which the right of access to one's personal data, even in the context of the employment relationship, "cannot be understood, in a restrictive sense, as the mere right to know any new and additional data with respect to those already entered into the knowledge base and, therefore, in the disposition of the same subject interested in the processing of their data, given that the purpose of the rule [which attributes the relative right] is to guarantee, in order to protect the dignity and confidentiality of the interested party, the verification ratione temporis of the insertion, permanence or removal of data, regardless of the circumstance that such events had already been brought to the attention of the interested party in another way" (see Court of Cassation 14/12/2018, no. 32533). 4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation. For the above reasons, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are therefore unsuitable to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. It is therefore established that the conduct carried out by the data controller, with reference to the failure to respond to the request for access presented by the complainant, is in fact unlawful, in the terms set out above, in relation to art. 12, par. 3, and 15 of the Regulation. Having taken note of all the elements acquired during the investigation, in particular taking into account the negligent nature of the infringement, the absence of previous relevant infringements and the overall conduct of the data controller, also taking into account the specific circumstances of the case, in particular the fact that, with the note of 26/06/2024, the interested party renounced the complaint and, pending the proceedings, found the requested documentation, before the notification of the complaint against the company, it is considered that the case can be classified as a "minor infringement" pursuant to art. 83, par. 2 and recital 148 of the Regulation. Also taking into account that, pursuant to recital 148 of the Regulation, "in the case of a minor infringement or if the financial penalty that would have to be imposed would constitute a disproportionate burden for a natural person, a warning could be issued instead of imposing a financial penalty", it is considered sufficient to warn the data controller pursuant to art. 58, par. 2, letter b), of the Regulation. It is also stated that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met. GIVEN ALL THE ABOVE, THE GUARANTOR determines the unlawfulness of the processing carried out by Security Service s.r.l., with registered office in Rome, Via Cristoforo Colombo, 163, P.I. 01281061000, pursuant to art. 143 of the Code, for the violation of arts. 12, par. 3, and 15 of the Regulation; pursuant to art. 58, par. 2, letter b), of the Regulation warns Security Service s.r.l., as the data controller in question, for having processed personal data in violation of the regulations on the protection of personal data; ORDERS the annotation in the internal register of the Authority of the violations and measures adopted pursuant to art. 58, par. 2, of the Regulation with this provision, as provided for by art. 17 of the Regulation of the Guarantor no. 1/2019. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 27 February 2025 THE PRESIDENT Stanzione THE REPORTER Cerrina Feroni THE SECRETARY GENERAL Mattei
