Garante per la protezione dei dati personali (Italy) - 9795350

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR; Article 12 GDPR; Article 15 GDPR; Personal Data Protection Code enacted via Law No 178 of 23 November 2021
Type: Complaint
Outcome: Upheld
Started:
Decided: 16.06.2022
Published: 16.06.2022
Fine: 70000 EUR
Parties: XXX; Unicredit S.p.A.
National Case Number/Name: 9795350
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: Samuel Uzoigwe

The Italian DPA fined UniCredit S.p.A. €70,000 for requiring that a data subject submit their access request via a designated form, and for not providing all information required under Article 15 GDPR.

English Summary

Facts

An employee (the data subject) sent a letter to his employer, Unicredit S.p.A. (the controller), exercising his right of access. The controller replied asking the data subject to resubmit the access request by filling out a form available on the controller's website. The data subject neither replied nor filled out the form on the portal; instead he filed a complaint with the Italian DPA, claiming that the controller had not granted his right of access.

After the controller was notified of the complaint by the DPA, it granted the access request. The controller told the DPA that because the data subject did not contest the controller's request to fill out the form, it believed that the data subject was no longer interested in exercising the right of access. However, the data subject claimed that the controller did not provide all information required under Article 15 GDPR.

The controller argued that the information provided was sufficient. It stated that (1) the data subject's request for "any information on the processing of personal data" was manifestly unfounded and excessive; (2) it had not included the information that the data subject could download directly from the controller's system; and (3) the information requested by the data subject was already provided in the privacy statement available on the company website.

Holding

The DPA held that the controller may use forms as part of its procedure for responding to data subject requests. However, submitting the form cannot be made a necessary condition for the data subject to exercise his rights: the controller still has a duty to respond to requests that the data subject communicates through other means. The DPA further noted that the form in question did not cover the full content of the data subject's right of access under Article 15 GDPR.

The DPA rejected the controller’s argument that the data subject’s request was manifestly unfounded and excessive. It held that Article 15 GDPR did not provide for any limitation on the personal information that can be accessed. The DPA also clarified that the term "excessive", as used in the GDPR, typically refers to repetitive requests.

The DPA observed that the considerable amount of paper documentation sent belatedly to the data subject, after the complaint had been lodged with the DPA, was not provided in a way that facilitated access and understanding by the data subject, as required by Article 12 GDPR.

The DPA clarified that the right to information and the right of access are distinct. An access request under Article 15 GDPR is not satisfied merely because the controller provided the information under Articles 13 and 14 GDPR when collecting the data. It followed that the information needed to be "updated and tailored for the processing operations actually carried out with regards to the data subject making the request".[1] Thus, referring to one's privacy policy during processing is not sufficient, unless the "tailored" information is the same as the "general" information.

The DPA held that the controller violated Articles 5(1)(a), 12 and 15 GDPR and fined the controller €70,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9795350]

Injunction order against Unicredit S.p.A. - June 16, 2022

Record of measures
n. 225 of June 16, 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Mr. Guido Scorza, lawyer, members, and Cons. Fabio Mattei, Secretary General;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint submitted pursuant to Art. 77 of the Regulation, dated 15 October 2019, by Mr. XX against Unicredit S.p.A.;

EXAMINED the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

RAPPORTEUR Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

1.1. With a complaint of 15 October 2019, Mr. XX complained of alleged violations of the Regulation by Unicredit S.p.A. (hereinafter, the Company), with reference to the failure to respond to his request to access the personal data processed in the context of the employment relationship pursuant to Art. 15 of the Regulation. In particular, the complainant complains of having submitted an access request on 28 March 2019, to which the Company replied on 3 April 2019 with a merely interlocutory reply.

The complainant also complains about the violation of articles The Judicial authority, the disciplinary sanction imposed by the Company against the complainant and the ineffectiveness of the negative judgment for 2008 formulated against the same.

With the complaint, the Authority was asked to order the Company to satisfy the request to exercise the right of access pursuant to Art. 15 of the Regulation, as well as to "warn or admonish" that "the form prepared for the exercise of the rights of the data subject" has violated or may violate the provisions on the subject, and to order the rectification and/or erasure of the data subject's personal data "in relation to the negative judgment for 2008 (declared ineffective) and the disciplinary sanction (declared illegitimate)".

1.2. The Company, in responding to the Authority's invitation of 3 December 2019, stated in a note of 9 January 2020 that:

a. "On the date of receipt of the [...] letter [sent by the Office], the access request presented by the [complainant] had not been answered because, since he had not taken any action, not even to contest it, in response to our communication of 3 April 2019, with which we asked him to send us the request by filling out the form on the bank's Privacy Portlet, we considered that he was no longer interested in exercising the right of access and had cancelled the request. Following receipt of the [...] letter [sent by the Office], on 23 December 2019 we delivered the requested information by courier [...]" (note 9/1/2020 cit., p. 1);

b. with reference to the methods by which the Company handles requests to exercise the rights provided for by Regulation (EU) 2016/679 (hereinafter the "Regulation"), "Unicredit has prepared differentiated verification methods by type of data subject, distinguishing between employees in service, former employees and other data subjects (customers, potential customers, etc.). With specific reference to the right of access: for employees in service, the request is submitted through the HR web ticket channel [...] attaching the form [...] which can be retrieved in a specific section [...] of the Privacy Portlet of the group's Intranet" (cit. note, pp. 1-2);

c. "For former employees, the request is expected to be sent by e-mail to an address of the HR function, attaching the form [...]. The answer is provided by e-mail or ordinary post" (cit. note, p. 2);

d. "Filling out the form provided has the sole purpose of facilitating the applicant and making the subject of the request more easily intelligible, reducing the risk of having to ask for clarifications or provide inappropriate answers" (cit. note, p. 2);

e. "As regards customer requests, they have always been accepted even if formulated without using the form prepared by the bank, while for employee requests, considering that [...] the form can be easily downloaded from the portal, filling it in was considered a necessary condition for accepting the requests. We have also decided to provide that, without prejudice to the current process, where a request without the form still contains all the information necessary to process it correctly, it will be accepted anyway, and we are proceeding to give instructions to this effect to the office that processes these requests." (cit. note, p. 2);

f. "Unicredit complied with the judgment of the Court of Appeal by reimbursing the [complainant] for the ten days' salary relating to the period of suspension from service, and had already communicated [...], in May [2019], [...] that the "underperformance" rating was ineffective. This assessment has now been corrected in the [complainant's] file, changing it to «overall performance in line with expectations»" (cit. note, p. 2);

g. "The documents relating to the assessments are stored as scanned PDFs and inserted in the digital file of each employee up to the year 2010, while, with reference to the company assessments and professional assessments relating to the years from 2011 onwards, the data are visible in the HR applications in self-service mode" (cit. note, p. 2);

h. "The correction of the data relating to the evaluation for the year 2008 and the "cancellation" of the suspension from service did not lead to the elimination of the previous data" (cit. note, p. 2);

i. the Company "considered that it was correct, and in the best interest of both the controller and the data subject, to keep the record of the events that occurred over time, so as to be able to reconstruct them in case of need, supplementing the records with notes clarifying that the old data - in this case, the suspension and the judgment of insufficient performance - were corrected in compliance with a judicial decision. Of course, any documents to be produced externally will only report the corrected data" (cit. note, p. 2).

On 14 May 2020, the complainant sent his counter-arguments, stating that:

a. "The personal data sent late by Unicredit S.p.A. (only after the complaint and the consequent invitation to verify by the Guarantor) did not however satisfy the data subject's right of access [...]. Unicredit S.p.A. limited itself to sending a set of indistinct and undifferentiated data, extracted from the company archives, without however providing the information required by Art. 15 and requested by the data subject. In particular, no information was provided on: the purposes of the processing of the data subject's personal data; the categories of personal data being processed; the recipients or categories of recipients of the personal data; the retention period of the personal data or at least the criteria used to determine this period; information on the origin of personal data not collected from the data subject; the existence of automated decision-making processes and meaningful information about the logic involved, as well as the significance and envisaged consequences of such automated processing for the data subject" (note 14/5/2020 cit., p. 2);

b. "Unicredit S.p.A. incurs [...] in a further violation, as the so-called "evaluation step" took place with the insertion of a personal data item that is once again inaccurate. In fact, the replacement of the judgment annulled by the ruling of the Court of Appeal of Milan, labour section (which had to be cancelled), had as a prerequisite and necessary act the summoning of the [complainant] by his hierarchical superiors and the carrying out of the procedure by which, in an adversarial exchange between the parties, the new assessment would be formulated" (cit. note, p. 3).

On 22 July 2020, following a request for further clarifications sent by this Office (on 18/6/2020), the Company declared that:

a. "On 23 December 2019 we sent [the complainant] a package containing all the required documentation. We are sending the same documentation [...] to this Authority, confirming that it is all the information concerning the [complainant] held by Unicredit as employer. On the other hand, we have not sent the documents that the [complainant], like any other employee in service, can independently download from the system, such as the company evaluations and professional judgments relating to the years from 2011 onwards" (note 22/7/2020 cit., p. 1);

b. "With regard to the methods and purposes of the processing carried out, we referred to the content of the privacy notice, provided to the [complainant] and attached to the documentation sent, which indicates the purposes of the processing, the categories of personal data processed, the categories of recipients of the personal data and the data retention period. There is no information on automated decision-making processes because Unicredit does not use such processes in the processing of employee data" (cit. note, p. 1);

c. with reference to the "complained persistent inaccuracy of the data relating to the "evaluation step"", "we believed it was correct, and in the best interest of both the controller and the data subject, to keep the record of the events that occurred over time, so as to be able to reconstruct them in case of need. In fact, in this case [...] there is no right to erasure pursuant to Art. 17 of the GDPR, but a rectification pursuant to Art. 16" (cit. note, pp. 1-2);

d. the Company has "rectified the assessment in the [complainant's] file, inserting the first non-negative assessment ("Overall performance in line with expectations") and supplementing the records with notes clarifying that the old data - in this case, the suspension and the judgment of insufficient performance - were corrected in fulfilment of a judicial decision" (cit. note, p. 2).

On 21 September 2020, following the request for further clarifications of 4 September 2020, the complainant stated that:

a. "The controller limited itself to communicating, on 3 April 2019, that it had taken charge of the access request of 27 March 2019, without this communication then being followed by the communication to the data subject of the information pursuant to Art. 15 GDPR, nor by the communication of a reasoned extension of the time limit given the complexity of the information to be provided to the data subject" (note 21/9/2020 cit., p. 1);

b. "The controller [...] has not communicated the existence of the processing relating to the employee performance evaluation process (so-called Unicredit Performance Management [...])" (cit. note, p. 3);

c. with reference to the evaluation of the employee's performance, "the data subject was subjected to a decision based solely on automated processing (without human intervention), a decision that produces legal effects concerning him or that in any case significantly affects his person" (cit. note, p. 5).

On 13 January 2021, following a further request for information from the Authority, the Company finally declared that:

a. "Unfortunately, we are not able to say whether or not the text of the privacy notice was attached to the package of documents sent [...] last July but, in any case, the [complainant] already had it and could and can at any time easily download it from the company website" (note 13/1/2021 cit., p. 1);

b. "The information that, pursuant to Art. 15 of the Regulation, the data subject has the right to obtain [is] all already contained in the privacy notice. [...]. The notice already clearly indicates what the purposes of the processing are (Section 2 of the notice), which are the categories of data processed (Section 3 of the notice), which are the recipients or categories of recipients to whom the data may be communicated (Section 4 of the notice), and what the retention period is (Section 7.1 of the notice), and also lists the rights of the data subject and the possibility of lodging a complaint in Sections 7 and 10" (cit. note, p. 1);

c. "an automated procedure, without human intervention, was not carried out in the processing of employee data. The attribution to the [complainant] of an assessment "overall in line with expectations" was not the result of an automated decision-making process without human intervention, but a decision taken by an employee of Unicredit, Head of Operations Italy, and it is a correct application of the decision of the Court of Appeal of Milan, as confirmed by the Court of Cassation, which only provided for the ineffectiveness of the negative judgment for the year 2008 and not the "reconstruction of the professional history" of the [complainant]. All the elements to proceed with the replacement of the evaluation declared ineffective had already been acquired; no new summons of the employee was therefore necessary [...] nor any adversarial procedure" (cit. note, pp. 1-2).

2. The initiation of the procedure for the adoption of corrective measures and the Company's submissions.

On 1 March 2021, the Office notified the Company, pursuant to Art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to Articles 5, par. 1, lett. a), 12 and 15 of the Regulation.

With defence briefs sent on 29 March 2021, the Company stated that:

a. "The methods followed [by the Company] in handling the access request by the [complainant] are the result of the generic nature of the request sent"; in fact, the complainant formulated "an access request that referred to any type of data, processing and information that can be requested pursuant to the Regulation, which evidently did not allow the Company, due to its breadth and generality, to understand precisely what personal data and what information the [complainant] was interested in obtaining" (note 29/3/2021, point 2);

b. "UniCredit took charge of and followed up on the request of the [complainant] within 4 days of the request, informing the data subject of the need to fill in the form made available on the company portal"; "The compilation of this form [...] was [...] aimed [...] at facilitating the exercise of rights through the adoption of a suitable organisational system capable of allowing the data subject, who had made a generic request, to indicate precisely what information he needed" (cit. note, point 2.1);

c. "The Company certainly processes a considerable amount of personal data not only with respect to the individual data subjects who have an ongoing relationship with it (as in the case of the [complainant], an employee of the company for 18 years) but also, being one of the largest European banks with over 8 million customers and about 34 thousand employees, with respect to numerous subjects" (cit. note, point 2.1);

d. "The fact that the [complainant] never sent the form and that his lawyer's request covered any information on the processing of his client's personal data confirms [...] that we are faced with a "manifestly unfounded" and "excessive" request by the [complainant]" (cit. note, point 2.1);

e. "The way in which the requested information was provided to the [complainant] is due to the fact that he did not clarify, by filling in the form provided by UniCredit, which information he was interested in. In any case, the information provided is certainly intelligible to the [complainant] because it concerned his working life, which he certainly knows in depth" (cit. note, point 2.2);

f. the privacy notice prepared by the Company, provided to employees at the time of hiring and made available "on the company website, accessible directly and at any time by the employee [...], outlines, in detail and in an exhaustive manner, the processing activities carried out by the company, including information about the purposes of the processing, the categories of personal data processed, the categories of recipients to whom the personal data are communicated, and the retention period of the personal data" (cit. note, point 2.3);

g. therefore the Company "specifically indicated to the [complainant] where this information was accessible within the privacy notice. In the presence of sufficient information on the methods of processing personal data within the notice, it is not clear what further information should have been provided to the [complainant]" (cit. note, point 2.3);

h. "There was no delay in UniCredit's response to the [complainant's] access request. The Company promptly sent the [complainant] the form aimed at understanding in detail the information he was interested in and did not receive any feedback from him. In the absence of a reply, the time limit for exercising the rights must be considered suspended because the data controller is not in a position to follow up on the request" (cit. note, point 3);

i. the Company "asks the Guarantor [...] to recognise and declare that the conditions for the application of administrative sanctions for the violation of Articles (i) 5, par. 1, letter a) of the Regulation, (ii) 12, par. 2 and 3 of the Regulation are not met or, in the alternative, that the conditions exist for the application of sanctions to the minimum extent required by law".

On 15 June 2021, the hearing of the Company was held at its request. The party stated that "on the basis of company provisions, in order to handle requests to exercise rights by its employees, Unicredit has arranged for the activation of a ticketing function within which a form is filled in. The request is taken care of even in the absence of filling in the form, provided that the type of data to which access is sought and, possibly, the underlying purposes are clearly indicated. This is in compliance with the principle expressed by the GDPR according to which requests must not be specious". The Company underlined "the fully collaborative approach taken towards the applicant and towards the Authority [...] and the lack of any damage suffered by the applicant, who received all the requested information". Finally, it was specified that according to the procedures in use "the company provides a copy of the personal data processed, while with reference to the other information referred to in Art. 15 of the GDPR it refers to the content of the privacy notice, considering that the notice is already transparent in itself".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

3.1. Outcome of the investigation.

Upon examination of the declarations made to the Authority during the procedure, as well as of the documentation acquired, it appears that the Company, as controller, carried out some processing operations relating to the complainant which do not comply with the rules on the protection of personal data. In this regard, it should be noted that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Guarantor, falsely declares or certifies facts or circumstances or produces false acts or documents, is liable pursuant to Art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor".

In this regard, it emerged that on 3 April 2019 the Company gave the access request presented by the complainant on 28 March 2019 a merely interlocutory reply ("we have taken charge of the request [...] to which we will reply within the time limits provided for by Art. 12 of the Regulation"), accompanied by a request that the applicant fill in and sign a predefined form "to process the access request".

Only following the submission of a complaint to the Authority and the initiation of the related administrative procedure did the Company cooperate with the Guarantor and provide the data subject with effective feedback, by sending documentation containing the personal data covered by the access request and, with regard to the information relating to the processing and to the rights of the data subject (pursuant to Art. 15, lett. a) to h) of the Regulation), by referring to the content of the general privacy notice provided to employees.

3.2. Violation of Articles 12 and 15 of the Regulation in relation to the obligation to fill out a predefined form.

The Company has provided, both in the specific case subject to the complaint and in general terms, on the basis of a procedure covering all requests submitted by its employees and former employees, that in order to process an access request pursuant to Art. 15 of the Regulation the data subject must necessarily fill in a predefined form with multiple fields, with the stated purpose of "facilitating the applicant and making the subject of the request more easily intelligible, reducing the risk of having to ask for clarifications or provide inappropriate answers".

Given that the preparation of a form can, in general terms, constitute an organisational measure aimed at facilitating data subjects in submitting requests, it is not, however, compliant with the current legislation on the protection of personal data to make the start of the procedure intended to give effect to the exercise of the right conditional on the prior sending of the completed form, and not to consider on the merits requests submitted in free form.

This is even more so if, as in the case of the complaint, the application submitted indicates in detail - by referring to the content of Art. 15 - the personal data in relation to which the right is exercised. This is without prejudice to the controller's right to ask the data subject, if necessary, for clarification on the subject of the application.

It is also noted that the template made available by the Company (in particular the one sent to the complainant attached to the reply of 3/4/2019), as regards the section concerning access ("Access to personal data - Art. 15 of Regulation (EU) 2016/679"), does not report the complete and detailed list of the information indicated in Art. 15 of the Regulation, with the consequent possibility of misleading data subjects about the actual content of the enforceable right and, in any case, of providing a partial representation of it (the aforementioned template contains only a reference to the possibility of requesting confirmation that processing is taking place and of requesting communication of the data themselves, indicating specifically "the personal data, the categories of data or the processing to which reference is made"; moreover, two of the categories of information specifically mentioned in Art. 15 are included in the separate section "Request for information on the processing of personal data - Articles 13 and 14 of Regulation (EU) 2016/679", namely the purposes of the processing and the subjects or categories of subjects to whom the data may be communicated).

The exercise of the right of access to personal data is closely related to the identification of the specific methods and time limits with which the controller is required to satisfy the requests of the data subject, identified by Art. 12 of the Regulation in order to make the principles of transparency and fairness effective (recitals 58 and 60 of the Regulation). In particular, the controller is required to "facilitate the exercise of data subject rights under Articles 15 to 22" (Art. 12, par. 2, of the Regulation), and to "provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request" (a period that may be extended by two further months, with adequate information to the data subject, taking into account the complexity and number of the requests; Art. 12, par. 3, of the Regulation).

Conversely, the obligation to fill in a predefined form, in addition to and regardless of the specific content of an application to exercise a right recognised by the legal system, burdens (rather than facilitates, through the adoption of appropriate measures) the exercise of the right itself, moreover distinguishing between the categories of data subjects subject to this obligation (employees and former employees) and the categories exempt from this constraint (customers), on the basis of considerations that do not appear to comply with the principle of reasonableness (in particular, according to what the Company states, the circumstance that, for employees, the default form is "easily downloadable from the portal").

Nor can the Company's argument be shared that, in the case under complaint, the data subject's failure to fill in the form and the circumstance that the request submitted had as its object "any information on the processing of personal data" of the complainant were in themselves an indication of a "manifestly unfounded" and "excessive" request.

On the one hand, in fact, the request made by the complainant does not appear "unfounded", given that Art. 15 of the Regulation does not provide for any limitation with regard to the information that can be accessed; it may well be that the data subject asks to know the entire range of data processed by the controller (so much so that Art. 12, paragraph 3, of the Regulation provides for the extension of the time limit for responding to the request "taking into account the complexity and number of the requests"). This is also in consideration of the fact that the right of access, in the data protection system, allows the data subject to exercise control over the personal data concerning him, and is also preliminary to possible further action aimed at protecting his rights (recital 63 of the Regulation).

Nor could the data subject's request be considered "excessive", considering that this term, also read in the light of the subsequent wording ("in particular because of [its] repetitive character"), mostly refers to the case of a plurality of requests submitted and, in the present case, it does not appear that the complainant had previously made access requests.

In any case, finally, it is noted that, under Art. 12, paragraph 4, of the Regulation, the controller, "if [it] does not take action on the request of the data subject, [...] shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy".

In the present case, the controller should therefore have informed the data subject of the reasons why the application was not processed and of the remedies provided for by the legislation against this decision.

The Company, for the reasons set out above, has therefore violated Articles 15 and 12, par. 2, of the Regulation. The Authority acknowledges that the Company, during the procedure, declared that at present "the request is taken care of even in the absence of filling in the form".

3.3. Violation of Articles 5(1)(a), 12 and 15 of the Regulation in relation to the reference to the content of the privacy notice.

It also emerged that, after the Authority opened administrative proceedings, the Company sent the complainant copies of the documents in its possession containing the data subject's personal data. In this regard, the considerable volume of paper documentation sent in copy to the complainant (and also transmitted to the supervisory authority for information) does not appear to have been provided in a way that facilitated the data subject's access to and understanding of it, or that allowed even a minimally organised use of it.

With that reply, however, the information on the processing requested by the complainant under Article 15 of the Regulation (paragraph 1, points (a) to (h), and paragraph 2) was not provided. The Company has in fact stated that it considers it has already complied with the Regulation in this regard, since all the information requested by the complainant can be found in the text of the privacy notice on the processing of data, which the complainant "could and can easily download at any time from the company website".

On this last point, the data subject's right to access the information provided for in Article 15 of the Regulation, applying the principles of transparency and fairness (Article 5(1)(a) of the Regulation), cannot be considered satisfied merely because the information referred to in Articles 13 and 14 of the Regulation has been provided. The right of access and the so-called right to information, although related, are distinct rights, laid down in separate provisions of the legal system and serving protection and guarantee needs of the data subject that do not fully overlap.

As recently clarified also by Guidelines 01/2022 on data subject rights - Right of access, adopted on 18 January 2022 (public consultation closed on 11 March 2022), when handling an access request the controller must adapt to the specific situation of the data subject the information that is set out, in necessarily general terms, in the privacy notice (or in the record of processing activities). Therefore, when communicating the information to the data subject under Article 15 of the Regulation, all the information provided in the privacy notice must be verified and tailored in light of the processing operations actually carried out with regard to the applicant (see Guidelines 01/2022 cit., point 110 et seq.; in general terms, see point 111: "In the context of an access request under Art. 15, any information on the processing available to the controller may therefore have to be updated and tailored for the processing operations actually carried out with regard to the data subject making the request. Thus, referring to the wording of its privacy policy would not be a sufficient way for the controller to give information required by Art. 15 (1) (a) to (h) and (2) unless the «tailored» information is the same as the «general» information").

For the above reasons, the Company has violated the principles of transparency and fairness (Article 5(1)(a) of the Regulation) and, in particular, the obligation to provide an intelligible and easily accessible response (Article 12 of the Regulation) to the access request made under Article 15 of the Regulation, containing all the specific information requested by the data subject with reference to the categories of data concerning them processed by the controller.

The Authority takes note that, in the course of the proceedings, the Company responded to the complainant regarding the information indicated in Article 15(1)(h) of the Regulation with reference to the processing activities actually carried out on the data subject's data (absence of decisions based solely on automated processing, including with reference to the performance appraisal procedures).

3.4. Fulfilment of the request for rectification of the data relating to the data subject.

Lastly, it emerged that, during the proceedings before the Authority, the Company completed the rectification of the complainant's data contained in the personnel file, following the decision of the judicial authority, by amending the assessment (declared ineffective) formulated at the time in the complainant's performance appraisal procedure. The conduct of the controller, which rectified the data and also inserted internal notes in the file stating that "the old data [...] was corrected in fulfilment of a judicial decision", further specifying that "any documents to be produced externally will only report the corrected data", complies with the provisions of the Regulation on rectification and erasure. This also takes into account that, in the complaint, the Authority was asked, in relation to the aforementioned data, to "order rectification and/or erasure" in the alternative, and that in any case the complainant, even during the proceedings, did not set out the specific grounds, among those listed in Article 17 of the Regulation, under which the controller would be obliged to erase the personal data.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures under Article 58(2) of the Regulation.

For the above reasons, the Authority considers that the statements, documentation and reconstructions provided by the controller during the investigation do not rebut the findings notified by the Office in the act initiating the proceedings, and are therefore insufficient to allow this proceeding to be closed, none of the cases provided for in Article 11 of Garante Regulation no. 1/2019 being applicable.

The processing of personal data carried out by the Company, and in particular the failure to respond to the complainant's access request, is therefore unlawful, in the terms set out above, in relation to Articles 5(1)(a), 12 and 15 of the Regulation.

The violation found, in the terms set out in the reasoning, cannot be considered "minor", having regard to the nature, gravity and duration of the violation, the degree of responsibility, the manner in which the supervisory authority became aware of the violation and relevant previous violations (recital 148 of the Regulation).

Therefore, in exercise of the corrective powers conferred by Article 58(2) of the Regulation:

the controller is ordered to comply with the data subject's request for access to the information indicated in Article 15(1)(a) to (g) (given that, as regards point (h), the Company has already provided, during the proceedings, a response referring to the processing activities actually carried out on the data subject's data) (Article 58(2)(c) of the Regulation);

an administrative fine is imposed under Article 83 of the Regulation, commensurate with the circumstances of the case (Article 58(2)(i) of the Regulation).

5. Adoption of the injunction order for the application of the administrative fine and ancillary sanctions (Articles 58(2)(i) and 83 of the Regulation; Article 166(7) of the Code).

At the outcome of the proceedings, it appears that Unicredit S.p.A. has violated Articles 5(1)(a), 12 and 15 of the Regulation. For the violation of those provisions, the administrative fine provided for in Article 83(5)(a) and (b) of the Regulation applies, through the adoption of an injunction order (Article 18 of Law no. 689 of 24 November 1981).

Considering that Article 83(3) of the Regulation must be applied, which provides that "if a controller [...] intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the total amount of the fine is calculated so as not to exceed the legal maximum provided for in Article 83(5).

With reference to the elements listed in Article 83(2) of the Regulation for the purposes of imposing and quantifying the administrative fine, and taking into account that the fine must "in each individual case be effective, proportionate and dissuasive" (Article 83(1) of the Regulation), the following circumstances were considered in the present case:

a) as regards the nature, gravity and duration of the violation, the nature of the violation was considered relevant, as it affected the general principles of processing as well as the exercise of the data subject's rights;

b) as regards the intentional or negligent character of the violation and the degree of responsibility of the controller, the Company's conduct and its degree of responsibility were considered, it having failed to comply with data protection rules in relation to several provisions;

c) the Company has been the addressee of four measures adopted by the Garante, one of which, in particular, followed the finding of a violation of the obligation to respond to the exercise of data subjects' rights in the specific manner set out in Article 12 of the Regulation (see Decision no. 408 of 25 November 2021, web doc. no. 9731887); that previous violation shows insufficient measures to allow data subjects to exercise control over their personal data through the provision of information on the processing, just as, in the present case, the data subject was not allowed control over their data through the exercise of the right of access (on the criterion in Article 83(2)(e), see Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, 3 October 2017);

d) in the Company's favour, account was taken of its cooperation with the supervisory authority and of the fact that the violation found concerned only the complainant.

Having regard to the principles of effectiveness, proportionality and dissuasiveness that the Authority must follow in setting the amount of the fine (Article 83(1) of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved by the company according to the ordinary financial statements for the year 2021, are also considered relevant in the present case. Lastly, the level of fines imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is considered appropriate in the present case to impose on Unicredit S.p.A. an administrative fine of EUR 70,000 (seventy thousand).

In this context, given the type of violations found, which concerned the general principles of processing and the exercise of the data subject's rights, it is also considered that this decision should be published on the Garante's website under Article 166(7) of the Code and Article 16(1) of Garante Regulation no. 1/2019.

It is also considered that the conditions set out in Article 17 of Regulation no. 1/2019 are met.

ON THESE GROUNDS, THE GARANTE

declares unlawful the processing carried out by Unicredit S.p.A., in the person of its legal representative, with registered office in Piazza Gae Aulenti, 3, Tower A, Milan (MI), tax code 00348170101, pursuant to Article 143 of the Code, for the violation of Articles 12 and 15 of the Regulation;

ORDERS

Unicredit S.p.A., pursuant to Article 58(2)(c) of the Regulation, to comply with the data subject's request for access to the information indicated in Article 15(1)(a) to (g), in the terms specified in the reasoning, within 60 days of receipt of this decision;

ORDERS

Unicredit S.p.A., pursuant to Article 58(2)(i) of the Regulation, to pay the sum of EUR 70,000 (seventy thousand) as an administrative fine for the violations indicated in this decision;

ORDERS

the same Company to pay the aforementioned sum of EUR 70,000 (seventy thousand), in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted under Article 27 of Law no. 689/1981. It is noted that the offender is entitled to settle the dispute by paying, again in the manner indicated in the annex, an amount equal to half of the fine imposed, within the time limit set by Article 10(3) of Legislative Decree no. 150 of 1 September 2011 for lodging the appeal indicated below (Article 166(8) of the Code);

DIRECTS

the publication of this decision on the Garante's website under Article 166(7) of the Code and Article 16(1) of Garante Regulation no. 1/2019, and considers that the conditions set out in Article 17 of Regulation no. 1/2019 are met.

Unicredit S.p.A. is requested to communicate the initiatives undertaken to implement this decision and, in any case, to provide an adequately documented response under Article 157 of the Code within 90 days of notification of this decision; failure to respond may result in the administrative fine provided for in Article 83(5)(e) of the Regulation.

Under Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150/2011, this decision may be challenged before the ordinary judicial authority by an appeal lodged with the ordinary court of the place identified in the same Article 10, within thirty days of the date of communication of the decision, or sixty days if the appellant resides abroad.

Rome, June 16, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei

[doc. web n. 9795350]

Injunction order against Unicredit S.p.A. - June 16, 2022

Register of decisions
no. 225 of 16 June 2022

THE GARANTE FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD to the Personal Data Protection Code, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 (Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018, hereinafter the "Code");

HAVING REGARD to the complaint lodged under Article 77 of the Regulation on 15 October 2019 by Mr. XX against Unicredit S.p.A.;

HAVING EXAMINED the documentation on file;

HAVING REGARD to the observations made by the Secretary General under Article 15 of Garante Regulation no. 1/2000;

RAPPORTEUR Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

1.1. In a complaint of 15 October 2019, Mr. XX alleged violations of the Regulation by Unicredit S.p.A. (hereinafter, the Company), with reference to the failure to respond to his request for access to the personal data processed in the context of the employment relationship under Article 15 of the Regulation. In particular, the complainant states that he submitted an access request on 28 March 2019, to which the Company replied on 3 April 2019 with a merely interlocutory response.

The complainant also alleges a violation of Articles [...] with regard to the decision of the judicial authority, the disciplinary sanction imposed on him by the Company and the ineffectiveness of the negative assessment for 2008 made against him.

In the complaint, the Authority was asked to order the Company to comply with the request to exercise the right of access under Article 15 of the Regulation, to "warn or admonish" the Company that "the form prepared for the exercise of data subjects' rights" has violated or may violate the provisions on the matter, and to order the rectification and/or erasure of the data subject's personal data "in relation to the negative assessment for 2008 (declared ineffective) and the disciplinary sanction (declared unlawful)".

1.2. In response to the Authority's invitation to comply of 3 December 2019, the Company stated, in a note of 9 January 2020, that:

a. "On the date of receipt of the [...] letter [sent by the Office], the access request submitted by the [complainant] had not been answered because, since he had not reacted in any way - not even to contest it - to our communication of 3 April 2019, in which we asked him to send us the request by filling in the form on the bank's Privacy Portlet, we considered that he was no longer interested in exercising the right of access and had withdrawn the request. Following receipt of the [...] letter [sent by the Office], on 23 December 2019 we delivered the requested information by courier [...]" (note of 9 January 2020 cit., p. 1);

b. with reference to the procedures by which the Company handles requests to exercise the rights provided for by Regulation (EU) 2016/679 (hereinafter the "Regulation"): "Unicredit has set up different handling procedures by type of data subject, distinguishing between current employees, former employees and other data subjects (customers, prospective customers, etc.). With specific reference to the right of access: for current employees, the request is to be submitted through the HR web ticket channel [...] attaching the form [...], which can be retrieved from a specific section [...] of the Privacy Portlet on the group's intranet" (note cit., pp. 1-2);

c. "For former employees, the request is to be sent by e-mail to an address of the HR function, attaching the form [...]. The response is provided by e-mail or ordinary post" (note cit., p. 2);

d. "Filling in the form provided has the sole purpose of assisting the applicant and making the subject of the request more easily intelligible, reducing the risk of having to ask for clarification or of providing inappropriate answers" (note cit., p. 2);

e. "As regards customer requests, they have always been accepted even when made without using the form prepared by the bank, whereas for employee requests, considering that [...] the form can easily be downloaded from the portal, filling it in was considered a necessary condition for accepting the request. We have also decided to provide that, without prejudice to the current process, where a request submitted without the form nevertheless contains all the information needed to process it correctly, it will still be accepted, and we are issuing instructions to this effect to the office that handles these requests." (note cit., p. 2);

f. "Unicredit complied with the judgment of the Court of Appeal by reimbursing the [complainant] the ten days' salary relating to the period of suspension from service, and had already informed him [...], in May [2019], [...] that the "underperformance" rating was ineffective. That assessment has now been corrected in the [complainant's] file to «overall performance in line with expectations»" (note cit., p. 2);

g. "The documents relating to assessments are stored as scanned PDFs and inserted in each employee's digital file up to the year 2010, while the company and professional assessments for the years from 2011 onwards are visible in the HR applications in self-service mode" (note cit., p. 2);

h. "The correction of the data relating to the assessment for the year 2008 and the "cancellation" of the suspension from service did not lead to the deletion of the previous data" (note cit., p. 2);

i. the Company "considered it correct, and in the best interests of both the controller and the data subject, to keep a record of the events that occurred over time, so as to be able to reconstruct them if needed, supplementing the records with notes clarifying that the old data - in this case, the suspension and the judgment of insufficient performance - was corrected in compliance with a judicial decision. Of course, any documents to be produced externally will only report the corrected data" (note cit., p. 2).

On 14 May 2020, the complainant submitted his counter-arguments, stating that:

a. "The personal data sent late by Unicredit S.p.A. (only after the complaint and the consequent invitation to comply by the Garante) did not in any case satisfy the data subject's right of access [...]. Unicredit S.p.A. merely sent a set of indistinct and undifferentiated data extracted from the company archives, without however providing the information required by Article 15 and requested by the data subject. In particular, no information was provided on: the purposes of the processing of the data subject's personal data; the categories of personal data processed; the recipients or categories of recipients of the personal data; the retention period of the personal data or at least the criteria used to determine that period; information on the source of personal data not collected from the data subject; the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject" (note of 14 May 2020 cit., p. 2);

b. "Unicredit S.p.A. has committed [...] a further violation, since the so-called "assessment step" took place with the insertion of personal data that is once again inaccurate. In fact, the replacement of the assessment set aside by the judgment of the Court of Appeal of Milan, labour section (which had to be cancelled) required as a prerequisite and necessary step the convening of the [complainant] by his superiors and the carrying out of the procedure by which, with both parties heard, the new assessment would be formulated" (note cit., p. 3).

On 22 July 2020, following a request for further clarification sent by this Department (on 18 June 2020), the Company stated that:

a. "On 23 December 2019 we sent [the complainant] a package containing all the documentation requested. We are sending the same documentation [...] to the Authority, confirming that it is all the information concerning the [complainant] held by Unicredit as employer. We did not, however, send the documents that the [complainant], like any other current employee, can download independently from the system, such as the company and professional assessments for the years from 2011 onwards" (note of 22 July 2020 cit., p. 1);

b. "With regard to the methods and purposes of the processing carried out, we referred to the content of the privacy notice, provided to the [complainant] and attached to the documentation sent, which indicates the purposes of the processing, the categories of personal data processed, the categories of recipients of the personal data, and the data retention period. There is no information on automated decision-making because Unicredit does not use such processes in the processing of employee data" (note cit., p. 1);

c. with reference to the "alleged persistent inaccuracy of the data relating to the 'assessment step'": "we considered it correct, and in the best interests of both the controller and the data subject, to keep a record of the events that occurred over time, so as to be able to reconstruct them if needed. In fact, in this case [...] there is no right to erasure under Article 17 of the GDPR, but a rectification under Article 16" (note cit., pp. 1-2);

d. the Company has "rectified the assessment in the [complainant's] file, inserting the first non-negative assessment ("Overall performance in line with expectations") and supplementing the records with notes clarifying that the old data - in this case, the suspension and the judgment of insufficient performance - was corrected in fulfilment of a judicial decision" (note cit., p. 2).

On 21 September 2020, following the request for further clarification of 4 September 2020, the complainant stated that:

a. "The controller merely communicated, on 3 April 2019, that it had taken charge of the access request of 27 March 2019, without that communication being followed either by the communication to the data subject of the information under Article 15 GDPR or by the communication of a reasoned extension of the time limit on account of the complexity of the information to be provided to the data subject" (note of 21 September 2020 cit., p. 1);

b. "The controller [...] did not communicate the existence of the processing relating to the employee performance appraisal process (so-called Unicredit Performance Management [...])" (note cit., p. 3);

c. with reference to the appraisal of the employee's performance, "the data subject was subjected to a decision based solely on automated processing (without human intervention), a decision producing legal effects concerning him or in any case significantly affecting him" (note cit., p. 5).

On 13 January 2021, following a further request for information from the Authority, the Company finally stated that:

a. "Unfortunately, we are unable to say whether or not the text of the privacy notice was attached to the package of documents sent [...] last July but, in any case, the [complainant] already had it and could and can at any time easily download it from the company website" (note of 13 January 2021 cit., p. 1);

b. "The information that the data subject is entitled to obtain under Article 15 of the Regulation [is] all already contained in the privacy notice. [...]. The notice already clearly indicates the purposes of the processing (Section 2 of the notice), the categories of data processed (Section 3), the recipients or categories of recipients to whom the data may be communicated (Section 4) and the retention period (Section 7.1), and also lists the data subject's rights and the possibility of lodging a complaint in Sections 7 and 10" (note cit., p. 1);

c. "no automated procedure without human intervention was carried out in the processing of employee data. The attribution to the [complainant] of an assessment "overall in line with expectations" was not the result of an automated decision-making process without human intervention, but a decision taken by a Unicredit employee, Head of Operations Italy, and is a correct application of the decision of the Court of Appeal of Milan, as upheld by the Court of Cassation, which provided only for the ineffectiveness of the negative assessment for the year 2008 and not for the "reconstruction of the professional history" of the [complainant]. All the elements needed to replace the assessment declared ineffective had already been acquired; no new meeting with the employee was therefore necessary [...] nor any adversarial procedure" (note cit., pp. 1-2).

2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

On 1 March 2021, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulations found, with reference to Articles 5, par. 1, lett. a), 12 and 15 of the Regulations.

With defense briefs sent on March 29, 2021, the Company stated that:

to. "The methods followed [by the Company] in finding the access request by the [complainant] are the result of the generic nature of the request sent"; in fact, the complainant formulated "an access request that referred to any type of data, processing and information that can be requested pursuant to the Regulations, which evidently did not allow the Company, due to its breadth and generality, to understand precisely what personal data and what information the [complainant] was interested in obtaining "(note 29/3/2021, point 2);

b. "UniCredit took charge and followed up on the request of the [complainant] within 4 days of the request, informing the interested party of the need to fill in the form made available on the company portal"; "The compilation of this form [...] was [...] aimed [...] to facilitate the exercise of rights through the adoption of a suitable organizational system capable of allowing the same interested party, who had made a generic request, to indicate with precisely what information was needed by the same "(cit. note, point 2.1);

c. "The Company certainly processes a considerable amount of personal data not only with respect to the individual interested parties who have an ongoing relationship with it (such as in the case of the [complainant], an employee of the company for 18 years) but also, being one of the most large European banks with over 8 million customers and about 34 thousand employees, compared to numerous subjects "(cit. note, point 2.1);

d. "The fact that the [complainant] never sent the form and that his lawyer's request included any information on the processing of his client's personal data confirms [...] that we are faced with a" manifestly unfounded "request and" excessive "by the [complainant]" (cit. note, point 2.1);

And. “The way in which the information requested was provided to the [complainant] is due to the fact that he did not clarify which information he was interested in without filling in the form provided by UniCredit. In any case, the information provided is certainly intelligible by the [complainant] because it concerned his working life which he certainly knows in depth ”(cit. Note, point 2.2);

f. the information prepared by the Company, provided to employees at the time of hiring and made available "on the company website accessible directly and at any time to the employee [...], outlines, in detail and in an exhaustive manner, the processing activities carried out by companies, including information about the purposes of the processing, the categories of personal data processed, the categories of recipients to whom the personal data are communicated, the retention period of personal data "(cit. note, point 2.3);

g. therefore the Company "specifically indicated to the [complainant] where this information was accessible within the privacy notice. In the presence of sufficient information on the methods of processing personal data in the privacy notice, it is not clear what further information should have been provided to the [complainant]" (cit. note, point 2.3);

h. "There was no delay in UniCredit's response to the [complainant's] access request. The Company promptly sent the [complainant] the form aimed at understanding in detail which information he was interested in and did not receive any feedback from him. In the absence of a reply, the deadline for exercising the rights must be considered suspended because the data controller is not in a position to follow up on the request" (cit. note, point 3);

i. the Company "asks the Guarantor [...] to recognize and declare that the conditions for the application of administrative sanctions for the violation of articles (i) 5, par. 1, letter a) of the Regulation, (ii) 12, par. 2 and 3 of the Regulation or, subordinately, that the conditions for the application of sanctions to the minimum extent required by law exist".

On June 15, 2021, the hearing of the Company was held at the request of the Company itself. The party stated that "on the basis of company provisions, in order to verify the requests for exercise of rights by its employees, Unicredit has arranged for the activation of a ticketing function within which a form is to be completed. The request is taken care of even in the absence of filling in the form, provided that the type of data to which access is sought and, possibly, the underlying purposes are clearly indicated. This is in compliance with the principle expressed by the GDPR according to which requests must not be specious". The Company underlined "the fully collaborative approach taken towards the applicant and towards the Authority [...] and the lack of any damage suffered by the applicant, who received all the requested information". Finally, it was specified that according to the procedures in use "the company provides a copy of the personal data processed, while with reference to the other information referred to in art. 15 of the GDPR it refers to the content of the privacy notice, considering that the privacy notice is already transparent in itself".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

3.1. Outcome of the investigation.

Upon examination of the declarations made to the Authority during the procedure, as well as of the documentation acquired, it appears that the Company, as controller, has carried out some processing operations concerning the complainant which do not comply with the regulations on the protection of personal data. In this regard, it should be noted that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies facts or circumstances, or produces false acts or documents, is liable pursuant to art. 168 of the Code ("Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor").

In this regard, it emerged that on 3 April 2019 the Company responded to the request for access to his personal data, submitted on 28 March 2019 by the complainant, with a merely interlocutory reply ("we have taken charge of the request [...] to which we will reply within the time limits provided for by art. 12 of the Regulation"), accompanied by a request that the applicant fill in and sign a predefined form "to process the access request".

Only following the submission of a complaint to the Authority and the initiation of the related administrative procedure did the Company cooperate with the Guarantor and provide the interested party with effective feedback, by sending documentation containing the personal data already covered by the access request and, with regard to the information relating to the processing and the rights of the data subject (pursuant to art. 15, lett. a) to h) of the Regulation), by referring to the content of the general privacy notice provided to employees.

3.2. Violation of articles 12 and 15 of the Regulation in relation to the obligation to fill out a predefined form.

The Company has established, both in the specific case that is the subject of the complaint and in general terms, on the basis of a procedure covering all the requests submitted by its employees and former employees, that in order to process an access request pursuant to art. 15 of the Regulation the interested party must necessarily fill in a predefined form with multiple fields, with the stated purpose of "facilitating the applicant and making the subject of the request more easily intelligible, reducing the risk of having to ask for clarifications or provide inappropriate answers".

While the preparation of a form can, in general terms, constitute an organizational method aimed at facilitating interested parties in submitting requests, it is not, however, compliant with the current legislation on the protection of personal data to make the start of the procedure intended to give effect to the exercise of the right conditional on the prior submission of the aforementioned completed form, and not to consider on the merits requests submitted in free form.

This is even more so if, as in the case of the complaint, the application submitted indicates in detail - by referring to the content of art. 15 - the range of personal data in relation to which the right was exercised. This is without prejudice to the right of the controller to ask the interested party - if necessary - for clarification on the subject of the application.

It is also noted that the form made available by the Company (in particular the one sent to the complainant attached to the reply of 3/4/2019), as regards the section concerning access ("Access to personal data - Art. 15 of Regulation (EU) 2016/679"), does not report the complete and detailed list of the information indicated in art. 15 of the Regulation, with the consequent possibility of misleading interested parties about the actual content of the enforceable right and, in any case, providing a partial representation of it (the aforementioned form refers only to the possibility of requesting confirmation that processing is taking place and of requesting communication of the data, specifically indicating "the personal data, the categories of data or the processing to which reference is made"; moreover, two of the categories of information specifically mentioned in art. 15 are included in the different section "Request for information on the processing of personal data - Articles 13 and 14 of Regulation (EU) 2016/679", in particular the purposes of the processing and the subjects or categories of subjects to whom the data may be communicated).

The exercise of the right of access to personal data is closely related to the specific methods and time limits with which the controller is required to satisfy the requests of the interested party, identified by art. 12 of the Regulation in order to make the principles of transparency and fairness effective (recitals 58 and 60 of the Regulation). In particular, the controller is required to "facilitate the exercise of data subject rights under Articles 15 to 22" (article 12, par. 2, of the Regulation), and to "provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request" (a term that can be extended by two months, giving adequate information to the interested party, where necessary, taking into account the complexity and number of the requests; Article 12, paragraph 3, of the Regulation).

Conversely, the obligation to fill in a predefined form in addition to, and regardless of the specific content of, an application to exercise a right recognized by the legal system makes the exercise of the right itself more burdensome (rather than facilitating it through the adoption of appropriate measures), and moreover distinguishes the categories of interested parties subject to this obligation (employees and former employees) from the categories exempt from this constraint (customers), on the basis of considerations that do not appear to comply with the principle of reasonableness (in particular, according to what the Company has indicated, the circumstance that, as regards employees, the predefined form is "easily downloadable from the portal").

Nor can the Company's argument be shared according to which, in the case at hand, the failure of the interested party to fill in the form and the circumstance that the request submitted had as its object "any information on the processing of personal data" of the complainant were in themselves an indication of a "manifestly unfounded" and "excessive" request.

On the one hand, in fact, the request made by the complainant does not appear "unfounded", given that art. 15 of the Regulation does not provide for any limitation with regard to the information that can be accessed; the interested party may well request to know the entire range of data processed by the controller (so much so that art. 12, paragraph 3 of the Regulation provides for the extension of the deadlines for responding to the request "taking into account the complexity and number of the requests"). This is also in consideration of the fact that the right of access, in the data protection system, allows the interested party to exercise control over personal data concerning him, and is also preliminary to possible further activities aimed at protecting his rights (recital 63 of the Regulation).

Nor could the request of the interested party be considered "excessive", considering that this term, also read in the light of the subsequent wording ("in particular due to the [...] repetitive nature"), mostly refers to the case of a plurality of requests submitted and, in the present case, it does not appear that the complainant had previously made requests for access.

In any case, finally, it is noted that pursuant to art. 12, paragraph 4, of the Regulation, "If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy".

In the present case, the controller should therefore have informed the interested party of the reasons for which the application was not acted upon and of the remedies provided for by the legislation against this decision.

The Company, for the reasons set out above, has therefore violated Articles 15 and 12, par. 2, of the Regulation. The Authority acknowledges that the Company, during the procedure, declared that at present "the request is taken care of even in the absence of filling in the form".

3.3. Violation of articles 5, par. 1, lett. a), 12 and 15 of the Regulation in relation to the reference to the content of the privacy notice.

It also emerged that the Company, following the opening of an administrative procedure by the Authority, sent the complainant copies of the documents in its possession containing the personal data relating to the interested party. In this regard, it should be noted that the considerable amount of paper documentation sent in copy to the complainant - and also transmitted to the supervisory authority for information - does not appear to have been provided in such a way as to facilitate access and understanding by the interested party, so as to allow even a minimal coherent use of it.

With the reply, however, the information relating to the processing requested by the complainant pursuant to art. 15 of the Regulation (par. 1, letters a) to h), and par. 2) was not provided. The Company has in fact declared that it believes it has already complied with the provisions of the Regulation in this regard, given that all the information requested by the complainant can be found in the text of the privacy notice that the complainant "could and can easily download at any time [and] from the company website".

In this last regard, it should be noted that the right, recognized to the interested party, to access the information provided for by art. 15 of the Regulation, in application of the principles of transparency and fairness (Article 5, paragraph 1, letter a) of the Regulation), cannot be considered satisfied by the mere fact of having provided the information referred to in Articles 13 and 14 of the Regulation. The right of access and the so-called right to information, albeit related, are in fact different rights, sanctioned by separate provisions of the legal system and responding to protection and guarantee needs of the interested party that do not completely overlap.

As recently clarified also by the Guidelines 01/2022 on data subject rights - Right of access, adopted on January 18, 2022 (subject to public consultation concluded on March 11, 2022), when handling an access request the controller must tailor to the specific situation of the interested party the information given in necessarily general terms in the privacy notice (or in the record of processing activities). Therefore, when communicating the information to the interested party pursuant to art. 15 of the Regulation, all the information contained in the privacy notice must be verified and adapted in the light of the concrete processing operations carried out with regard to the applicant (see Guidelines 01/2022 cit., point 110 et seq.; in general terms, see paragraph 111: "In the context of an access request under Art. 15, any information on the processing available to the controller may therefore have to be updated and tailored for the processing operations actually carried out with regard to the data subject making the request. Thus, referring to the wording of its privacy policy would not be a sufficient way for the controller to give information required by Art. 15 (1) (a) to (h) and (2) unless the «tailored» information is the same as the «general» information"; unofficial translation: "In the context of the communication of the information referred to in Article 15, all information on the processing available to the data controller must therefore be updated and adapted to the processing operations actually carried out with regard to the interested party who submits the request. Therefore, referring to the general privacy policy would not be a sufficient means for the data controller to provide the information referred to in Article 15, paragraph 1, letters a) to h), and paragraph 2, unless the 'tailored' information coincides with the 'general' information").

On the basis of the above reasons, the Company has violated the principles of transparency and fairness (see Article 5, paragraph 1, letter a) of the Regulation) and, in particular, the obligation to provide an intelligible and easily accessible response (art. 12 of the Regulation) to the access request submitted pursuant to art. 15 of the Regulation, containing all the specific information requested by the interested party with reference to the categories of data relating to him/her processed by the controller.

The Authority acknowledges that in the course of the proceedings, the Company provided feedback to the complainant regarding the information indicated in art. 15, par. 1, lett. h) of the Regulations with regard to the concrete processing activities carried out on the data of the interested party (absence of decisions based solely on automated processing, also with reference to the evaluation procedures).

3.4. Fulfillment of the request for rectification of the data relating to the interested party.

Lastly, it emerged that the Company, during the procedure before the Authority, completed the rectification of the data relating to the complainant contained in his personnel file, following the decision of the judicial authority, by modifying the assessment (declared ineffective) formulated at the time as part of the complainant's performance appraisal procedure. The conduct of the data controller, which rectified the data and also inserted internal notes in the file stating that "the old data [...] has been corrected in fulfillment of a judicial decision", also specifying that "any documents to be produced externally will only report the corrected data", complies with the provisions of the Regulation on rectification and erasure, also taking into account that, with the complaint, the request was made to the Authority, in relation to the aforementioned data, alternatively to "order rectification and/or erasure", and that in any case the complainant, even during the proceedings, did not set out the specific reasons, among those indicated in art. 17 of the Regulation, by virtue of which the controller would be obliged to proceed with the erasure of personal data.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the aforementioned reasons, the Authority considers that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome, and that they are therefore unsuitable to allow this proceeding to be closed, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

The processing of personal data carried out by the Company, and in particular the failure to respond to the access request submitted by the complainant, is in fact unlawful, in the terms set out above, in relation to Articles 5, par. 1, lett. a), 12 and 15 of the Regulation.

The violation ascertained in the terms set out in the motivation cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility, the way in which the supervisory authority became aware of the violation and previous relevant violations (recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation:

the controller is enjoined to satisfy the requests of the interested party regarding access to the information indicated in art. 15, par. 1, lett. a) to g) (given that, in relation to the provisions of letter h), the Company has already provided, during the procedure, a reply referring to the concrete processing activities carried out on the data of the interested party) (Article 58, par. 2, letter c) of the Regulation);

a pecuniary administrative sanction is ordered pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulations; art. 166, paragraph 7, of the Code).

At the outcome of the procedure, it appears that Unicredit S.p.A. has violated Articles 5, par. 1, lett. a), 12 and 15 of the Regulation. For the violation of the aforementioned provisions, the pecuniary administrative sanction provided for by art. 83, par. 5, lett. a) and b) of the Regulation is applied through the adoption of an injunction order (Article 18, Law 11/24/1981, n. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation ", the total amount of the sanction is calculated in such a way as not to exceed the legal maximum provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulation), it is stated that, in the present case, the following circumstances were considered:

a) in relation to the nature, severity and duration of the violation, the nature of the violation was considered relevant, affecting the general principles of processing as well as the exercise of the rights of the interested party;

b) with reference to the willful or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company and its degree of responsibility were considered, the Company having failed to comply with data protection rules relating to a plurality of provisions;

c) that the Company was the recipient of four measures adopted by the Guarantor, one of which, in particular, followed the ascertainment of a violation of the obligation to respond to the exercise of the rights of interested parties in the specific manner set out in art. 12 of the Regulation (see Provision 25/11/2021, n. 408, web doc. n. 9731887); the previously ascertained violation denotes an insufficient provision of measures aimed at allowing interested parties to exercise control over their personal data through the provision of information on the processing, just as, in the present case, the interested party was not allowed to exercise control over his data through the exercise of the right of access (in relation to the parameter referred to in Article 83, paragraph 2, letter e), see Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679, 3.10.2017);

d) in favor of the Company, the cooperation with the Supervisory Authority and the circumstance that the ascertained violation concerned only the complainant was taken into account.

It is also considered that, in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), relevance is assumed firstly by the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the ordinary financial statements for the year 2021. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is considered, in the present case, to apply the administrative sanction of payment of a sum equal to Euro 70,000 (seventy thousand) to Unicredit S.p.A.

In this context, it is also believed, in consideration of the type of violations ascertained that concerned the general principles of processing and the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision should be published on the Guarantor's website.

It is also considered that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

WHEREAS, THE GUARANTOR

finds the unlawfulness of the processing carried out by Unicredit S.p.A., in the person of its legal representative, with registered office in Piazza Gae Aulenti, 3, Tower A, Milan (MI), C.F. 00348170101, pursuant to art. 143 of the Code, for the violation of arts. 12 and 15 of the Regulation;

ENJOINS

pursuant to art. 58, par. 2, lett. c) of the Regulation to Unicredit S.p.A. to satisfy the interested party's request regarding access to the information indicated in art. 15, par. 1, lett. a) - g), within the terms specified in the motivation, within 60 days of receipt of this provision;

ORDERS

pursuant to art. 58, par. 2, lett. i) of the Regulations to Unicredit S.p.A., to pay the sum of Euro 70,000 (seventy thousand) as a pecuniary administrative sanction for the violations indicated in this provision;

ENJOINS

therefore the same Company to pay the aforementioned sum of 70,000 (seventy thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts pursuant to art. 27 of Law n. 689/1981. Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree n. 150 of 1.9.2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);

PROVIDES FOR

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Unicredit S.p.A. is requested to communicate what initiatives have been undertaken in order to implement this provision and, in any case, to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by art. 83, par. 5, lett. e) of the Regulation.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, June 16, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei
1. EDPB Guidelines 01/2022, par. 110 and 111.