Garante per la protezione dei dati personali (Italy) - 9827119

From GDPRhub
Garante per la protezione dei dati personali - 9827119
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 22.03.2021
Decided: 15.09.2022
Published: 15.09.2022
Fine: 40,000 EUR
Parties: FCA Italia s.p.a.
National Case Number/Name: 9827119
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: DPA (in IT)
Initial Contributor: m_g_a

The Italian DPA has sanctioned the company FCA Italy s.p.a. €40,000 for failing to execute the right of access request of a former employee.

English Summary[edit | edit source]

Facts[edit | edit source]

A former employee (the complainant) asked his former company FCA Italy s.p.a. (the data controller), to access his personal data processed in the context of their employment relationship and held in his personal file. Since the company did not reply, on 22 March 2021, the complainant filed a complaint with the Italian DPA, who then requested the company to provide feedback in this regard.

The company provided a first defense note stating that the complainant used to have conversations with the H.R. department and that, after receiving the access request, the data controllerhad considered it possible to resolve the issue in a meeting which, however, due to the COVID-19 emergency, had been postponed several times. Furthermore, according to the company, the data that the complainant requested was already in his possession.

On 05 August 2021, the complainant stated in a note that the feedback provided by the data controller was unsuitable and reiterated his request. The company responded to have carried out the complainant's demands and that the requested documents were already available to the complainant. As the data controller declared itself to have been collaborative by sending what was requested with transparency, it requested the DPA to express a preliminary opinion on the admissibility of the appeal presented by the complainant considering itself not responsible and therefore not punishable.

On 08 April 2022, the Italian DPA notified the data controller of the alleged violations of the GDPR that had been found, specifically of Article 12 GDPR and Article 15 GDPR, and stated that the complaint by the complainant was admissible.

Following a request from the data controller, a hearing took place on 24 May 2022 during which the data controller declared that since November 2020, the data controller had a portal dedicated to the exercise of the rights of interested parties, both employees and customers, which could be accessed also from the company's website. Furthermore, the aforementioned link was automatically sent every time someone wrote to the data controller's DPO. Additionally, on the data controller intranet, after registering on the "The Hub" portal, employees could access their personal file and download them. At the time of submitting the access request, the complainant was registered with "The Hub" since 27 November 2020. The data controller had also made available both a telephone service and a physical counter through which it was possible to request information and exercise the right of access. It was ascertained that the telephone service was used 15 times by the complainant, always receiving a response on the same day the request was made. The complainant had also requested on various occasions for meetings with the data controller which was organised together with the union representative, and during which he had made a request for documents that the company had provided to him. Lastly, it submitted that there was an "obvious conflict" between the company and the complainant, given the constant request for meetings by the complainant.

Holding[edit | edit source]

Following the hearing and an examination of the documentation acquired, the Italian DPA ascertained that the data controller carried out treatments that did not comply with the legislation. In fact, it emerged that on 5 Januray 2021 the complainant had sent a request aimed at obtaining some information to which, however, the company had not provided any response. Only after the complaint was submitted and the relevant procedure was started did the company become available and collaborative by sending the requested documents to the complainant.

The data controller believed it could provide feedback to the complainant's request during a meeting with representatives of H.R., based on a practice established with the complainant. However, this meeting did not take place due to the COVID-19 emergency. However, according to DPA, this conduct did not comply with the provisions of the GDPR. In fact, the data controller is required to facilitate the exercise of the complainant's rights and to provide him with information in relation to the action taken without unjustified delay and in any case within 1 month of receiving the request. Furthermore, the requested information must be provided in writing or by other means. Therefore, the data controller should have responded to the complainant in the manner and within the foreseen deadlines, under Article 12(1) GDPR, Article 12(2) GDPR, Article 12(3) GDPR and Article 12(4) GDPR.

The DPA further stated that regarding the fact that the complainant had already used the tools made available by the data controller, the DPA found that not all the requested information is available through them. Furthermore, the request for access to personal data, pursuant to Article 15 GDPR, can also be requested in relation to data which the interested party already has or which has already been delivered to him.

In closing, if a complainant makes a request and the data controller does not comply with his request, the controller is required to inform him within 30 days of receiving the request of the reasons for non-compliance and the possibility of filing a complaint with the DPA. In this case, therefore, the data controller should have informed the complainant of the reasons why his request was not followed up.

Following the violations of the abovementioned articles of the GDPR, the DPA sanctioned the data controller €40,000 , considering the nature, severity and duration of the violation, the intentional or negligent nature of the violation and a previous provision issued against the company but positively evaluating its cooperation.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9827119]

Injunction order against FCA Italy S.p.A. - September 15, 2022

Register of measures
n. 303 of 15 September 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

GIVEN the complaint presented pursuant to art. 77 of the Regulation dated 22 March 2021 by Mr. XX against FCA Italy S.p.A.;

EXAMINED the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER the lawyer. Guido Scorza;

PREMISE

1. The complaint against the Company and the investigative activity.

With a complaint dated March 22, 2021, Mr. XX complained about alleged violations of the Regulation by FCA Italy S.p.A. (hereinafter, the Company), with reference to the failure to respond to the request to access the personal data processed in the context of the employment relationship pursuant to art. 15 of the Regulation. In particular, the complainant complained that, in response to the exercise of the right of access to his data held in the personal file − as well as in the qualification notes, in the notes and/or evaluations on the activity carried out, in the documents relating to the professional career and activities carried out in execution of the employment relationship and the list, from the date of hiring until the date of submission of the application, of the daily tasks assigned to the line of work, with specification of the line of work - carried out by registered letter with return receipt dated 5 January 2021, the Company did not send any response.

The Company, in providing feedback to the Authority's invitation to join dated 24 June 2021, with a note dated 29 July 2021 (and related attachments whose sending was completed with a note dated 2/8/2021, with which the documents are also sent to the complainant), declared that:

to. the complainant "usually has conversations with the Human Resources office [...] and with the office of the Head of the Prevention and Protection Service (RSPP)"; “All meeting requests have always been quickly handled with specific meetings”;

b. "consistent with this modus operandi, after receiving the request for access to documents dated 11.1.2021, the Plant's Human Resources office believed it could manage the issue through a dedicated individual meeting; however, due to organizational events linked to the suspension of the Plant's activities due to the use of redundancy payments also linked to the Covid emergency, the in-person interview was [...] postponed several times";

c. "the information to which the employee requests access consists mainly of data already available to him and, in part, refers to documents that [...] do not exist in reality as the Company does not prepare them";

d. "in confirming the desire of the [...] Company to adhere to the request for access, as can be seen from what is reported above and from the related documents attached, we believe it is possible to understand how FCA's Verrone plant has never voluntarily had the intention to ignore or evade the access request received from the [complainant's] lawyers".

The complainant, with a note dated 5 August 2021, considered the feedback provided to be unsuitable, reiterating the request to access all the information already indicated. In this regard, the Company, with a note dated 25 August 2021, further declared:

to. to have taken steps to "transmit, within the established timescales and directly to the same [complainant], the documentation available in the company referring to the specific indications reported in the interested party's request";

b. that the complainant has formulated "a more detailed request referable, once again, to documentation that is already available to him, such as the payslips that are delivered to the employee every month, or other documents referring to the evaluation process which in reality do not exist because they are not foreseen by the internal procedures"; furthermore "everything that is referable to the periodic medical visits carried out as part of the health surveillance pursuant to the T.U. 81/08, is not present in the employee's personal file as the data controller is, by law, the Competent Doctor";

c. that the company "with a collaborative attitude is sending everything requested with transparency and without any opposition even though in the specific case there is a legitimate interest on the part of the same connected to the right of defense pursuant to art. 2-undecies, paragraph 1 letter e) of the Legislative Decree. 196/2003 updated to Legislative Decree 101/2018, to maintain confidentiality on internal document production, in the event that there is a risk of litigation and, in the case in question, this hypothesis is completely evident";

d. consequently it asked the Authority to "Preliminarily: express an opinion regarding the admissibility of the Complaint proposed pursuant to art. ex art. 2-undecies, paragraph 1 letter e) of the Legislative Decree. 196/2003 updated to Legislative Decree 101/2018. In the alternative: [...], the Authority considers the behavior of FCA Italy S.p.A. exempt from liability and therefore not sanctionable".

The complainant, with a note dated 12 September 2021, reiterated his requests, believing, among other things, that the Company "confirms that it is in possession of the documentation in relation to which the request for access and obtaining a copy was formalised, but that access is inhibited because, according to them, it is useful for starting a dispute against FCA".

In response to a request from the Authority to provide further clarifications (dated 10.3.2022), the Company with a note dated 29 March 2022 declared:

to. “It is confirmed that FCA has provided everything requested [by the complainant] after receiving your request […]. There is therefore no other information or documents that need to be further produced";

b. "FCA's employment relationship with the [complainant] has [...] ceased since 21 October 2021, the worker having signed a report of consensual termination of the employment relationship with the company".
2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

On 8 April 2022, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to the articles. 12 and 15 of the Regulation.

Preliminarily, the Authority deemed it unable to accept the Company's request, made on 25 August 2021, to declare the complaint inadmissible pursuant to art. 2-undecies, paragraph 1, letter. e) of the Code, considering that the aforementioned article provides that in predetermined and mandatory cases "the rights referred to in the articles. from 15 to 22 of the Regulation cannot be exercised with a request to the data controller or with a complaint pursuant to art. 77 of the Regulation if the exercise of these rights could result in actual and concrete prejudice [...]". Furthermore, the following paragraph 3 specifies that "The exercise of the same rights may, in any case, be delayed, limited or excluded with reasoned communication given without delay to the interested party". In the present case, the Company did not indicate, in its communications to the Authority, what "effective and concrete prejudice" could derive from the exercise of the right of access by the complainant. Indeed, the Company itself took steps to transmit to the complainant the personal data contained in the personal file during the procedure, declaring - most recently with a note dated 29 March 2022 - that "There is [...] no other information or documents that need to be further products".

With a note dated 6 May 2022, the Company requested to be heard at a hearing, with the right to integrate the defenses already proposed there, including through written counterarguments and/or the production of further documentation.

The company, during the hearing, held on May 24, 2022, declared that:

to. "following receipt of the notification of the violations from the Authority, the company deemed it appropriate to report, in support of what has already been indicated in the briefs sent during the proceeding, what it has implemented in order to support its employees in the context of the acquisition of the administrative/accounting documentation relating to the employment relationship, also adopting specific measures to provide feedback to requests for the exercise of rights by the interested parties. It should be noted that the group's employees in Italy are 49,000 and the owner company in Italy has 34,000 employees. In November 2020, the company activated a portal dedicated to the exercise of the rights of interested parties, both employees and customers, which can be accessed through a specific link (Home (fcagroup.com)), which can also be reached from the website of society. The link is automatically sent every time you write to the DPO.” (hearing minutes 5/25/2022, p. 1-2);

b. “Furthermore, as regards employees, information tools relating to the rights of interested parties, the privacy documents produced by the company, the company's obligations regarding privacy and the procedures used are available on the intranet. In particular, within the intranet each employee, after registering on the "The Hub" platform, can access the documents contained in their personal file and download them" (hearing minutes cited, p. 2);

c. "the complainant, at the time of submitting the access request, was registered on the "The Hub" platform and had downloaded his salary slips from it: this detailed data did not emerge previously since registration on "The Hub" did not is among the data contained in the employee's personal file, the subject of the complainant's access request." (hearing minutes cit., p. 2);

d. “Another tool made available to the company is a telephone service (Infocenter) through which it is possible to request information and exercise the right of access. Based on further investigations it emerged that the complainant used this service [...]. Finally, the company provides a physical counter at the plant which carries out the same activity as the telephone service." (hearing minutes cit., p. 2);

And. “the complainant had requested meetings with the company on various occasions, in which he participated together with the union representative, during which he also submitted a request for documents which the company provided him with. For this reason, upon receiving the access request, the company believed it could rely on this practice on this occasion too. The company therefore had no intention of not responding to the interested party. It is therefore believed that the company's conduct cannot be classified as a violation. In any case, if this is not considered configurable, the violation should be classified as a "minor violation", also taking into account previous decisions of the Authority" (hearing minutes cited, p. 2);

f. “The employees were provided with information relating to registration and access to "The Hub" also at the same time as the delivery of their salary slips. Furthermore, the company has organized privacy training courses to raise employee awareness also in relation to the exercise of rights" (hearing minutes cited, p. 3).

With briefs sent on 24 May 2022, the Company finally declared that:

to. the Company has adopted specific measures to provide feedback to requests for the exercise of rights by interested parties, both of an organizational nature (including the adoption of a "management of interested parties' rights" procedure, updated periodically), and aimed at implementing the data protection awareness (including the implementation of the corporate platform "The Hub"), and of a technical organizational nature (creation of a "Privacy Portal" through which all interested parties (including employees) can easily and quickly exercise the rights provided from articles 15 and following of the GDPR"); in particular within The Hub platform there is an area "from which it is possible to directly access all the documentation relating to the employment relationship, in fact (as regards the procedure in question) substantially coinciding with the worker's personal file ”; in particular, through this section it is possible to access the following documents: “slips; unique certifications; 730 models; […] documentation relevant for the purposes of processing the personal data of the interested party in question (information, procedures); corporate statements; award letters; documentation regarding "single allowances"; summary of all the data of the interested party, and of his family members, processed by the Company (including the company position, the salary received, the right to any tax deductions, etc.); supporting documents (for absences and expenses); all institutional communications between the Company and the interested party; any further personal documents transmitted by the interested party to the Company; any further company documents relating to the relationship" (defence briefs 24/5/2022, p. 2-3);

b. “after the necessary checks, it emerged that the [complainant] registered with The Hub on 27 November 2020 and also made use of the download functions provided within this platform (listed previously), for example to obtain a copy of their pay slips" (defense briefs cited, p. 3)

c. the Company has also verified that the complainant has "also exercised his right of access via Infocenter: during the course of the relationship, this happened 15 times (the last of which on 15 October 2021) and the interested party has always received feedback on the same day of the request, obtaining - among other things - information/data relating to: pay slips; attendance; unique certifications; working hours performed; declarations regarding strenuous work; salary received; declarations for salary-backed loans and/or foreclosures; corporate membership; declarations regarding social safety nets; TFR advance; tax deductions; marital leave" (defence briefs cited, p. 3);

d. “The above serves to clarify the Company's statement according to which «the information to which the employee requests access consists mainly of data already available to him»: in the matter which is the subject of the Complaint, in fact, this availability does not refer only to data "already entered into the interested party's wealth of knowledge", with retrospective scope, but on the contrary consisted in current, immediate and constant availability" (defense briefs cited, p. 3);

And. therefore the complainant "could have received feedback on his requests in real time, since all the data he requested from FCA (initially, with a smaller list and, in the course of this proceeding, with a subsequent very extensive integration) were already within of his personal area in "The Hub"” (defense briefs cited, p. 4);

f. between the Company and the complainant "there was an "obvious conflict", [which] also manifested itself with the repeated and constant request for union-assisted meetings [...]. In particular, in addition to the numerous "formal" meetings held in 2019 and 2020 (also in the presence of the RSPP), and the further "informal" meetings at the production line (so-called "UTE", Elementary Technological Unit), between the end of 2020 and the termination of the employment relationship - which occurred in October 2021 - there were five "formal" meetings with the interested party [...]. As already clarified [...], however, in the period preceding the Complaint this practice was hindered both by the use of social safety nets and by the absences of the [complainant]" (defense briefs cited, p. 4);

g. as regards the elements indicated by the art. 83, par. 2 of the Regulation, the Company represented that: the disputed violation concerned only one interested party and was negligent in nature; the Company has periodically updated its policy for the management of data subjects' rights from 25 March 2020, in particular and most recently on 6 April 2022; the Company has adopted various technical and organizational measures pursuant to articles. 25 and 32 of the Regulation and has constantly cooperated with the Supervisory Authority during the procedure; the personal data being processed are "common".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

3.1. Outcome of the investigation.

Following the examination of the declarations made to the Authority during the procedure as well as the documentation acquired, it appears that the Company, as owner, has carried out some processing operations, referring to the complainant, which are not compliant with the relevant regulations of protection of personal data. In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

On the merits, it emerged that the Company, in response to a request sent on 5 January 2021, containing the indication of specific information, even if not contained in the personal file, collected and held within the scope of the employment relationship, did not provide response to the complainant.

Only following the submission of a complaint to the Authority and the start of the related administrative procedure, the Company collaborated with the Guarantor and provided the interested party with effective feedback by sending documentation containing the personal data already subject to the request access (with notes dated 2 and 25 August 2021), declaring under their own responsibility not to process any data other than that transmitted.

3.2. Violation of articles 12 and 15 of the Regulation.

The Company stated that it believed it could provide feedback to the interested party's request during a personal meeting with representatives of the Human Resources Office, in accordance with a "practice" that would have been established with the complainant, given that the latter in the past he had repeatedly asked to meet the company. During some of these meetings the Company also provided documents to the interested party, upon his request. However, the meeting would not have taken place due to the "suspension of the Plant's activities due to the use of redundancy payments also linked to the Covid emergency".

This conduct does not comply with the provisions of the Regulation regarding the exercise of rights.

The exercise of the right of access to one's personal data is strictly related to the identification of the specific methods and time limits with which the owner is required to satisfy the requests of the interested party, identified by the art. 12 of the Regulation in order to make the principles of transparency and correctness effective (cons. 58 and 60 of the Regulation). In particular, the owner is required to "facilitate] the exercise of the rights of the interested party pursuant to articles 15 to 22" (art. 12, par. 2, of the Regulation), and to "provide[d] the interested party the information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself" (deadline which may be extended by two months, giving adequate information to the interested party, in the case of complexity and high number of requests received; art. 12, paragraph 3, of the Regulation). The information requested, then, “is provided in writing or by other means, even if appropriate, by electronic means. If requested by the interested party, the information may be provided orally” (art. 12, par. 1, of the Regulation).

Therefore, the Company should have responded to the complainant's request in the manner ("in writing") and within the terms established by law. In relation to the specific case, then, it is noted that unlike in the past in which the same complainant had asked to speak with the company through in-person meetings, in January 2021 the interested party had instead presented a formal request by registered letter with return receipt , through two lawyers, with the specific indication that the requested documentation should have been sent "also via certified e-mail" to the email address of one of the lawyers. Therefore the Company should not have trusted in the "practice" that would be established with the complainant.

The Company also ascertained, during the proceedings, that the complainant would have used some tools made available to employees to directly access some data processed by it during the employment relationship ("The Hub" platform, active since November 2020, and Infocenter telephone system). From this the consequence would be drawn that "the information to which the employee requests access consists mainly of data already available to him".

In this regard, it is noted first of all that, based on the documentation in the documents and as stated by the Company itself, not all the data subject to the access request are available through the aforementioned tools ("The Hub" and Infocenter) (as can be seen also by the same expressions used by the Company: the information being accessed consists "mainly of data already available"; through The Hub it is possible to access the "documentation relating to the employment relationship [...] substantially coinciding with the worker's personal file" , emphasis added). Furthermore, the documentation thus obtained by the complainant, based on what was reconstructed by the Company, constitutes only a part of what was requested.

Furthermore, and above all, the request for access to personal data can also be presented in relation to data already available to the interested party or already delivered to them. This is consistent with the purpose of the right of access, which is to allow the interested party to verify (even at "reasonable intervals" of time: see recital 63 of the Regulation) whether or not a certain processing is in progress and to verify its lawfulness and correctness (also taking into account that the methods and range of data processed may change over time).

The art. 15 of the Regulation does not provide for any limitation regarding the information relating to the interested party that can be accessed and the same Regulation, moreover, expressly provides for the possibility that the interested party presents multiple access requests (except for the possibility for the data controller , in the case of "excessive" requests, in particular due to their repetitive nature, to charge a reasonable expense contribution; art. 12, par. 5, of the Regulation; on the interpretation of the provisions of the Regulation referred to here, see the Guidelines 01/2022 on data subject rights - Right of access, adopted on 18 January 2022 by the European Data Protection Board, subject to public consultation concluded on 11 March 2022).

This reconstruction is also confirmed by the jurisprudence of legitimacy, according to which the right of access to one's personal data, even within the context of the employment relationship, "cannot be understood, in a restrictive sense, as the mere right to knowledge of any new data and additional to those already included in the wealth of knowledge and, therefore, in the disposal of the same interested party for the processing of their data, given that the purpose of the regulation [which attributes the relevant right] is to guarantee, to protect the dignity and confidentiality of the interested party, the verification ratione temporis of the insertion, permanence or removal of data, regardless of the circumstance that such events had already been brought to the attention of the interested party in another way" (see Court of Cassation 14.12.2018, no. 32533).

Finally, it is stated that on the basis of art. 12, paragraph 4, of the Regulation, the owner "If he does not comply with the request of the interested party, [...] informs the interested party without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and the possibility to lodge a complaint with a supervisory authority and to lodge a judicial appeal”. In the present case, therefore, the Company should have in any case, if necessary, informed the interested party of the reasons why the request was not processed and the remedies provided by the law against such decision.

The Company, for the reasons set out above, has therefore violated the articles. 12, par. 1, 2, 3 and 4, and 15 of the Regulation. However, the Authority takes note that, during the procedure, feedback was provided to the interested party's requests.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulations.

For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable for allow the archiving of this proceeding, as none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

The processing of personal data carried out by the Company and in particular the failure to respond to the access request presented by the complainant, is in fact illicit, in the terms set out above, in relation to the articles. 12, par. 1, 2, 3 and 4, and 15 of the Regulation.

The violation ascertained within the terms set out in the justification cannot be considered "minor", taking into account the nature, severity and duration of the violation itself, the degree of responsibility, the way in which the supervisory authority became aware of the violation and a previous relevant violation (cons. 148 of the Regulation).

Differently from the previous provisions of the Authority referred to in the defense briefs (provisions 25/3/2021, n. 104, web doc. n. 9583835; 11/2/2021, n. 63, web doc. n. 9567218; 23 /4/2020, n., 76, web doc. n. 9426302), in this case the conduct of the data controller did not consist in an error regarding the transmission of the requested data nor in having provided partial feedback, but in the failure to respond to a formal request for access, on the assumption that the response could have been provided during a meeting which, moreover, does not appear to have been offered to the complainant.

Furthermore, also in consideration of the size of the Company, the number of employees and customers included, and therefore the relevance of the processing carried out as part of its business, it is believed that FCA Italy S.p.A. would have been able to prepare suitable measures to provide effective feedback to requests for the exercise of rights, without allowing misalignments such as the one that occurred in the case subject to the complaint.

This, in particular, taking into account that in a previous provision the Authority has already ascertained, against the same Company, the violation of the provisions of the Regulation regarding the exercise of rights and, in particular, of the right of access (Provision. to n. 439 of 16 December 2021).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation provides for the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

As a result of the proceedings, it therefore appears that FCA Italy S.p.A. has violated the articles. 12, par. 1, 2, 3 and 4, and 15 of the Regulation. For violations of the aforementioned provisions, the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, letter. b) of the Regulation, through the adoption of an injunction order (art. 18, l. 11.24.1981, n. 689).

Considered necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5.

With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is stated that , in this case, the following circumstances were considered:

a) in relation to the nature, severity and duration of the violation (which lasted for approximately seven months, from the date of submission of the request, received on 11/1/2021 to the completion of the response with note dated 25/8/2021 ), the nature of the violation which affected the exercise of the rights by the interested party was considered relevant;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same which did not comply with the regulations on data protection in relation to a plurality of provisions regarding the exercise of rights;

c) a previous provision adopted against the Company was considered in the context of "previous relevant violations" committed by the data controller and, for the violation of articles. 12 and 15 of the Regulation, in relation to the right of access to the data of the interested party, therefore in relation to the same violation which is the subject of this provision (see Provision no. 439 of 16 December 2021, web doc. no. 9742908); the previous confirmed violation denotes the insufficient preparation of organizational measures aimed at allowing interested parties effective control over their personal data, through the provision of information relating to the processing carried out;

d) in favor of the Company, the cooperation with the Supervisory Authority was taken into account and the fact that the violation ascertained concerned only the complainant, being an isolated case, and that the invocation of the protection of personal data, in the case of species, appears to be in some respects emulative in relation to the events that concerned the interested party.

It is also believed that they assume relevance in the specific case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must comply with in determining the amount of the sanction (art. 83, par. 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the ordinary financial statements for the year 2021. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply the administrative sanction of the payment of a sum equal to 40,000 (forty thousand) euros against FCA Italy S.p.A..

In this framework, it is also believed, in consideration of the type of violations ascertained which concerned the general principles of processing and the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019.

ALL THE WHEREAS, THE GUARANTOR

notes the unlawfulness of the processing carried out by FCA Italy S.p.A., in the person of its legal representative, with registered office in Corso Giovanni Agnelli, 300, Turin (TO), C.F. 07973780013, pursuant to art. 143 of the Code, for the violation of articles. 12 and 15 of the Regulation;

ORDER

pursuant to art. 58, par. 2, letter. i) of the Regulation to FCA Italy S.p.A., to pay the sum of 40,000 euros (forty thousand as a pecuniary administrative sanction for the violations indicated in this provision;

ORDERS

therefore to the same Company to pay the aforementioned sum of 40,000 (forty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981. Please note that the violator remains entitled to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed, within the deadline set out in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/20129, and believes that the conditions set out in the art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 15 September 2022

PRESIDENT
Stantion

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei