Garante per la protezione dei dati personali (Italy) - 9843805: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Count...")
 
(formatting and spellcheck)
Line 69: Line 69:
}}
}}


The Italian DPA fined Amazon Italia Logistica €20,000 for the violation of Articles 12 and 15 GDPR, after they failed to sufficiently respond to a right of access request made by an employee.
The Italian DPA fined Amazon Italia Logistica €20,000 for the violation of Articles 12 and 15 GDPR, after they failed to respond to a right of access request made by an employee.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The case concerns an access request from a worker, the data subject, to their employer Amazon Italia Logistica (Amazon), the controller.  
This case concerns an access request from an employee, the data subject, to their employer Amazon Italia Logistica (Amazon), the controller.  


The data subject submitted an access request on 23 August 2020 pursuant to [[Article 15 GDPR|Article 15 GDPR]], in order to obtain their professional certificates obtained during the employment relationship. These certifications included, for example, their: “PLE pallet elevator certificate”; “certificate for the management and programming of the palletizer robot”; “PES and PAV” certificates. The data subject did not receive the requested information and subsequently, on 21 September 2020, filed a complaint with the Italian DPA. The data subject argued that he has the right to access his personal data contained in the company’s records. The controller’s refusal to provide the data would constitute a violation of the GDPR.
The data subject submitted the access request on 23 August 2020 pursuant to [[Article 15 GDPR|Article 15 GDPR]], in order to receive copies of their professional certificates obtained during the employment relationship. These certifications included, for example, their: “PLE pallet elevator certificate”; “certificate for the management and programming of the palletiser robot”; and “PES and PAV” certificates. The data subject did not receive the requested information and subsequently, on 21 September 2020, filed a complaint with the Italian DPA. The data subject argued that they have the right to access their personal data contained in the company’s records. The controller’s refusal to provide the data would constitute a violation of the GDPR.


The controller confirmed that the data subject had, on 23 August 2020, contacted the HR department, requesting a copy of the certificates, and sent a follow up request on 1 September 2020.   
Responsing to the complaint, the controller confirmed that the data subject had, on 23 August 2020, contacted the HR department, requesting a copy of the certificates, and had sent a follow up request on 1 September 2020. Dealing with the issues raised by the complaint the controller argued, firstly, that the professional certificates requested – with the exemption of the PES and PAV certificates – were from internal Amazon courses for which there is no physical certificate, and they have no value beyond internal authorization to carry out assigned tasks.   


Responding to the allegations, the controller argued, firstly, that the professional certificates requested – with the exemption of the PES and PAV certificates – were from internal Amazon courses for which there is no physical certificate and they have no value beyond internal authorization to carry out assigned tasks.
Secondly, they asserted that the data subject did not send their requests to the correct email address. The first request was sent to the HR department, the second request to an employee without any management powers, who was not competent to follow up on the request. The complainant did not send the requests to Amazon’s dedicated email address for [[Article 15 GDPR]] access requests (EU-staff-privacy@amazon.com) which was provided to all employees through the issuance of a privacy policy.
 
Secondly, they asserted that the data subject did not send their requests to the correct email address. While the first request was sent to the HR department, the second request to an employee without any management powers, who was not competent to follow up on the request. The complainant did not send the requests to Amazon’s dedicated email address for [[Article 15 GDPR|Article 15 GDPR]] access requests (EU-staff-privacy@amazon.com) which was provided to all employees through the privacy policy.


Thirdly, Amazon argued that the complainant did not in any way specify that these were access request pursuant to [[Article 15 GDPR|Article 15 GDPR]].  
Thirdly, Amazon argued that the complainant did not in any way specify that these were access request pursuant to [[Article 15 GDPR|Article 15 GDPR]].  


Amazon explained that, “unfortunately, due to an unfortunate negative contingency” they failed to provide the subject with the necessary clarifications and inform him of the impossibility of issuing the certificates, and they did not provide the PES and PEV certificates. They emphasized that any infringement was not carried out in bad faith, apologised for the lack of accuracy, and stated that the company did not intend to do any harm to the data subject.
The controller did acknowledge errors had been made in responding to the request, stating that “unfortunately, due to an unfortunate negative contingency” they failed to provide the subject with the necessary clarifications and inform him of the impossibility of issuing the certificates, and they did not provide the PES and PEV certificates. They emphasized that any infringement was not carried out in bad faith, apologised for the lack of accuracy, and stated that the company did not intend to do any harm to the data subject.


=== Holding ===
=== Holding ===
After investigating the complaint, the DPA ascertained that the Company did not adequately respond to the request for access pursuant to [[Article 15 GDPR|Article 15 GDPR]].
After investigating the complaint, the DPA ascertained that the Company did not adequately respond to the request for access pursuant to [[Article 15 GDPR|Article 15 GDPR]].


Responding to the controller’s first argument (impossible to provide internal certificates), the DPA explained that, even though it was impossible to provide certification of the internal authorization, the controller was under a duty to inform, and explain, this to the data subject. According to [[Article 12 GDPR#4|Article 12(4) GDPR]], in situations where the controller is unable to take action on the data subject request, they must “inform the interested party without delay, and at the latest within one month of receipt of the request, of the reasons for non-compliance”.
Responding to the controller’s first argument (impossible to provide internal certificates), the DPA explained that, even though it was impossible to provide certification of the internal authorisation, the controller was under a duty to inform, and explain, this to the data subject. According to [[Article 12 GDPR#4|Article 12(4) GDPR]], in situations where the controller is unable to take action on the data subject request, they must “''inform the interested party without delay, and at the latest within one month of receipt of the request, of the reasons for non-compliance''”.


Regarding the second argument (request sent to wrong email address), the DPA investigation revealed that the complainant had sent the first request to the HR department as well as the email address EU-candidate-privacy@amazon.com. Also, their follow up request was sent to another employee without management power, but this employee forwarded the request to the HR department. The DPA also found that there is no evidence that the privacy policy was sent to the employee and that, in any case, the document cited quotes the HR email as an alternative option for employees to obtain further information on their rights regarding the protection of personal data. Therefore, these cannot be considered circumstances such as to justify the absence of a reply.
Regarding the second argument (request sent to wrong email address), the DPA investigation revealed that the complainant had sent the first request to the HR department as well as the email address EU-candidate-privacy@amazon.com. Also, while their follow up request was sent to another employee without management power, this employee forwarded the request to the HR department. The DPA also found that there is no evidence that the privacy policy was sent to the employee and that, in any case, the document cited quotes the HR email as an alternative option for employees to obtain further information on their rights regarding the protection of personal data. Therefore, these cannot be considered circumstances such as to justify the absence of a reply.


Addressing the third argument (data subject did not specify Article 15 access request), the DPA outlined that, under the GDPR, the burden of specifying the legal basis of the request does not fall on the data subject. Furthermore, if the data controller has doubts about the right that the interested party intends to exercise, he must ask the data subject to specify it. The controller was under the obligation to facilitate the exercise of data subject rights and they failed to do so.
Addressing the third argument (data subject did not specify Article 15 access request), the DPA outlined that, under the GDPR, the burden of specifying the legal basis of the request does not fall on the data subject. Furthermore, if the data controller has doubts about the right that the interested party intends to exercise, they must ask the data subject to specify it. The controller was under the obligation to facilitate the exercise of data subject rights and they failed to do so.


In light of the above, the DPA held that the controller acted in violation of the GDPR, in particular Articles 12 and 15.  Pursuant to its powers under [[Article 58 GDPR#2i|Article 58(2)(i) GDPR]], and in accordance with [[Article 83 GDPR|Article 83 GDPR]], it imposed an administrative fine of €20,000 upon the controller.
In light of the above, the DPA held that the controller acted in violation of the GDPR, in particular Articles 12 and 15.  Pursuant to its powers under [[Article 58 GDPR#2i|Article 58(2)(i) GDPR]], and in accordance with [[Article 83 GDPR|Article 83 GDPR]], it imposed an administrative fine of €20,000 upon the controller.
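
Review bot: In the new revision the paragraph on the controller's response opens with "Responsing to the complaint", a misspelling of "Responding" that an edit summarised as "(formatting and spellcheck)" should have caught. The same paragraph keeps "with the exemption of the PES and PAV certificates" where "exception" is meant, and the acknowledgement paragraph still writes "PES and PEV certificates" against "PES and PAV" in the Facts paragraphs. The lead sentence also changes "failed to sufficiently respond" to "failed to respond", which is a change of substance rather than spelling and sits uneasily with the Holding's "did not adequately respond"; suggest restoring the qualifier or stating the change in the edit summary.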

Revision as of 17:35, 31 January 2023

Garante per la protezione dei dati personali - 9843805
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12 GDPR, Article 13 GDPR, Article 15 GDPR, Article 58 GDPR, Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 21.09.2020
Decided: 01.12.2022
Published: 16.01.2023
Fine: 20000 EUR
Parties: Amazon Italia Logistica
National Case Number/Name: 9843805
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Italian DPA (in IT)
Initial Contributor: LR

The Italian DPA fined Amazon Italia Logistica €20,000 for the violation of Articles 12 and 15 GDPR, after they failed to respond to a right of access request made by an employee.

English Summary

Facts

This case concerns an access request from an employee, the data subject, to their employer Amazon Italia Logistica (Amazon), the controller.

The data subject submitted the access request on 23 August 2020 pursuant to Article 15 GDPR, in order to receive copies of their professional certificates obtained during the employment relationship. These certifications included, for example, their: “PLE pallet elevator certificate”; “certificate for the management and programming of the palletiser robot”; and “PES and PAV” certificates. The data subject did not receive the requested information and subsequently, on 21 September 2020, filed a complaint with the Italian DPA. The data subject argued that they have the right to access their personal data contained in the company’s records. The controller’s refusal to provide the data would constitute a violation of the GDPR.

Responding to the complaint, the controller confirmed that the data subject had, on 23 August 2020, contacted the HR department, requesting a copy of the certificates, and had sent a follow-up request on 1 September 2020. Dealing with the issues raised by the complaint, the controller argued, firstly, that the professional certificates requested – with the exception of the PES and PAV certificates – were from internal Amazon courses for which there is no physical certificate, and that they have no value beyond internal authorization to carry out assigned tasks.

Secondly, they asserted that the data subject did not send their requests to the correct email address. The first request was sent to the HR department, the second request to an employee without any management powers, who was not competent to follow up on the request. The complainant did not send the requests to Amazon’s dedicated email address for Article 15 GDPR access requests (EU-staff-privacy@amazon.com) which was provided to all employees through the issuance of a privacy policy.

Thirdly, Amazon argued that the complainant did not in any way specify that these were access requests pursuant to Article 15 GDPR.

The controller did acknowledge that errors had been made in responding to the request, stating that “unfortunately, due to an unfortunate negative contingency” they failed to provide the data subject with the necessary clarifications and inform him of the impossibility of issuing the certificates, and they did not provide the PES and PAV certificates. They emphasized that any infringement was not carried out in bad faith, apologised for the lack of accuracy, and stated that the company did not intend to do any harm to the data subject.

Holding

After investigating the complaint, the DPA ascertained that the Company did not adequately respond to the request for access pursuant to Article 15 GDPR.

Responding to the controller’s first argument (impossible to provide internal certificates), the DPA explained that, even though it was impossible to provide certification of the internal authorisation, the controller was under a duty to inform, and explain, this to the data subject. According to Article 12(4) GDPR, in situations where the controller is unable to take action on the data subject request, they must “inform the interested party without delay, and at the latest within one month of receipt of the request, of the reasons for non-compliance”.

Regarding the second argument (request sent to wrong email address), the DPA investigation revealed that the complainant had sent the first request to the HR department as well as the email address EU-candidate-privacy@amazon.com. Also, while their follow up request was sent to another employee without management power, this employee forwarded the request to the HR department. The DPA also found that there is no evidence that the privacy policy was sent to the employee and that, in any case, the document cited quotes the HR email as an alternative option for employees to obtain further information on their rights regarding the protection of personal data. Therefore, these cannot be considered circumstances such as to justify the absence of a reply.

Addressing the third argument (data subject did not specify Article 15 access request), the DPA outlined that, under the GDPR, the burden of specifying the legal basis of the request does not fall on the data subject. Furthermore, if the data controller has doubts about the right that the interested party intends to exercise, they must ask the data subject to specify it. The controller was under the obligation to facilitate the exercise of data subject rights and they failed to do so.

In light of the above, the DPA held that the controller acted in violation of the GDPR, in particular Articles 12 and 15. Pursuant to its powers under Article 58(2)(i) GDPR, and in accordance with Article 83 GDPR, it imposed an administrative fine of €20,000 upon the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9843805]

Injunction order against Amazon Italia Logistica s.r.l. - December 1, 2022

Register of measures
no. 406 of 1 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

CONSIDERING the complaint presented pursuant to art. 77 of the Regulation on 21 September 2020, regularized on 1 November 2020 as well as on 25 January 2021 by Mr. XX against Amazon Italia Logistica s.r.l.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

On September 21, 2020, Mr. XX filed against Amazon Italia Logistica s.r.l. (hereinafter, the Company) a complaint, regularizing it on 1 November 2020 as well as on 25 January 2021, following invitations to regularize sent by this Authority.

In the complaint, the interested party represented that, on 23 August 2020, he had sent a request to exercise the right of access pursuant to art. 15 of EU Regulation 2016/679 to the "professional certificates obtained" during the employment relationship established with the Company and in particular: "PLE pallet elevator certificate, certificate for the management and programming of the palletizer robot (RME instructor [...]), access certificate authorized in the "yard" goods unloading area, PES and PAV certificate, certificate in charge of drive maintenance and floor robot management. Stow and pick (SST instructor […])”. The complainant specified that he had sent the request several times and had not received a response from the Company.

The complaint also requested the cancellation of the "personal and sensitive data" relating to the same complainant processed by the Company as well as access to the "pre-employment visit medical file. Health file”, applications that have not been regularized by the complainant following invitations to regularize.

On 5 October 2021, following an invitation to provide feedback, the Company sent its response, also to the complainant, and declared that:

- "following an in-depth investigation conducted by Amazon on what was reported in the complaint, it turned out that: on August 21, 2020, Amazon's Human Resources Department sent the [complainant] the UNIEMENS model requested by him, promptly acknowledging the request of the [complainant]" (see note of 10.5.2021 cit., p. 2);

- "on August 23, 2020, the [complainant] contacted Amazon's Human Resources department again, requesting a copy of some professional certificates obtained during the trial period, specifically: (i) PLE pallet elevator certificate, (ii) certificate to management and programming of the palletizer robot (RME instructor [...]), (iii) certificate for authorized access in the "yard" goods unloading area, (iv) PES and PAV certificate, and (v) certificate in charge of drive maintenance and management of floor robots. Stow and pick (SST instructor [...])” (see cited note, p. 2);

- "on 1 September 2020 (just 7 days after the request [...]) the [complainant] requested the sending of the previously requested documentation, also specifying the need to urgently receive the UNIEMENS form relating to the period of July 2020 (absent in the first document sent on August 21, 2020, as it has not yet been processed). Unfortunately, in this circumstance the [complainant] was contacting an employee without any management powers and, therefore, not competent to follow up on the request. This further contact was in any case forwarded to the Human Resources department, which promptly confirmed that it was taken over both internally and to the [complainant], who, moreover, had also contacted the Human Resources department on the same day, however requesting to receive only the UNIEMENS form" (see cited note, p. 2);

- "following the request received, the Human Resources department sent the [complainant] only the UNIEMENS model requested" (see cited note, p. 2);

- "on the contrary, with reference to the other professional certificates requested by the [complainant] - and with the sole exception of the PES and PAV certificate [...] - Amazon was not in a position to comply with the applicant's request since there was no physical certificate to be sent, since these are internal Amazon courses having the mere value of internal authorization to carry out the assigned tasks; more specifically, being internal courses organized directly by Amazon, the certificates referred to in points (i), (ii), (iii) and (v) are usually issued in the form of a mere internal badge that certifies participation and have exclusively internal clearance value. Otherwise, the PES and PAV certificate certifies participation in the course organized by a specific certifying body which issues a copy to the worker" (see cited note, p. 3);

- "in the specific case, unfortunately, due to an unfortunate negative contingency (without any will on the part of Amazon to prevent the response of the worker's request), Amazon failed to acknowledge the request of the [complainant] and consequently did not provide him with the necessary clarifications on the impossibility of issuing the certificates referred to in points (i), (ii), (iii) and (v) [...] nor did he send him the PES and PAV certificate" (see cited note, p. 3);

- "Amazon is deeply sorry for what happened and for the lack of accuracy on the part of the departments responsible for guaranteeing the exercise of the right of access pursuant to art. 15 GDPR. In any case, it is emphasized that, in no event did Amazon intend to damage the [complainant] following the interruption of the trial period. In this regard, the Company would like to underline that its employees are provided with all the information and training necessary to guarantee compliance with the legislation on the protection of personal data, including specific instructions on how to correctly follow up on requests for access to personal data from data subjects” (see cited note, p. 3);

- "the Company acknowledges the request of the [complainant] by sending the only certificate at its disposal, i.e. the PES and PAV certificate recovered from the certifying body following the request" (see cited note, p. 3).

On 30 June 2022, the Company, following the invitation to provide further clarifications from the Department on 31 May 2022, declared that:

- “failure to respond promptly pursuant to art. 15 GDPR is due to a series of unfortunate circumstances, first of all the fact that the request was not forwarded by the [complainant] using the e-mail address EU-staff-privacy@amazon.com dedicated to the exercise of the rights pursuant to art. 15-22 GDPR (or in any case for questions relating to the processing of personal data of employees) as specifically indicated in the information pursuant to art. 13 GDPR issued by Amazon to the [complainant]" (see note 30.6.2022 cit., p. 1);

- "the [complainant], in fact, after having requested and obtained the first UNIEMENS model relating to the period of June 2020 on 21 August 2020, two days later wrote an email to Amazon's HR Manager asking for some certificates without in any way reference to the exercise of your access rights pursuant to art. 15 GDPR […]. Also the second request dated a little later, dated 1 September (in which the UNIEMENS form relating to the period of July 2020 was also requested) was not sent to the dedicated email for the exercise of privacy rights, nor was reference made in any way to the art. 15 GDPR” (see cited note, p. 1, 2);

- “Amazon has a dedicated team at European level for handling requests made by employees under the GDPR (“DSR Team”). In addition to providing employees with a specific email for the exercise of rights, as indicated in the privacy policy, Amazon follows an internal procedure for managing requests [...] all requests received through various channels, such as email, tickets, mail, telephone, delivered physically or verbally to an Amazon employee, are forwarded to the DSR Team" (see cited note, p. 2).

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 19 September 2022, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 12 and 15 of the Regulation.

With defense briefs sent on 19 October 2022, the Company stated that:

- “failure to reply to the request for information within the terms established by article 12, par. 3 of the GDPR did not in any way depend on willful misconduct or the will to damage the [complainant] or to limit the exercise of rights" (see note 19.10.2022 cit., p. 1);

- "this delay derives, first of all, from the failure to recognize, and consequent failure to qualify and process, by the Human Resources function - in good faith - the request for certificates for participation in internal courses as a request for access pursuant to art. 15 of the GDPR, since it is indeed a request concerning a "negative data" (since the internal courses are not connected to any formal certification that can be delivered to the worker)" (see note cit., p. 1, 2);

- "the Company does not usually delay/fail to respond to requests for access pursuant to Article 15 of the GDPR made against it and, on the contrary, has a specific function and related procedures to prevent this from happening" (see cited note, p. 2);

- "the delay possibly due to the lack of internal coordination between the competent departments, also given the concomitance of the request with the summer holiday period, must be understood as completely exceptional, and the absence of previous sanctions for violations similar to the one occupies is proof of this; in any case, this delay must be seen in the context of a Company with a very high number of employees (9,212 employees as at 31 March 2022, as per the visura dated 22 September 2022), equipped with support functions receiving an equally large number of requests to be processed daily" (see note cit., p. 2);

- with reference to the "elements regarding the nature, gravity and duration of the violation taking into consideration the nature, object or purpose of the processing in question as well as the number of interested parties affected by the damage pursuant to article 83, par. 2, lit. a) of the GDPR" it is specified that "at least with reference to the UNIEMENS model of the month of July 2020, requested for the first time by the [complainant], on 1 September 2020, Amazon cannot be contested for any violation of art. 12 and 15 of the GDPR" (see cited note, p. 3);

- "with reference to the request for the other professional certificates, which took place on 23 August 2020 and reiterated (at least in one of the emails sent by the [complainant] to the officials of the Human Resources department) on 1 September 2020, in fact, the Company has not promptly informed the applicant that he was not in a position to follow up on the request since - with the sole exception of the PES and PAV certificate - there was not materially any certificate to be sent, since these were internal Amazon courses having a mere internal authorization value for carrying out the assigned duties" (see note cited, p. 3);

- "we highlight: - the absence of any will on the part of Amazon to prevent the response of the worker's request. This absence of willful misconduct is demonstrated by Amazon's collaborative and legally compliant behavior with respect to the UNIEMENS certificate requested by the [claimant]; - the disputed violation relates solely to the Company's failure to respond promptly to the request for information, in good faith not interpreted as a request for access, while it does not in any way concern the loss of confidentiality, integrity or availability of the data personal data of the interested party” (see cited note, p. 4);

- "the [complainant] is the only interested party involved in the violation and [...], as of today's date, no prejudice suffered by the aforementioned [complainant] due to the late response by the Company has been ascertained or demonstrated" (see note cit., p. 4);

- with reference to the "malicious or negligent nature of the violation pursuant to article 83, par. 2, lit. b) of the GDPR” “it is important to underline how the nature of the violation is merely negligent” (see note cited, p. 4);

- "this violation is part of an internal coordination problem between the competent departments of Amazon, aggravated by the concurrence of the [complainant's] request with the summer holiday period" (see cited note, p. 5);

- "the Company failed to promptly find the request to exercise the right of access pursuant to article 15 of the GDPR presented by the [complainant] - at least with reference to the certificates requested on 23 August 2020 - due to various unfortunate circumstances: - the circumstance that the [complainant] had requested non-existent certificates, with the exception of the UNIEMENS one provided on 25 September 2020 and the PES and PAV certificates which, however, were not available to Amazon and of which the [complainant] should have had a copy; - sending multiple requests by the [complainant] to different officials of the Human Resources department. Among other things [...] in the email sent on 1 September by the [complainant to a] partner of the Human Resources department who took charge of the request, reference was made only to the request of the UNIEMENS form of July 2020. This created confusion with respect to the other requests of the same [complainant]; - failure to use the appropriate email address as specified in the information pursuant to article 13 of the GDPR issued by the Company to the [complainant]. This circumstance, although not justifiable, certainly affected the delay with which the [complainant's] request was qualified within the Company as an exercise of the right of access pursuant to art. 15 of the GDPR" (see cited note, p. 5);

- with reference to “any previous relevant violations committed pursuant to article 83, par. 2, lit. e) and the degree of cooperation with the supervisory authority in order to remedy the violation and implement its possible negative effects pursuant to article 83, par. 2, lit. f) of the GDPR" "to be considered equally relevant [...] is the extenuating circumstance that Amazon is not the recipient of any sanctioning measure for violations of the same content as the one we are dealing with (nor for more serious violations)" (see note cit., p. 5);

- "the complaint made to the Company does not include a violation of accountability in relation to the policies, organization and technical measures adopted by the same and aimed at executing its obligations pursuant to the GDPR. It is rather an isolated case which, moreover, involved only one interested party” (see cited note, p. 5, 6);

- "the Company has always stood out for its transparent and collaborative conduct towards this Authority, promptly providing its answers to requests for information received and also demonstrating complete availability towards the [complainant], who - after the intervention of the Guarantor - also received the only certificate available to Amazon" (see cited note, p. 6);

- with reference to the "categories of personal data affected by the violation pursuant to article 83, par. 2, lit. g) of the GDPR" "the conduct contested against Amazon by this Authority does not pertain to the processing of "particular categories of personal data" pursuant to article 9 of the GDPR or of "personal data relating to criminal convictions and crimes" pursuant to article 10 of the GDPR. […] Indeed, it can be said that with respect to the only certificate available (i.e. PES and PAV certificates) Amazon was not even the person entitled to receive the request from the [complainant], not being the data controller of personal data of the [complainant] with respect to the conduct and results of the training. [...] in fact, it was a training organized and managed by an external certifying body to which Amazon - without being obliged - had to contact to obtain a copy which it then sent to the [complainant] on the occasion of the letter dated 5 October 2021. Indeed, the certifying body had issued a copy of the certificate directly to the employee and Amazon was not in possession of it. The delay in responding to the [complainant] must also be attributed to this circumstance" (see cited note, p. 6);

- "in the unlikely event that the delay in Amazon's response was to be valued, it is believed that the circumstances inferred lead to the application of the minimum sanction. As support for the determination of the possible sanction, an injunction order should be pointed out that this Authority issued, on 16 June last, [provision no. 226 of 16 June 2022 with which] the Guarantor ordered [...] the payment of a [pecuniary] fine. Therefore, if the request not to apply any sanction to Amazon is not accepted, the circumstances already assessed by the Guarantor in the context of the order set out above are referred to, in the alternative, which, based on the considerations made in this defense brief, are largely superimposable” (see cited note, p. 7).

3. The outcome of the investigation and of the procedure for the adoption of corrective and sanctioning measures.

As a result of the examination of the declarations made to the Authority during the proceeding as well as of the documentation acquired, it appears that the Company, as controller, has carried out some processing operations, referring to the complainant, which are not compliant with the regulations on the matter of personal data protection. In this regard, it should be noted that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

On the merits, it emerged that the Company, also on the basis of what it declared, did not adequately respond to the request for access pursuant to art. 15 of the Regulation presented by the complainant concerning the "professional certificates obtained" and in particular: "PLE pallet elevator certificate, certificate for the management and programming of the palletiser robot (RME instructor [...]), certificate for authorized access in the goods unloading area "yard ”, PES and PAV certificate, drive maintenance and floor robot management certificate. Stow and pick (SST instructor […])”.

Indeed, only following the presentation of the complaint and the opening of the investigation did the Company send the complainant a copy of the "only certificate available to it, i.e. the PES and PAV certificate recovered from the certifying body following the request" and communicated that it could not provide a copy of the other training certificates requested "since there was no material certificate to be sent, since these were internal Amazon courses having a mere internal authorization value for carrying out the assigned tasks".

In particular, on 23 August 2020, the complainant, after receiving the requested UNIEMENS form of June 2020 from the Human Resources Department, contacted the same department, also according to what was declared by the same Company, requesting a copy of the aforementioned training certificates without receiving any feedback on it.

Subsequently - i.e. on 1 September 2020 - the complainant reiterated the request for access to the aforementioned training certificates by sending it to an employee in relation to whom the Company specified that she was "devoid of any management power and, therefore, not competent to follow up upon request".

Again according to what was specified by the Company and on the basis of the documentation in the records, this request was, however, forwarded to the Human Resources Department, by sending it to a "partner in the Human Resources department who took charge of the request". The request was sent, in particular, to the same person in charge of sending the UNIEMENS form to the complainant (email dated 21 August 2020 and 25 September 2020 in the file) and who limited himself to responding to requests to receive a copy of the UNIEMENS model.

Although on 25 September 2020 the requested UNIEMENS form of August 2020 was sent to the complainant by the Company - in relation to access to which no objection has been raised by the Authority as it is not believed there are any profiles of illegality regarding the conduct held with reference to this specific document -, on that occasion the complainant was not provided with any information regarding the request to receive a copy of the training certificates, not even regarding the impossibility of fulfilling the same for the training certificates with the exception of the PES and PAV certificate.

In this regard, the Company declared that it did not respond to the request to exercise the right of access for a variety of reasons, including the non-existence of the requested certificates with the exception of PES and PAV, the sending of multiple requests to different employees of the Human Resources department, failure to use the e-mail address indicated in the information pursuant to article 13 of the GDPR issued by the Company to the complainant.

The Company also specified that in the requests to exercise the right of access, the complainant had not made any reference to the exercise of the right of access pursuant to art. 15 of the Regulation.

Given this, it does not appear that the Company informed the complainant pursuant to art. 12, par. 4, of the Regulation of the impossibility of providing him with the required training certificates, nor that it sent him a copy of the PES and PAV certificate it possessed, or that it communicated to him - before recovering this last certificate from the certifying body - that it did not have it.

Art. 12, par. 4 of the Regulation, with reference to the hypothesis in which the data controller cannot allow the exercise of the rights recognized by the Regulation to the interested party, including the right of access, provides that the same "inform [i] the interested party without delay, and at the latest within one month of receipt of the request, of the reasons for the non-compliance and of the possibility to lodge a complaint with a supervisory authority and to lodge a judicial appeal".

In this regard, with reference to the circumstances that the Company has identified as the causes of its conduct (lack of reference to Article 15 of the Regulation and failure to use the e-mail address specifically dedicated to this), it should be recalled that, as also recently clarified by the Guidelines 01/2022 on data subject rights - Right of access, adopted by the EDPB on 18 January 2022 (subject to public consultation concluded on 11 March 2022), the burden of specifying the legal basis of the request does not fall on the interested parties and that, if the data controller has doubts about the right that the interested party intends to exercise, it must ask the interested party to specify the subject (see Guidelines 01/2022 cit., point 47 "Data subjects are not required to specify the legal basis in their request", and point 48 "If the controller has doubts as to which right the data subject wishes to exercise, it is recommended to ask the data subject making the request to explain the subject matter of the request”, unofficial translation "If the data controller has doubts about the right that the interested party intends to exercise, it is recommended to ask the interested party making the request to explain the object").

Furthermore, the fact that the complainant sent requests to exercise the right of access to the Human Resources Department as well as to the email address EU-candidate-privacy@amazon.com and that the email of 1 September 2020 was sent by the complainant to an employee without management power (which, however, according to what was declared by the Company itself, was in any case forwarded to the Human Resources Department, which, therefore, was aware of it), cannot be considered circumstances such as to justify the absence of a reply (even in the case of a reply aimed at expressing the mere refusal pursuant to article 12, paragraph 4, of the Regulation) from the Company.

In this regard, it is noted with reference to the Company's declaration according to which the reasons for the absence of response to the complainant's requests must also include the "failure to use the appropriate email address as specified in the information pursuant to article 13 of the GDPR issued by the Company to the [complainant]", that there is no evidence that the same has been issued to the complainant and that, in any case, the cited document specifies that "if [the interested party] wishes further information on your rights regarding protection of personal data, please contact your HR department (or your Data Protection Officer, if designated) or send an email to EU-staff-privacy@amazon.com”. Sending the request to exercise the rights to the e-mail address EU-staff-privacy@amazon.com also by express provision of the Company is, therefore, an alternative to contacting the human resources department or the data protection officer.

In the present case it was ascertained that the complainant contacted, among other things, also according to what was declared by the Company, the human resources department by sending an e-mail to an employee of the same.

It should also be recalled that the aforementioned Guidelines 01/2022 on data subject rights - Right of access recently clarified that data subjects are not required to adopt a specific format for submitting requests to exercise the right of access (see Guidelines 01/2022 cit., point 52 "the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller", unofficial translation "the General Data Protection Regulation does not impose any requirements on data subjects regarding the format of the request for access to personal data. Therefore, in principle, there are no requirements that the data subject is required to comply with when choosing a communication channel through which to get in touch with the data controller").

Finally, it should be noted that the same Company, in the context of the procedure for examining the requests to exercise the rights as described in the course of the procedure, contemplates - correctly - that the requests can be presented in different ways than sending to the dedicated e-mail account.

The Company, for the reasons set out above, has violated Articles 12 and 15 of the Regulation.

4. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the preliminary investigation do not allow the findings notified by the Office with the act of initiating the procedure to be overcome and that they are therefore unsuitable to allow the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

The processing of personal data carried out by the Company and in particular the omitted reply (also of communication of the reasons for the refusal pursuant to article 12, paragraph 4, of the Regulation) to the access request presented by the complainant, is in fact illegal, in the terms set out above, in relation to articles 12 and 15 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility, the manner in which the supervisory authority became aware of the violation and previous relevant violations (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case, is ordered (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding it appears that Amazon Italia Logistica s.r.l. has violated Articles 12 and 15 of the Regulation. For the violation of the aforementioned provisions, the pecuniary administrative sanction envisaged by art. 83, par. 5, lett. b) of the Regulation applies, through the adoption of an injunction order (art. 18, l. 24.11.1981, n. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the fine must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation which concerned the exercise of the rights of the data subject was considered relevant;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company, which did not comply with the data protection regulations in relation to a plurality of provisions, and its degree of responsibility were taken into consideration;

c) in favor of the Company, account was taken of the cooperation with the Supervisory Authority and of the circumstance that the ascertained violation concerned only the complainant.

It is also believed that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), the following assume relevance in the present case: firstly, the economic conditions of the offender, determined on the basis of the revenues earned by the Company with reference to the ordinary financial statements for the year 2021. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply the administrative sanction of payment of a sum equal to 20,000 (twenty thousand) euros against Amazon Italia Logistica s.r.l.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019 are met.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by Amazon Italia Logistica s.r.l., in the person of its legal representative, with registered office in Viale Monte Grappa 3/5 - 20124 Milan (MI), Tax Code 07231660965, pursuant to art. 143 of the Code, for the violation of Articles 12 and 15 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation, Amazon Italia Logistica s.r.l. to pay the sum of 20,000 (twenty thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOINS

the same Company to pay the aforementioned sum of 20,000 (twenty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions set forth in art. 17 of Regulation no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 1st December 2022

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE SECRETARY GENERAL
Mattei

[doc. web no. 9843805]

Injunction order against Amazon Italia Logistica s.r.l. - December 1, 2022

Register of measures
no. 406 of 1 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

CONSIDERING the complaint presented pursuant to art. 77 of the Regulation on 21 September 2020, regularized on 1 November 2020 as well as on 25 January 2021 by Mr. XX against Amazon Italia Logistica s.r.l.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

On September 21, 2020, Mr. XX filed against Amazon Italia Logistica s.r.l. (hereinafter, the Company) a complaint, regularizing it on 1 November 2020 as well as on 25 January 2021, following invitations to regularize sent by this Authority.

In the complaint, the interested party represented that, on 23 August 2020, he had sent a request to exercise the right of access pursuant to art. 15 of EU Regulation 2016/679 to the "professional certificates obtained" during the employment relationship established with the Company and in particular: "PLE pallet elevator certificate, certificate for the management and programming of the palletizer robot (RME instructor [...]), access certificate authorized in the "yard" goods unloading area, PES and PAV certificate, certificate in charge of drive maintenance and floor robot management. Stow and pick (SST instructor […])”. The complainant specified that he had sent the request several times and had not received a response from the Company.

The complaint also requested the cancellation of the "personal and sensitive data" relating to the same complainant processed by the Company as well as access to the "pre-employment visit medical file. Health file”, applications that have not been regularized by the complainant following invitations to regularize.

On 5 October 2021, following an invitation to provide feedback, the Company sent its response, also to the complainant, and declared that:

- "following an in-depth investigation conducted by Amazon on what was reported in the complaint, it turned out that: on August 21, 2020, Amazon's Human Resources Department sent the [complainant] the UNIEMENS model requested by him, promptly acknowledging the request of the [complainant]" (see note of 10.5.2021 cit., p. 2);

- "on August 23, 2020, the [complainant] contacted Amazon's Human Resources department again, requesting a copy of some professional certificates obtained during the trial period, specifically: (i) PLE pallet elevator certificate, (ii) certificate for the management and programming of the palletizer robot (RME instructor [...]), (iii) certificate for authorized access in the "yard" goods unloading area, (iv) PES and PAV certificate, and (v) certificate in charge of drive maintenance and management of floor robots. Stow and pick (SST instructor [...])” (see cited note, p. 2);

- "on 1 September 2020 (just 7 days after the request [...]) the [complainant] requested the sending of the previously requested documentation, also specifying the need to urgently receive the UNIEMENS form relating to the period of July 2020 (absent in the first document sent on August 21, 2020, as it has not yet been processed). Unfortunately, in this circumstance the [complainant] was contacting an employee without any management powers and, therefore, not competent to follow up on the request. This further contact was in any case forwarded to the Human Resources department, which promptly confirmed that it was taken over both internally and to the [complainant], who, moreover, had also contacted the Human Resources department on the same day, however requesting to receive only the UNIEMENS form" (see cited note, p. 2);

- "following the request received, the Human Resources department sent the [complainant] only the UNIEMENS model requested" (see cited note, p. 2);

- "on the contrary, with reference to the other professional certificates requested by the [complainant] - and with the sole exception of the PES and PAV certificate [...] - Amazon was not in a position to comply with the applicant's request since there was no physical certificate to be sent, since these are internal Amazon courses having the mere value of internal authorization to carry out the assigned tasks; more specifically, being internal courses organized directly by Amazon, the certificates referred to in points (i), (ii), (iii) and (v) are usually issued in the form of a mere internal badge that certifies participation and have exclusively internal authorization value. Otherwise, the PES and PAV certificate certifies participation in the course organized by a specific certifying body which issues a copy to the worker" (see cited note, p. 3);

- "in the specific case, unfortunately, due to an unfortunate negative contingency (without any will on the part of Amazon to prevent the response to the worker's request), Amazon failed to acknowledge the request of the [complainant] and consequently did not provide him with the necessary clarifications on the impossibility of issuing the certificates referred to in points (i), (ii), (iii) and (v) [...] nor did it send him the PES and PAV certificate" (see cited note, p. 3);

- "Amazon is deeply sorry for what happened and for the lack of accuracy on the part of the departments responsible for guaranteeing the exercise of the right of access pursuant to art. 15 GDPR. In any case, it is emphasized that, in no event did Amazon intend to damage the [complainant] following the interruption of the trial period. In this regard, the Company would like to underline that its employees are provided with all the information and training necessary to guarantee compliance with the legislation on the protection of personal data, including specific instructions on how to correctly follow up on requests for access to personal data from data subjects” (see cited note, p. 3);

- "the Company acknowledges the request of the [complainant] by sending the only certificate at its disposal, i.e. the PES and PAV certificate recovered from the certifying body following the request" (see cited note, p. 3).

On 30 June 2022, the Company, following the invitation to provide further clarifications from the Department on 31 May 2022, declared that:

- “failure to respond promptly pursuant to art. 15 GDPR is due to a series of unfortunate circumstances, first of all the fact that the request was not forwarded by the [complainant] using the e-mail address EU-staff-privacy@amazon.com dedicated to the exercise of the rights pursuant to art. 15-22 GDPR (or in any case for questions relating to the processing of personal data of employees) as specifically indicated in the information pursuant to art. 13 GDPR issued by Amazon to the [complainant]" (see note 30.6.2022 cit., p. 1);

- "the [complainant], in fact, after having requested and obtained the first UNIEMENS model relating to the period of June 2020 on 21 August 2020, two days later wrote an email to Amazon's HR Manager asking for some certificates without making any reference to the exercise of his access rights pursuant to art. 15 GDPR […]. Also the second request, made a little later, on 1 September (in which the UNIEMENS form relating to the period of July 2020 was also requested), was not sent to the dedicated email for the exercise of privacy rights, nor was reference made in any way to art. 15 GDPR” (see cited note, p. 1, 2);

- “Amazon has a dedicated team at European level for handling requests made by employees under the GDPR (“DSR Team”). In addition to providing employees with a specific email for the exercise of rights, as indicated in the privacy policy, Amazon follows an internal procedure for managing requests [...] all requests received through various channels, such as email, tickets, mail, telephone, delivered physically or verbally to an Amazon employee, are forwarded to the DSR Team" (see cited note, p. 2).

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 19 September 2022, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 12 and 15 of the Regulation.

With defense briefs sent on 19 October 2022, the Company stated that:

- “failure to reply to the request for information within the terms established by article 12, par. 3 of the GDPR did not in any way depend on willful misconduct or the will to damage the [complainant] or to limit the exercise of rights" (see note 19.10.2022 cit., p. 1);

- "this delay derives, first of all, from the failure to recognize, and consequent failure to qualify and process, by the Human Resources function - in good faith - the request for certificates for participation in internal courses as a request for access pursuant to art. 15 of the GDPR, since it is indeed a request concerning a «negative data» (since the internal courses are not connected to any formal certification that can be delivered to the worker)" (see cited note, p. 1, 2);

- "the Company does not usually delay/fail to respond to requests for access pursuant to Article 15 of the GDPR made against it and, on the contrary, has a specific function and related procedures to prevent this from happening" (see cited note, p. 2);

- "the delay possibly due to the lack of internal coordination between the competent departments, also given the concomitance of the request with the summer holiday period, must be understood as completely exceptional, and the absence of previous sanctions for violations similar to the one at issue is proof of this; in any case, this delay must be seen in the context of a Company with a very high number of employees (9,212 employees as at 31 March 2022, as per the visura dated 22 September 2022), equipped with support functions receiving an equally large number of requests to be processed daily" (see note cit., p. 2);

- with reference to the "elements regarding the nature, gravity and duration of the violation taking into consideration the nature, object or purpose of the processing in question as well as the number of interested parties affected by the damage pursuant to article 83, par. 2, lit. a) of the GDPR" it is specified that "at least with reference to the UNIEMENS model of the month of July 2020, requested for the first time by the [complainant], on 1 September 2020, Amazon cannot be contested for any violation of art. 12 and 15 of the GDPR" (see cited note, p. 3);

- "with reference to the request for the other professional certificates, which took place on 23 August 2020 and was reiterated (at least in one of the emails sent by the [complainant] to the officials of the Human Resources department) on 1 September 2020, in fact, the Company did not promptly inform the applicant that it was not in a position to follow up on the request since - with the sole exception of the PES and PAV certificate - there was not materially any certificate to be sent, since these were internal Amazon courses having a mere internal authorization value for carrying out the assigned duties" (see note cited, p. 3);

- "we highlight: - the absence of any will on the part of Amazon to prevent a response to the worker's request. This absence of willful misconduct is demonstrated by Amazon's collaborative and legally compliant behavior with respect to the UNIEMENS certificate requested by the [claimant]; - the disputed violation relates solely to the Company's failure to respond promptly to the request for information, in good faith not interpreted as a request for access, while it does not in any way concern the loss of confidentiality, integrity or availability of the personal data of the interested party" (see cited note, p. 4);

- "the [complainant] is the only interested party involved in the violation and [...], as of today's date, no prejudice suffered by the aforementioned [complainant] due to the late response by the Company has been ascertained or demonstrated" (see note cit., p. 4);

- with reference to the "malicious or negligent nature of the violation pursuant to article 83, par. 2, lit. b) of the GDPR” “it is important to underline how the nature of the violation is merely negligent” (see note cited, p. 4);

- "this violation is part of an internal coordination problem between the competent departments of Amazon, aggravated by the concurrence of the [complainant's] request with the summer holiday period" (see cited note, p. 5);

- "the Company failed to promptly respond to the request to exercise the right of access pursuant to article 15 of the GDPR presented by the [complainant] - at least with reference to the certificates requested on 23 August 2020 - due to various unfortunate circumstances: - the circumstance that the [complainant] had requested non-existent certificates, with the exception of the UNIEMENS one provided on 25 September 2020 and the PES and PAV certificates which, however, were not available to Amazon and of which the [complainant] should have had a copy; - sending multiple requests by the [complainant] to different officials of the Human Resources department. Among other things [...] in the email sent on 1 September by the [complainant to a] partner of the Human Resources department who took charge of the request, reference was made only to the request of the UNIEMENS form of July 2020. This created confusion with respect to the other requests of the same [complainant]; - failure to use the appropriate email address as specified in the information pursuant to article 13 of the GDPR issued by the Company to the [complainant]. This circumstance, although not justifiable, certainly affected the delay with which the [complainant's] request was qualified within the Company as an exercise of the right of access pursuant to art. 15 of the GDPR" (see cited note, p. 5);

- with reference to "any previous relevant violations committed pursuant to article 83, par. 2, lit. e) and the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate its possible negative effects pursuant to article 83, par. 2, lit. f) of the GDPR" "to be considered equally relevant [...] is the extenuating circumstance that Amazon is not the recipient of any sanctioning measure for violations of the same content as the one we are dealing with (nor for more serious violations)" (see note cit., p. 5);

- "the complaint made to the Company does not include a violation of accountability in relation to the policies, organization and technical measures adopted by the same and aimed at executing its obligations pursuant to the GDPR. It is rather an isolated case which, moreover, involved only one interested party” (see cited note, p. 5, 6);

- "the Company has always stood out for its transparent and collaborative conduct towards this Authority, promptly providing its answers to requests for information received and also demonstrating complete availability towards the [complainant], who - after the intervention of the Guarantor - also received the only certificate available to Amazon" (see cited note, p. 6);

- with reference to the "categories of personal data affected by the violation pursuant to article 83, par. 2, lit. g) of the GDPR" "the conduct contested against Amazon by this Authority does not pertain to the processing of "particular categories of personal data" pursuant to article 9 of the GDPR or of "personal data relating to criminal convictions and crimes" pursuant to article 10 of the GDPR. […] Indeed, it can be said that with respect to the only certificate available (i.e. PES and PAV certificates) Amazon was not even the person entitled to receive the request from the [complainant], not being the data controller of personal data of the [complainant] with respect to the conduct and results of the training. [...] in fact, it was a training organized and managed by an external certifying body to which Amazon - without being obliged - had to contact to obtain a copy which it then sent to the [complainant] on the occasion of the letter dated 5 October 2021. Indeed, the certifying body had issued a copy of the certificate directly to the employee and Amazon was not in possession of it. The delay in responding to the [complainant] must also be attributed to this circumstance" (see cited note, p. 6);

- "in the unlikely event that the delay in Amazon's response were to be given weight, it is believed that the circumstances set out lead to the application of the minimum sanction. In support of the determination of the possible sanction, attention is drawn to an injunction order that this Authority issued, on 16 June last, [provision no. 226 of 16 June 2022 with which] the Guarantor ordered [...] the payment of a [pecuniary] fine. Therefore, if the request not to apply any sanction to Amazon is not accepted, the circumstances already assessed by the Guarantor in the context of the order set out above are referred to, in the alternative, which, based on the considerations made in this defense brief, are largely superimposable" (see cited note, p. 7).

3. The outcome of the investigation and of the procedure for the adoption of corrective and sanctioning measures.

As a result of the examination of the declarations made to the Authority during the proceeding as well as of the documentation acquired, it appears that the Company, as data controller, has carried out some processing operations, referring to the complainant, which are not compliant with the regulations on the protection of personal data. In this regard, it should be noted that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or attests information or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

On the merits, it emerged that the Company, also on the basis of what it declared, did not adequately respond to the request for access pursuant to art. 15 of the Regulation presented by the complainant concerning the "professional certificates obtained" and in particular: "PLE pallet elevator certificate, certificate for the management and programming of the palletiser robot (RME instructor [...]), certificate for authorized access in the goods unloading area 'yard', PES and PAV certificate, drive maintenance and floor robot management certificate. Stow and pick (SST instructor […])".

Indeed, only following the presentation of the complaint and the opening of the investigation did the Company send the complainant a copy of the "only certificate available to it, i.e. the PES and PAV certificate recovered from the certifying body following the request" and communicated that it could not provide a copy of the other training certificates requested "since there was no material certificate to be sent, since these were internal Amazon courses having a mere internal authorization value for carrying out the assigned tasks".

In particular, on 23 August 2020, the complainant, after receiving the requested UNIEMENS form of June 2020 from the Human Resources Department, contacted the same department, also according to what was declared by the same Company, requesting a copy of the aforementioned training certificates without receiving any response to it.

Subsequently - i.e. on 1 September 2020 - the complainant reiterated the request for access to the aforementioned training certificates by sending it to an employee in relation to whom the Company specified that she was "devoid of any management power and, therefore, not competent to follow up upon request".

Again according to what was specified by the Company and on the basis of the documentation in the records, this request was, however, forwarded to the Human Resources Department, by sending it to a "partner in the Human Resources department who took charge of the request". The request was sent, in particular, to the same person in charge of sending the UNIEMENS form to the complainant (email dated 21 August 2020 and 25 September 2020 in the file) and who limited himself to responding to requests to receive a copy of the UNIEMENS model.

Although on 25 September 2020 the requested UNIEMENS form of August 2020 was sent to the complainant by the Company - in relation to access to which no objection has been raised by the Authority as it is not believed there are any profiles of illegality regarding the conduct held with reference to this specific document -, on that occasion the complainant was not provided with any information regarding the request to receive a copy of the training certificates, not even regarding the impossibility of fulfilling the same for the training certificates with the exception of the PES and PAV certificate.

In this regard, the Company declared that it did not respond to the request to exercise the right of access for a variety of reasons, including the non-existence of the requested certificates with the exception of PES and PAV, the sending of multiple requests to different employees of the Human Resources department, failure to use the e-mail address indicated in the information pursuant to article 13 of the GDPR issued by the Company to the complainant.

The Company also specified that in the requests to exercise the right of access, the complainant had not made any reference to the exercise of the right of access pursuant to art. 15 of the Regulation.

Given this, it does not appear that the Company informed the complainant pursuant to art. 12, par. 4, of the Regulation of the impossibility of providing him with the required training certificates, nor that it sent him a copy of the PES and PAV certificate it possessed or that it communicated to him - before recovering this last certificate from the certifying body - that it did not have it.

Art. 12, par. 4 of the Regulation, with reference to the hypothesis in which the data controller cannot allow the exercise of the rights recognized by the Regulation to the interested party, including the right of access, provides that the same "inform[s] the interested party without delay, and at the latest within one month of receipt of the request, of the reasons for the non-compliance and of the possibility to lodge a complaint with a supervisory authority and to lodge a judicial appeal".

In this regard, with reference to the circumstances that the Company has identified as the causes of its conduct (lack of reference to Article 15 of the Regulation and failure to use the e-mail address specifically dedicated to this), it should be recalled that, as also recently clarified by the Guidelines 01/2022 on data subject rights - Right of access, adopted by the EDPB on 18 January 2022 (subject to public consultation concluded on 11 March 2022), the burden of specifying the legal basis of the request does not fall on the interested parties and that, if the data controller has doubts about the right that the interested party intends to exercise, it must ask the interested party to specify the subject (see Guidelines 01/2022 cit., point 47 "Data subjects are not required to specify the legal basis in their request" unofficial translation "Data subjects are not required to specify the legal basis in their request", and point 48 "If the controller has doubts as to which right the data subject wishes to exercise, it is recommended to ask the data subject making the request to explain the subject matter of the request" unofficial translation "If the data controller has doubts about the right that the interested party intends to exercise, it is recommended to ask the interested party making the request to explain the object").

Furthermore, the fact that the complainant sent requests to exercise the right of access to the Human Resources Department as well as to the email address EU-candidate-privacy@amazon.com and that the email of 1 September 2020 was sent by the complainant to an employee without management power (which, however, according to what was declared by the Company itself, was in any case forwarded to the Human Resources Department, which, therefore, was aware of it), cannot be considered circumstances such as to justify the absence of a reply (even a reply aimed at expressing the mere refusal pursuant to article 12, paragraph 4, of the Regulation) from the Company.

In this regard, it is noted with reference to the Company's declaration according to which the reasons for the absence of response to the complainant's requests must also include the "failure to use the appropriate email address as specified in the information pursuant to article 13 of the GDPR issued by the Company to the [complainant]", that there is no evidence that the same has been issued to the complainant and that, in any case, the cited document specifies that "if [the interested party] wishes further information on your rights regarding protection of personal data, please contact your HR department (or your Data Protection Officer, if designated) or send an email to EU-staff-privacy@amazon.com". Sending the request to exercise the rights to the e-mail address EU-staff-privacy@amazon.com is, therefore, also by express provision of the Company, an alternative to contacting the human resources department or the data protection officer.

In the present case it was ascertained that the complainant contacted, among other things, also according to what was declared by the Company, the human resources department by sending an e-mail to an employee of the same.

It should also be recalled that the aforementioned Guidelines 01/2022 on data subject rights - Right of access recently clarified that data subjects are not required to adopt a specific format for submitting requests to exercise the right of access (see Guidelines 01/2022 cit., point 52 "the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller" unofficial translation "the General Data Protection Regulation does not impose any requirements on data subjects regarding the format of the request for access to personal data. Therefore, in principle, there are no requirements that the data subject is required to comply with when choosing a communication channel through which to get in touch with the data controller").

Finally, it should be noted that the same Company, in the context of the procedure for examining the requests to exercise the rights as described in the course of the procedure, contemplates - correctly - that the requests can be presented in different ways than sending to the dedicated e-mail account.

The Company, for the reasons set out above, has violated Articles 12 and 15 of the Regulation.

4. Conclusions: declaration of illegality of the processing. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the preliminary investigation do not allow the findings notified by the Office with the act of initiating the procedure to be overcome and that they are therefore unsuitable to allow the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

The processing of personal data carried out by the Company, and in particular the failure to reply (including by communicating the reasons for the refusal pursuant to article 12, paragraph 4, of the Regulation) to the access request presented by the complainant, is in fact unlawful, in the terms set out above, in relation to articles 12 and 15 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility, the manner in which the supervisory authority became aware of the violation and previous relevant violations (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, a pecuniary administrative sanction pursuant to art. 83 of the Regulation is applied, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding it appears that Amazon Italia Logistica s.r.l. has violated Articles 12 and 15 of the Regulation. For the violation of the aforementioned provisions, the pecuniary administrative sanction envisaged by art. 83, par. 5, lett. b) of the Regulation applies, through the adoption of an injunction order (art. 18, l. 24.11.1981, n. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the fine must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation which concerned the exercise of the rights of the data subject was considered relevant;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the data controller, account was taken of the conduct and degree of responsibility of the Company, which did not comply with the data protection regulations in relation to a plurality of provisions;

c) in favor of the Company, account was taken of the cooperation with the Supervisory Authority and of the circumstance that the ascertained violation concerned only the complainant.

It is also believed that, in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), relevance is assumed, firstly, by the economic conditions of the offender, determined on the basis of the revenues earned by the Company with reference to the ordinary financial statements for the year 2021. Lastly, the amount of the sanctions imposed in similar cases is taken into account.

In the light of the elements indicated above and the assessments made, it is considered appropriate, in the present case, to apply the administrative sanction of payment of a sum equal to 20,000 (twenty thousand) euros against Amazon Italia Logistica s.r.l.

In this context, it is also considered, in view of the type of violations ascertained, which concerned the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019 are met.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by Amazon Italia Logistica s.r.l., in the person of its legal representative, with registered office in Viale Monte Grappa 3/5 - 20124 Milan (MI), Tax Code 07231660965, pursuant to art. 143 of the Code, for the violation of Articles 12 and 15 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation, Amazon Italia Logistica s.r.l. to pay the sum of 20,000 (twenty thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOINS

the same Company to pay the aforementioned sum of 20,000 (twenty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions set forth in art. 17 of Regulation no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 1st December 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei