Garante per la protezione dei dati personali (Italy) - 9899914: Difference between revisions

From GDPRhub
No edit summary
Line 68: Line 68:


=== Facts ===
=== Facts ===
The data subject applied for a loan with Volkswagen Leasing GmbH, the controller, and submitted the documents containing their personal data for creditworthiness assessment. The loan was denied and the data subject made an access request, asking what data had been used in the assessment. In response, the controller sent a copy of the same documentation that the data subject had sent, without specifically indicating which data had been used in the analysis. However, the controller admitted that it had accessed an credit information system (CIS), namely the CRIF S.p.A, to whom it assigned responsibility for providing further information.  
The data subject applied for a loan with Volkswagen Leasing GmbH, the controller, and submitted the documents containing their personal data for creditworthiness assessment. The loan was denied and the data subject made an access request, asking what data had been used in the assessment. In response, the controller sent a copy of the same documentation that the data subject had sent, without specifically indicating which data had been used in the analysis. However, the controller admitted that it had accessed a credit information system (CIS), namely by CRIF S.p.A, to whom it assigned responsibility for providing further information.  


The data subject filed a complaint with the Italian DPA, claiming that the controller violated their right to access provided for by [[Article 15 GDPR|Article 15 GDPR]]. The DPA notified the controller that then argued that it does not carry out any customer profiling and that the only automated decision-making process is done on the basis of accessing the CIS. The controller also confirmed that the only CIS to which it adheres to is the CRIF S.p.A and provided its contact details, so that the data subject could exercise their rights before it. Finally, the controller provided a copy of the report prepared by CRIF S.p.A. containing all the credit information used for the creditworthiness assessment.
The data subject filed a complaint with the Italian DPA, claiming that the controller violated their right to access provided for by [[Article 15 GDPR|Article 15 GDPR]]. The DPA notified the controller that then argued that it does not carry out any customer profiling and that the only automated decision-making process is done on the basis of accessing the CIS. The controller also confirmed that the only CIS to which it adheres to is the one by CRIF S.p.A. and provided its contact details, so that the data subject could exercise their rights before it CRIF S.p.A. Finally, the controller provided a copy of the report prepared by CRIF S.p.A. containing all the credit information used for the creditworthiness assessment.


=== Holding ===
=== Holding ===
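Review bot: In the revised second paragraph, "exercise their rights before it CRIF S.p.A." keeps the old pronoun "it" beside the inserted name, so the sentence no longer parses; drop "it" so that it reads "before CRIF S.p.A.". In the revised first paragraph, "namely by CRIF S.p.A," leaves "by" without a noun to attach to and omits the final period that the second paragraph now uses ("S.p.A."); "namely the one by CRIF S.p.A.," would match the wording chosen in the second paragraph. The doubled preposition in "to which it adheres to" is also still present in the new text.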
Line 79: Line 79:
According to the DPA, it is precisely in situations of this type that the right of access plays the role a tool to control the lawfulness and accuracy of the processing. Therefore, controllers must take all measures, according to the accountability principle, to facilitate the exercise of this right ([[Article 5 GDPR#2|Article 5(2)]] and [[Article 12 GDPR#2|Article 12(2) GDPR]]).
According to the DPA, it is precisely in situations of this type that the right of access plays the role a tool to control the lawfulness and accuracy of the processing. Therefore, controllers must take all measures, according to the accountability principle, to facilitate the exercise of this right ([[Article 5 GDPR#2|Article 5(2)]] and [[Article 12 GDPR#2|Article 12(2) GDPR]]).


For these reasons, the DPA found that the mere mention of the use of creditworthiness assessments and the provision of the contact details of CRIF S.p.A was not sufficient, since it is up to the controller to comply  with the obligation provided for by [[Article 15 GDPR|Article 15 GDPR]]. The DPA pointed out that the controller failed to provide the full information contained in the creditworthiness report, which was relevant for the verification of the accuracy and lawfulness of the processing. Although this information was in the controller's possession and had been expressly requested, the controller refused to provide it.
For these reasons, the DPA found that the mere mention of the use of creditworthiness assessments and the provision of the contact details of CRIF S.p.A. was not sufficient, since it is up to the controller to comply  with the obligation provided for by [[Article 15 GDPR|Article 15 GDPR]]. The DPA pointed out that the controller failed to provide the full information contained in the creditworthiness report, which was relevant for the verification of the accuracy and lawfulness of the processing. Although this information was in the controller's possession and had been expressly requested, the controller refused to provide it.


Based on the above, the DPA held that the controller fviolated [[Article 12 GDPR|Articles 12]] and [[Article 15 GDPR|15 GDPR]] and issued a fine of €40,000.
Based on the above, the DPA held that the controller violated [[Article 12 GDPR|Articles 12]] and [[Article 15 GDPR|15 GDPR]] and issued a fine of €40,000.


== Comment ==
== Comment ==
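Review bot: The unchanged first paragraph of this hunk still reads "plays the role a tool", which is missing "of", and the edited second paragraph keeps the double space in "to comply  with". Both could be corrected in the same revision that fixes "fviolated" and "S.p.A".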

Revision as of 10:28, 27 June 2023

Garante per la protezione dei dati personali - 9899914
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.08.2021
Published: 17.05.2023
Fine: 40,000 EUR
Parties: Volkswagen Leasing GmbH
National Case Number/Name: 9899914
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: Bernardo Armentano

In response to an access request, Volkswagen Leasing failed to provide personal data that it had obtained from a credit information system and used for the creditworthiness assessment of the data subject. The Italian DPA issued a fine of €40,000.

English Summary

Facts

The data subject applied for a loan with Volkswagen Leasing GmbH, the controller, and submitted the documents containing their personal data for creditworthiness assessment. The loan was denied and the data subject made an access request, asking what data had been used in the assessment. In response, the controller sent a copy of the same documentation that the data subject had sent, without specifically indicating which data had been used in the analysis. However, the controller admitted that it had accessed a credit information system (CIS), namely the one by CRIF S.p.A., to whom it assigned responsibility for providing further information.

The data subject filed a complaint with the Italian DPA, claiming that the controller violated their right to access provided for by Article 15 GDPR. The DPA notified the controller, which then argued that it does not carry out any customer profiling and that the only automated decision-making process is done on the basis of accessing the CIS. The controller also confirmed that the only CIS to which it adheres is the one by CRIF S.p.A. and provided its contact details, so that the data subject could exercise their rights before CRIF S.p.A. Finally, the controller provided a copy of the report prepared by CRIF S.p.A. containing all the credit information used for the creditworthiness assessment.

Holding

The DPA highlighted that the right to access is mainly conceived as a tool for data subjects to learn what data is being used and how it is being used, thereby enabling them to exercise control over it. Pursuant to Article 15 GDPR, when replying to an access request, controllers cannot provide a general description of the data or a simple reference to the categories, nor can they omit any information in their possession. On the contrary, such information must be complete and updated, corresponding as much as possible to the state of data processing at the time of receipt of the request. Moreover, it must be provided in a concise, transparent, intelligible and easily accessible form.

The DPA further emphasized that, in the case at hand, the peculiar context underlying the access request (acquisition of personal data from a CIS) requires particular attention on the part of the controller with regard to the technical-organizational measures to be adopted, notably due to the delicate nature of the information processed and the potential negative impacts on the rights and freedoms of the data subject.

According to the DPA, it is precisely in situations of this type that the right of access plays the role of a tool to control the lawfulness and accuracy of the processing. Therefore, controllers must take all measures, according to the accountability principle, to facilitate the exercise of this right (Article 5(2) and Article 12(2) GDPR).

For these reasons, the DPA found that the mere mention of the use of creditworthiness assessments and the provision of the contact details of CRIF S.p.A. was not sufficient, since it is up to the controller to comply with the obligation provided for by Article 15 GDPR. The DPA pointed out that the controller failed to provide the full information contained in the creditworthiness report, which was relevant for the verification of the accuracy and lawfulness of the processing. Although this information was in the controller's possession and had been expressly requested, the controller refused to provide it.

Based on the above, the DPA held that the controller violated Articles 12 and 15 GDPR and issued a fine of €40,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 22 June 2023



[doc. web no. 9899914]

Provision of May 17, 2023

Register of measures
no. 199 of 17 May 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO the legislative decree of 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree of 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

HAVING REGARD TO the complaint presented to the Guarantor pursuant to article 77 of the Regulation on 18 August 2021, with which Mr. XX complained of an alleged violation of the Regulation, with specific reference to the reply, provided by Volkswagen Leasing GmbH, to the request of exercising the rights submitted pursuant to articles 15-22 of the Regulation;

HAVING EXAMINED the documentation in the deeds;

GIVEN the observations made by the deputy secretary general pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. The complaint and the preliminary investigation.

With the complaint presented to this Authority on August 18, 2021, Mr. XX complained that Volkswagen Leasing GmbH (hereinafter also "VWL") did not fully respond to an advanced request for access to personal data, on 8 June 2021, in order to know the information "in possession [of the aforementioned Company], including the communications received from the SICs", communications that would have led to the denial of the loan request presented by the same in order to obtain a rental at long-term (see complaint of 18 August 2021, Annex IV).

Specifically, the complainant reported that the response, received from Volkswagen Leasing GmbH on 18 June 2021, contained a copy of the documentation submitted by the same to obtain the requested loan but did not provide indications regarding the data processed for the purposes of creditworthiness assessments relating to its person (see complaint of 18 August 2021, Annexes I and IV).

Furthermore, the aforesaid information had not even been provided in the communication of 24 June with which the controller, in response to the requests for integration of the complainant of 18 and 22 June 2021, limited himself to communicating that he had accessed CRIF S.p.A. - credit information system (hereinafter "SIC") - delegating to the same the burden of exercising, where appropriate, the rights pursuant to articles 15-22 of the Regulation directly against the latter Company (see complaint of 18 August 2021, Annex IV).

Following the invitation to provide information, formulated by the Office with communication of 17 September 2021, as well as the subsequent requests for documentary additions (see the notes of 10 March 2022 and 18 July 2022), Volkswagen Leasing GmbH, with communications of 22 October 2021, 8 April and 2 August 2022, declared the following.

The "assessment process underlying the decision to deny Mr. XX's long-term rental activation application was based on the analysis of the assets and income documentation communicated [by the same] (...), as well as on the analysis of the creditworthiness information obtained by querying the credit information system managed by Crif S.p.A.” (see acknowledgment note of 8 April 2022, page 2).

From all of this information emerged "a credit unreliability of Mr. XX" and an "inadequate financial situation for the granting of the loan for the long-term rental" leading to the conclusion that "the loan application could not be accepted" (see acknowledgment note of 8 April 2022, pp. 3-4).

With reference to the obligations pursuant to art. 13 of the Regulation, the information to be provided to the interested party pursuant to the aforementioned provision was provided to the complainant through the information provided by the owner "at the time of signing the contractual offer" (see acknowledgment note of 22 October 2021, pp. 4-5; see also acknowledgment note of 8 April 2022, Annex 7 - "Information on the rental contract for vehicles without a driver pursuant to Article 13 of EU Regulation 2016/679", paragraphs 3.2 and 7).

As regards the obligations put in place by Volkswagen Leasing GmbH, pursuant to articles 12 and 15 of the Regulation, in the present case, the request to exercise the rights presented by Mr. XX on 8 June 2021 was found "promptly and amply within the terms set by art. 12 of the GDPR (..), attaching all the documents in [the holder's] possession: identity card, membership form, National Vehicle Archive, signed quotation proposal, single certification, SEPA mandate" (see acknowledgment note of 17 September 2021, page 2).

The subsequent communication from the complainant dated 18 June 2021 was answered on 22 June 2021, "specifying in particular that - as provided for in the privacy information - no customer profiling takes place, and that the only existing automated decision-making process is refers to the information processed on the basis of access to Credit Information Systems” (see feedback note of 17 September 2021, page 2).

The further request for clarification, presented on 22 June 2021 by Mr. XX and aimed at knowing "the communications (and related contents) between VWL and SIC", was confirmed by indicating CRIF S.p.A. as the "only SIC to which VWL adheres, both in the query and contribution phase" as well as through the transmission of the "contact details of the latter" so that the interested party could directly contact the aforementioned owner to find out the outcome of the queries carried out by Volkswagen Leasing GmbH in terms of reliability in terms of punctual payments (see acknowledgment note of 17 September 2021, pages 2-3).

Finally, a copy of the "Report Sprint 2.0", prepared by CRIF S.p.A., and containing all the credit information relating to Mr. XX used to fulfill the reliability checks inherent in the case in question, was sent to the undersigned Authority by the Company, with acknowledgment note dated 2 August 2022.

2. Notification of violations and defense briefs.

With communication dated 5 December 2022, the Office, on the basis of the documentation in the documents and the elements acquired during the investigation, proceeded to notify Volkswagen Leasing GmbH of the initiation of the procedure for the adoption of the provisions pursuant to articles 58, par. 2, and 83, of the Regulation in relation to the violation of articles 12 and 15, of the same; this in compliance with the provisions of art. 166, paragraph 5, of the Code.

In this regard, the Company, with a note dated 19 December 2022, sent its defense writings, together with the supplementary communication dated 6 February 2022, with which it reiterated that the choice to indicate to the complainant exclusively the references of Crif S.p.A. "was pursued with a view to facilitating, in good faith, the exercise of the right of access by the complainant, as well as any additional rights that could be exercised by the same (such as, by way of example, the right of rectification pursuant to of Article 16 of the Regulation). Specifically, in addressing Mr. XX to SIC Crif S.p.A., the Company deemed it able to guarantee the interested party a more complete management of your request to exercise the right to access the Report, placing him in a position to obtain a comprehensive response on the matter to the logic of the processing of your personal data adopted by Crif S.p.A., in its role as Data Controller for the preparation of the Report as well as the information contained in the information systems that represented its source" (see note of 19 December 2022, page 3).

He also declared that he "provided the Report to Mr. XX, by communication dated December 19, 2022" (see note dated December 19, 2022, page 4).

On 15 February 2023, during the hearing requested by the Company, the latter, in referring in full to what has already been expressed in the defense writings cited above, also invited the Authority, at the time of the assessments to be carried out in order the seriousness of the disputed violation, taking into account the absence of willful misconduct by the data controller, the fact that the response to the access request was provided by the data controller, within the timeframe established by law, the high degree of cooperation shown by Volkswagen Leasing GmbH in the course of the proceedings.

Finally, he highlighted the legitimacy of the processing of personal data at the basis of the request presented by the interested party pursuant to art. 15 of the Regulation as well as the absence of any type of damage and/or consequence prejudicial to the rights of the interested party as a consequence of the Company's behavior (see, in this regard, also the note of 6 February 2022).

3. The outcome of the investigation.

First of all, it should be noted that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

Dutifully stated, following the examination of the documentation in the file and the declarations made by Volkswagen Leasing GmbH during the proceeding, it was ascertained that the Company has provided insufficient response to the request to exercise the right of access to one's personal data presented by the complainant, failing, also following a specific request by the same, to transmit the personal information contained in the "Report Sprint 2.0", found by Crif S.p.A. and refer to the creditworthiness of Mr. XX. All this in violation of the articles 12 and 15 of the Regulation.

In fact, it is worth highlighting that the right of access pursuant to art. 15 of the Regulation is mainly conceived as a tool aimed at allowing, in general, the interested party to exercise "control" over the personal data concerning him, ensuring him full awareness of the information being processed and the actual methods of the latter.

Indeed, the purpose of the right of access is primarily to make known "what" data and "how" they have been and are processed by the owner in order to provide the interested party with the tools to "know and verify the lawfulness and accuracy of the treatment" referred to the same (see cons. 63 of the Regulation; European Data Protection Committee, "Guidelines 01/2022 on data subject rights - Right of access", cit., paragraphs 10-13).

Pursuant to art. 15 of the Regulation, therefore, the owner, when replying to an access request, cannot limit himself to issuing "a general description of the data [or] a simple reference to the categories of personal data processed", nor can he omit information in its possession where referable to the interested party; on the contrary, it is rather required to provide "access to all personal data relating to the data subject" actually being processed.

This information "must be complete, correct and updated, corresponding as much as possible to the state of data processing at the time of receipt of the request" and must be provided "in a concise, transparent, intelligible and easily accessible form" to the latter (Committee European Data Protection Authority, "Guidelines 01/2022 on data subject rights - Right of access", cited above, paragraphs 34-35; Article 12, paragraph 1 of the Regulation).

It is also noted that, in the specific case, the peculiar context (acquisition of personal data from a SIC), underlying the request to exercise the right of access presented by the complainant, requires particular attention, on the part of the data controller, in order to the technical-organizational measures to be adopted to manage the obligations required by the data protection legislation; this due to the particularly delicate nature of the information processed in the hypothesis in question (relating to the reliability in terms of punctuality in payments of the interested party) as well as the possible prejudicial consequences, on the rights and freedoms of the individual, deriving from the treatment of the same (first of all, as happened for the complainant, the refusal to grant the requested loan).

It is precisely in situations of this type that the right of access clearly plays the role of the main control tool, for the interested party, regarding the lawfulness and correctness of the processing, making the adoption, by the owner, pursuant to of the principle of accountability, of all the measures necessary to "facilitate the exercise [of this right]" (Article 5, paragraph 2 and Article 12, paragraph 3 of the Regulation).

Therefore, the mere mention of the use of creditworthiness assessments - as happened in the present case - and the contextual invitation for the interested party to contact the SIC manager in order to find them, is not sufficient for the latter (see acknowledgment note dated 8 April 2022, Annex 6; see also note dated 19 December 2022, page 3), as it is above all the duty of the holder, also as a participant in the aforementioned SIC, to provide, in compliance with the art. 15 of the Regulation, the information acquired and effectively processed therein (see in this regard, article 9 of the "Code of conduct for information systems managed by private entities on the subject of consumer credit, reliability and punctuality in payments", approved with resolution of the Guarantor of 6 October 2022, where specific obligations are envisaged for the manager and for the participants in the aforementioned SICs aimed at guaranteeing a punctual and timely response, by the latter, to the requests to exercise the rights presented by the interested parties).

In the light of the above considerations, the feedback provided by Volkswagen Leasing GmbH in the case in question therefore appears to be insufficient with respect to the provisions of art. 15 of the Regulation, lacking the communication of some information relating to the interested party (specifically those contained in the Crif S.p.A. Report relating to the creditworthiness of the same), information also necessary for the same to verify the correctness and lawfulness of the treatment put in place by the holder; all of this, moreover, although the aforesaid information was in Volkswagen Leasing GmbH's possession at the time the claimant submitted the access request (see acknowledgment notes of 8 April and 2 August 2022) and had been expressly requests from the latter (see the communication of 22 June 2021 with which Mr. XX, in an attempt to further specify the scope of application of his request pursuant to article 15 of the Regulation, requested to obtain a "copy of the response received from the SICs (..) questioned by the data controller regarding [his] person"; see acknowledgment note of 8 April 2022, Annex 6).

It should also be noted that the processing of personal data contained in the aforementioned Report was the basis of the assessment of unreliability of the complainant on which the non-acceptance of the loan request for a long-term rental depended (see acknowledgment note of the April 8, 2022, page 4).

On this point, it emerged in particular that Volkswagen Leasing GmbH provided Mr. XX with the personal information contained in the Crif S.p.A. Report, as requested in the access request presented by the latter pursuant to art. 15 of the Regulation, only on 19 December 2022, thus preventing the latter, until that date, from verifying the accuracy of such data and the possible lawfulness of the related processing (Article 12, paragraph 3 and Article 15 of the Regulation).

For all the reasons highlighted overall, the conduct of Volkswagen Leasing GmbH was placed in contrast with the articles 12 and 15 of the Regulation.

Without prejudice to what emerged in relation to the violations carried out by the owner, as regards the adoption of corrective powers by the undersigned Authority, the conditions for adopting a measure with respect to the request for "enjoin the data controller to satisfy requests to exercise the rights pursuant to articles from 15 to 22 of the Regulation" (see complaint of 18 August 2021, page 3), in consideration of the spontaneous fulfillment by the owner, during the procedure, as highlighted above (see infra par. 1).

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of the aforementioned provisions entails the application of the administrative sanction provided for by art. 83, par. 5, letter. b), of the Regulation.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and the relative quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the hypothesis in question, the following circumstances were taken into consideration:

- with regard to the seriousness of the violation (article 83, paragraph 2, letter a) of the Regulation), the nature (concerning the non-compliance with the principles of treatment) and the duration of the same (which lasted for about 16 months), as well as the level of damage suffered by the interested party (impossibility to verify the accuracy of the information processed by the Company in order to refuse the loan requested and possibly request the relative rectification/cancellation); account was also taken in favor of the offender of the circumstance that the conduct was limited to a single event and concerned only one interested party;

- with regard to the type of information subject to infringement (article 83, paragraph 2, letter g) of the Regulation), the peculiar nature of the information processed by the Company for the aforesaid purposes was considered; information which, although not included in the context of special data, is nonetheless characterized by a high level of sensitivity as it is intended to highlight the 'reliability' in terms of punctuality of customer payments. All this also taking into account the possible economic and social consequences that may derive, for the interested parties, from their illicit treatment;

- with reference to the subjective element (Article 83, paragraph 2, letter b), the culpable nature of the violation was found due to the owner's erroneous belief that directing the complainant to the manager of the SIC subject to consultation could allow the same to have exact and updated information regarding their credit situation;

- with regard to the adoption, by the owner, of measures aimed at mitigating or eliminating the consequences of the violation (Article 83, paragraph 2, letter c) of the Regulation), the fact that Volkswagen Leasing GmbH was positively considered has spontaneously provided the complainant, during the procedure, with the personal information requested by him with an access request.

The circumstance that the Company actively cooperated with the Authority during the proceedings (Article 83, paragraph 2, letter f) of the Regulation) was also assessed in favor of the offender, as well as the fact that there are no previous violations committed by Volkswagen Leasing GmbH or previous provisions pursuant to art. 58 of the Regulation (art. 83, paragraph 2, letter e) of the Regulation).

Furthermore, it is believed that they assume relevance, in the present case, in consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), the economic conditions of the infringer.

Lastly, the entity of the sanctions imposed by the Guarantor in similar cases was also considered.

Based on all the elements set out above, evaluated as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of 40,000 (forty thousand) euros for the violation of articles 12 and 15 of the Regulation.

In this framework, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, as well as the peculiar nature of the information being processed (data relating to the creditworthiness of the interested party) and the consequences deriving from the same 'unfinished response from the owner (first of all, the impossibility of verifying the accuracy of the information processed to decree the refusal of the requested loan), it is noted, pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, of having to proceed with the publication of the injunction order on the website of the Guarantor.

Finally, it is believed that the conditions set forth in art. 17 of regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THAT BEING CONSIDERED, THE GUARANTOR

pursuant to articles 57, par. 1, lit. a) and 83 of the Regulation, notes the unlawfulness of the processing carried out by Volkswagen Leasing GmbH, based in Germany, VAT no. 12549080153, in the terms set out in the reasoning, for the violation of articles 12 and 15 of the Regulation;

believes that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation, Volkswagen Leasing GmbH to pay the sum of 40,000 (forty thousand) euros as an administrative fine for the violations indicated in this provision.

ENJOINS

therefore Volkswagen Leasing GmbH to pay the aforementioned sum of 40,000 (forty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.

ORDERS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 17 May 2023

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi



SEE ALSO Newsletter of 22 June 2023



[doc. web no. 9899914]

Provision of May 17, 2023

Register of measures
no. 199 of 17 May 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO the legislative decree of 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree of 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

HAVING REGARD TO the complaint presented to the Guarantor pursuant to article 77 of the Regulation on 18 August 2021, with which Mr. XX complained of an alleged violation of the Regulation, with specific reference to the reply, provided by Volkswagen Leasing GmbH, to the request to exercise the rights submitted pursuant to articles 15-22 of the Regulation;

HAVING EXAMINED the documentation on file;

GIVEN the observations made by the deputy secretary general pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. The complaint and the preliminary investigation.

With the complaint presented to this Authority on August 18, 2021, Mr. XX complained that Volkswagen Leasing GmbH (hereinafter also "VWL") did not fully respond to a request for access to personal data, submitted on 8 June 2021, in order to know the information "in possession [of the aforementioned Company], including the communications received from the SICs", communications that would have led to the denial of the loan request presented by him in order to obtain a long-term rental (see complaint of 18 August 2021, Annex IV).

Specifically, the complainant reported that the response, received from Volkswagen Leasing GmbH on 18 June 2021, contained a copy of the documentation submitted by him to obtain the requested loan but did not provide indications regarding the data processed for the purposes of the creditworthiness assessment relating to him (see complaint of 18 August 2021, Annexes I and IV).

Furthermore, this information had not been provided even in the communication of 24 June with which the controller, in response to the complainant's requests for supplementary information of 18 and 22 June 2021, limited itself to communicating that it had accessed CRIF S.p.A. - credit information system (hereinafter "SIC") - leaving to the complainant the burden of exercising, where appropriate, the rights pursuant to articles 15-22 of the Regulation directly against the latter Company (see complaint of 18 August 2021, Annex IV).

Following the invitation to provide information, formulated by the Office with communication of 17 September 2021, as well as the subsequent requests for documentary additions (see the notes of 10 March 2022 and 18 July 2022), Volkswagen Leasing GmbH, with communications of 22 October 2021, 8 April and 2 August 2022, declared the following.

The "assessment process underlying the decision to deny Mr. XX's long-term rental activation application was based on the analysis of the assets and income documentation communicated [by the same] (...), as well as on the analysis of the creditworthiness information obtained by querying the credit information system managed by Crif S.p.A." (see acknowledgment note of 8 April 2022, page 2).

From all of this information emerged "a credit unreliability of Mr. XX" and an "inadequate financial situation for the granting of the loan for the long-term rental" leading to the conclusion that "the loan application could not be accepted" (see acknowledgment note of 8 April 2022, pp. 3-4).

With reference to the obligations pursuant to art. 13 of the Regulation, the information to be provided to the interested party pursuant to the aforementioned provision was given to the complainant through the notice provided by the controller "at the time of signing the contractual offer" (see acknowledgment note of 22 October 2021, pp. 4-5; see also acknowledgment note of 8 April 2022, Annex 7 - "Information on the rental contract for vehicles without a driver pursuant to Article 13 of EU Regulation 2016/679", paragraphs 3.2 and 7).

As regards the obligations fulfilled by Volkswagen Leasing GmbH pursuant to articles 12 and 15 of the Regulation in the present case, the request to exercise the rights presented by Mr. XX on 8 June 2021 was answered "promptly and amply within the terms set by art. 12 of the GDPR (..), attaching all the documents in [the holder's] possession: identity card, membership form, National Vehicle Archive, signed quotation proposal, single certification, SEPA mandate" (see acknowledgment note of 17 September 2021, page 2).

The subsequent communication from the complainant dated 18 June 2021 was answered on 22 June 2021, "specifying in particular that - as provided for in the privacy information - no customer profiling takes place, and that the only existing automated decision-making process refers to the information processed on the basis of access to Credit Information Systems" (see feedback note of 17 September 2021, page 2).

The further request for clarification, presented on 22 June 2021 by Mr. XX and aimed at knowing "the communications (and related contents) between VWL and SIC", was answered by indicating CRIF S.p.A. as the "only SIC to which VWL adheres, both in the query and contribution phase" as well as through the transmission of the "contact details of the latter" so that the interested party could directly contact the aforementioned controller to find out the outcome of the queries carried out by Volkswagen Leasing GmbH regarding his reliability in terms of punctual payments (see acknowledgment note of 17 September 2021, pages 2-3).

Finally, a copy of the "Report Sprint 2.0", prepared by CRIF S.p.A. and containing all the credit information relating to Mr. XX used to carry out the reliability checks inherent in the case in question, was sent to this Authority by the Company with acknowledgment note dated 2 August 2022.

2. Notification of violations and defense briefs.

With communication dated 5 December 2022, the Office, on the basis of the documentation on file and the elements acquired during the investigation, proceeded to notify Volkswagen Leasing GmbH of the initiation of the procedure for the adoption of the provisions pursuant to articles 58, par. 2, and 83 of the Regulation in relation to the violation of articles 12 and 15 of the same; this in compliance with the provisions of art. 166, paragraph 5, of the Code.

In this regard, the Company, with a note dated 19 December 2022, sent its defense briefs, together with the supplementary communication dated 6 February 2022, with which it reiterated that the choice to indicate to the complainant exclusively the references of Crif S.p.A. "was pursued with a view to facilitating, in good faith, the exercise of the right of access by the complainant, as well as any additional rights that could be exercised by the same (such as, by way of example, the right of rectification pursuant to Article 16 of the Regulation). Specifically, in directing Mr. XX to SIC Crif S.p.A., the Company believed it could guarantee the interested party a more complete handling of his request to exercise the right to access the Report, placing him in a position to obtain a comprehensive response regarding the logic of the processing of his personal data adopted by Crif S.p.A., in its role as Data Controller for the preparation of the Report, as well as the information contained in the information systems that represented its source" (see note of 19 December 2022, page 3).

It also declared that it "provided the Report to Mr. XX, by communication dated December 19, 2022" (see note dated December 19, 2022, page 4).

On 15 February 2023, during the hearing requested by the Company, the latter, referring in full to what it had already stated in the defense briefs cited above, also invited the Authority, when assessing the seriousness of the disputed violation, to take into account the absence of willful misconduct by the data controller, the fact that the response to the access request was provided by the data controller within the timeframe established by law, and the high degree of cooperation shown by Volkswagen Leasing GmbH in the course of the proceedings.

Finally, it highlighted the legitimacy of the processing of personal data underlying the request presented by the interested party pursuant to art. 15 of the Regulation as well as the absence of any type of damage and/or consequence prejudicial to the rights of the interested party as a result of the Company's behavior (see, in this regard, also the note of 6 February 2022).

3. The outcome of the investigation.

First of all, it should be noted that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

That said, following the examination of the documentation in the file and the declarations made by Volkswagen Leasing GmbH during the proceeding, it was ascertained that the Company provided an insufficient response to the request to exercise the right of access to personal data presented by the complainant, failing, even following a specific request by the same, to transmit the personal information contained in the "Report Sprint 2.0", obtained from Crif S.p.A. and relating to the creditworthiness of Mr. XX. All this in violation of articles 12 and 15 of the Regulation.

In fact, it is worth highlighting that the right of access pursuant to art. 15 of the Regulation is mainly conceived as a tool aimed at allowing, in general, the interested party to exercise "control" over the personal data concerning him, ensuring him full awareness of the information being processed and of how it is actually processed.

Indeed, the purpose of the right of access is primarily to make known "what" data have been and are processed by the controller, and "how", in order to provide the interested party with the tools to "know and verify the lawfulness and accuracy of the treatment" referred to the same (see recital 63 of the Regulation; European Data Protection Board, "Guidelines 01/2022 on data subject rights - Right of access", cit., paragraphs 10-13).

Pursuant to art. 15 of the Regulation, therefore, the controller, when replying to an access request, cannot limit itself to issuing "a general description of the data [or] a simple reference to the categories of personal data processed", nor can it omit information in its possession where referable to the interested party; on the contrary, it is required to provide "access to all personal data relating to the data subject" actually being processed.

This information "must be complete, correct and updated, corresponding as much as possible to the state of data processing at the time of receipt of the request" and must be provided "in a concise, transparent, intelligible and easily accessible form" to the latter (European Data Protection Board, "Guidelines 01/2022 on data subject rights - Right of access", cited above, paragraphs 34-35; Article 12, paragraph 1 of the Regulation).

It is also noted that, in the specific case, the peculiar context (acquisition of personal data from a SIC) underlying the request to exercise the right of access presented by the complainant requires particular attention, on the part of the data controller, with regard to the technical and organizational measures to be adopted to manage the obligations required by the data protection legislation; this is due to the particularly delicate nature of the information processed in the case in question (relating to the reliability of the interested party in terms of punctuality in payments) as well as the possible prejudicial consequences, for the rights and freedoms of the individual, deriving from the processing of the same (first of all, as happened for the complainant, the refusal to grant the requested loan).

It is precisely in situations of this type that the right of access clearly plays the role of the main control tool, for the interested party, regarding the lawfulness and correctness of the processing, making it necessary for the controller, pursuant to the principle of accountability, to adopt all the measures needed to "facilitate the exercise [of this right]" (Article 5, paragraph 2 and Article 12, paragraph 3 of the Regulation).

Therefore, the mere mention of the use of creditworthiness assessments - as happened in the present case - and the accompanying invitation for the interested party to contact the SIC manager in order to obtain them is not sufficient (see acknowledgment note dated 8 April 2022, Annex 6; see also note dated 19 December 2022, page 3), as it is above all the duty of the controller, also as a participant in the aforementioned SIC, to provide, in compliance with art. 15 of the Regulation, the information acquired from it and actually processed (see in this regard, article 9 of the "Code of conduct for information systems managed by private entities on the subject of consumer credit, reliability and punctuality in payments", approved with resolution of the Guarantor of 6 October 2022, where specific obligations are envisaged for the manager and for the participants in the aforementioned SICs aimed at guaranteeing a punctual and timely response, by the latter, to the requests to exercise the rights presented by the interested parties).

In the light of the above considerations, the response provided by Volkswagen Leasing GmbH in the case in question therefore appears to be insufficient with respect to the provisions of art. 15 of the Regulation, as it lacked the communication of some information relating to the interested party (specifically the information contained in the Crif S.p.A. Report relating to the creditworthiness of the same), information also necessary for the same to verify the correctness and lawfulness of the processing carried out by the controller; all of this, moreover, although the aforesaid information was in Volkswagen Leasing GmbH's possession at the time the complainant submitted the access request (see acknowledgment notes of 8 April and 2 August 2022) and had been expressly requested by the latter (see the communication of 22 June 2021 with which Mr. XX, in an attempt to further specify the scope of his request pursuant to article 15 of the Regulation, requested to obtain a "copy of the response received from the SICs (..) questioned by the data controller regarding [his] person"; see acknowledgment note of 8 April 2022, Annex 6).

It should also be noted that the processing of personal data contained in the aforementioned Report was the basis of the assessment of unreliability of the complainant on which the non-acceptance of the loan request for a long-term rental depended (see acknowledgment note of 8 April 2022, page 4).

On this point, it emerged in particular that Volkswagen Leasing GmbH provided Mr. XX with the personal information contained in the Crif S.p.A. Report, as requested in the access request presented by the latter pursuant to art. 15 of the Regulation, only on 19 December 2022, thus preventing the latter, until that date, from verifying the accuracy of such data and the possible lawfulness of the related processing (Article 12, paragraph 3 and Article 15 of the Regulation).

For all the reasons highlighted above, the conduct of Volkswagen Leasing GmbH is in conflict with articles 12 and 15 of the Regulation.

Without prejudice to what emerged in relation to the violations committed by the controller, as regards the adoption of corrective powers by this Authority, the conditions for adopting a measure with respect to the request to "enjoin the data controller to satisfy requests to exercise the rights pursuant to articles from 15 to 22 of the Regulation" (see complaint of 18 August 2021, page 3) are not met, in consideration of the spontaneous fulfillment by the controller, during the procedure, as highlighted above (see par. 1).

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of the aforementioned provisions entails the application of the administrative sanction provided for by art. 83, par. 5, letter b), of the Regulation.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and determining its amount, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is noted that, in the present case, the following circumstances were taken into consideration:

- with regard to the seriousness of the violation (article 83, paragraph 2, letter a) of the Regulation), the nature (concerning the non-compliance with the principles of treatment) and the duration of the same (which lasted for about 16 months), as well as the level of damage suffered by the interested party (impossibility to verify the accuracy of the information processed by the Company in order to refuse the loan requested and possibly request the relative rectification/cancellation); account was also taken in favor of the offender of the circumstance that the conduct was limited to a single event and concerned only one interested party;

- with regard to the type of information subject to infringement (article 83, paragraph 2, letter g) of the Regulation), the peculiar nature of the information processed by the Company for the aforesaid purposes was considered; information which, although not included in the context of special data, is nonetheless characterized by a high level of sensitivity as it is intended to highlight the 'reliability' in terms of punctuality of customer payments. All this also taking into account the possible economic and social consequences that may derive, for the interested parties, from their illicit treatment;

- with reference to the subjective element (Article 83, paragraph 2, letter b) of the Regulation), the culpable nature of the violation was found due to the controller's erroneous belief that directing the complainant to the manager of the SIC subject to consultation could allow the same to have exact and updated information regarding their credit situation;

- with regard to the adoption, by the controller, of measures aimed at mitigating or eliminating the consequences of the violation (Article 83, paragraph 2, letter c) of the Regulation), the fact that Volkswagen Leasing GmbH spontaneously provided the complainant, during the procedure, with the personal information requested by him in the access request was positively considered.

The circumstance that the Company actively cooperated with the Authority during the proceedings (Article 83, paragraph 2, letter f) of the Regulation) was also assessed in favor of the offender, as well as the fact that there are no previous violations committed by Volkswagen Leasing GmbH or previous provisions pursuant to art. 58 of the Regulation (art. 83, paragraph 2, letter e) of the Regulation).

Furthermore, in consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), the economic conditions of the infringer are considered relevant in the present case.

Lastly, the amount of the sanctions imposed by the Guarantor in similar cases was also considered.

Based on all the elements set out above, evaluated as a whole, it is deemed appropriate to set the pecuniary sanction at 40,000 (forty thousand) euros for the violation of articles 12 and 15 of the Regulation.

In this framework, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, as well as the peculiar nature of the information being processed (data relating to the creditworthiness of the interested party) and the consequences deriving from the incomplete response of the controller (first of all, the impossibility of verifying the accuracy of the information processed to decree the refusal of the requested loan), it is considered necessary, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, to proceed with the publication of the injunction order on the website of the Guarantor.

Finally, it is believed that the conditions set forth in art. 17 of regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THAT BEING CONSIDERED, THE GUARANTOR

pursuant to articles 57, par. 1, lit. a) and 83 of the Regulation, notes the unlawfulness of the processing carried out by Volkswagen Leasing GmbH, based in Germany, VAT no. 12549080153, in the terms set out in the reasoning, for the violation of articles 12 and 15 of the Regulation;

believes that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation, Volkswagen Leasing GmbH to pay the sum of 40,000 (forty thousand) euros as an administrative fine for the violations indicated in this provision.

ENJOINS

therefore Volkswagen Leasing GmbH to pay the aforementioned sum of 40,000 (forty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.

ORDERS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 17 May 2023

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi