Garante per la protezione dei dati personali (Italy) - 9445710

From GDPRhub
Garante per la protezione dei dati personali - 9445710
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(1) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.07.2020
Published: 02.08.2020
Fine: 3.000 EUR
Parties: GTL s.r.l.
National Case Number/Name: 9445710
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Ordinanza ingiunzione nei confronti di GTL s.r.l. - 2 luglio 2020 [9445710 (in IT)]
Initial Contributor: Andrea S.

The Italian DPA imposed a fine of €3000 on GTL for a breach of art. 12 and 15 of the GDPR in relation to an access request from a former employer. In particular, the Garante specified that a 'verbal' response, without any record of it, could not be considered adequate and therefore in line with the Regulation, even if the company has no information to communicate.

English Summary

Facts

On 26 November 2018, a former employee of GTL sent a request to have access to its personal data related to some 'registration sheets and printouts' extracted from the tachograph and those 'downloaded from the driver card relating to the journeys made' by the complainant himself during his previous work activities.

The company did not respond to this specific access request, so the employee made a complaint to the Garante in order to have access to the mentioned information.

Thus the Italian DPA sent a letter with some queries in order to investigate its compliance with the GDPR. Since the company did not respond to the DPA, the DPA sent another letter to demand more information on the data subject request. However, neither this time GTL provided any response.

On that basis, the DPA put in place a proper on-site investigation and found out that GTL did not provide the information requested by the complainant because they did not have the mentioned information available either in their paper or digital database. The company affirmed that it replied to the complainant 'orally', without any proof or recording of it.

Dispute

The Italian DPA had to understand whether there was a breach of art. 12 and 15 of the GDPR in relation to an access request of the complainant.

Holding

The Garante confirmed that, even if there was no information to provide, the company should have responded to the data subject in writing and, if appropriate, with electronic means.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.