With Ruling dated 6 July 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA’) found that data processing carried out by a public utility service company (the “Company”) was unlawful. The DPA ruled that an employer has an obligation to allow a worker to access all his or her personal data, including data contained in a report produced by an investigative agency appointed by the employer to collect information about the worker and used by the Company for disciplinary purposes.
The facts
The matter originates from a complaint submitted to the DPA by an employee who did not receive a full response to multiple requests for access to his personal data submitted to the employer Company after receiving a disciplinary complaint. The disciplinary complaint was followed by the dismissal of the worker, and contained “specific references” to conduct unrelated to the actual work activity and which therefore suggested potential monitoring “contrary to the regulations in force (condotta non iure) and detrimental to the personal legal status of others protected by law (condotta contra ius) and, consequently leading to data collected being unusable”.
The Company justified the denial of access to the personal data processed by arguing that the requests presented by the worker were too general and that he should have indicated in detail the information he wanted to access.
Furthermore, it emerged that the employee only learned of the existence and content of the investigative report when the Company entered an appearance in the proceedings appealing the dismissal before the competent judicial authorities.
The outcome of the preliminary investigation
At the time of the investigation, the DPA found that the Company, in its capacity as data Controller, carried out processing in breach of:
- Article 15 of Regulation (EU) 2016/679 (the “GDPR”), as it made the response to the access request presented by the worker conditional on the detailed indication of the documents and information he wanted to access. The request to exercise the right of access, a right recognised to all data subjects in relation to the processing of personal data by the article in question, must be understood in general terms, including all personal data concerning the data subject, as also specified in the “Guidelines 01/2022” on Data Subject Rights (EDPB, 28 March 2023). Furthermore, the DPA reiterates that, if the data are not collected directly from the data subject, the data Controller must indicate their origin.
In this case, the Company should have provided all the data collected with the investigative report, considering that it also contained information relating to the worker but which had not been mentioned in the disciplinary complaint;
- Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;
- Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The Company, in the response provided to the worker, had not in fact specified the origin of the personal data used for the disciplinary complaint.
The DPA’s decision
For all the reasons set out above, the DPA found the processing carried out by the Company in relation to Articles 5, paragraph 1, letter (a), 12 and 15 of the GDPR to be unlawful. It reiterated that “unless otherwise explicitly requested by the data subject, the request to exercise the right of access is understood in general terms, including all personal data concerning them”. The DPA therefore, ordered the employer Company to pay an administrative fine of EUR 10,000 and also ordered the publication of the Ruling on its website.
Other related insights:
