Categories: Insights, Legislation · News, Press review

Tag: GDPR


26 Sep 2023

Italian Data Protection Authority: employee has right to access report of investigative agency appointed by employer

With Ruling dated 6 July 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA) found that data processing carried out by a public utility service company (the “Company”) was unlawful. The DPA ruled that an employer has an obligation to allow a worker to access all his or her personal data, including data contained in a report produced by an investigative agency appointed by the employer to collect information about the worker and used by the Company for disciplinary purposes.

The facts

The matter originates from a complaint submitted to the DPA by an employee who did not receive a full response to multiple requests for access to his personal data submitted to the employer Company after receiving a disciplinary complaint. The disciplinary complaint was followed by the dismissal of the worker, and contained “specific references” to conduct unrelated to the actual work activity and which therefore suggested potential monitoring “contrary to the regulations in force (condotta non iure) and detrimental to the personal legal status of others protected by law (condotta contra ius) and, consequently leading to data collected being unusable”.

The Company justified the denial of access to the personal data processed by arguing that the requests presented by the worker were too general and that he should have indicated in detail the information he wanted to access.

Furthermore, it emerged that the employee only learned of the existence and content of the investigative report when the Company entered an appearance in the proceedings appealing the dismissal before the competent judicial authorities.

The outcome of the preliminary investigation

At the time of the investigation, the DPA found that the Company, in its capacity as data Controller, carried out processing in breach of:

  • Article 15 of Regulation (EU) 2016/679 (the “GDPR”), as it made the response to the access request presented by the worker conditional on the detailed indication of the documents and information he wanted to access. The request to exercise the right of access, a right recognised to all data subjects in relation to the processing of personal data by the article in question, must be understood in general terms, including all personal data concerning the data subject, as also specified in the “Guidelines 01/2022” on Data Subject Rights (EDPB, 28 March 2023). Furthermore, the DPA reiterates that, if the data are not collected directly from the data subject, the data Controller must indicate their origin.

In this case, the Company should have provided all the data collected with the investigative report, considering that it also contained information relating to the worker but which had not been mentioned in the disciplinary complaint;

  • Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;
  • Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The Company, in the response provided to the worker, had not in fact specified the origin of the personal data used for the disciplinary complaint.

The DPA’s decision

For all the reasons set out above, the DPA found the processing carried out by the Company in relation to Articles 5, paragraph 1, letter (a), 12 and 15 of the GDPR to be unlawful. It reiterated that “unless otherwise explicitly requested by the data subject, the request to exercise the right of access is understood in general terms, including all personal data concerning them”. The DPA therefore, ordered the employer Company to pay an administrative fine of EUR 10,000 and also ordered the publication of the Ruling on its website.

Other related insights:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…