Employees’ right of access: Italian SA fines Unicredit S.p.A. and orders corrective measures
29 september 2022
The Italian SA imposed an EUR 70,000 administrative fine and ordered the controller to grant the access request by the data subject.
The case followed a complaint against the failure by the controller (the complainant’s employer) to reply to an access request.
The Italian SA found that the reply provided by Unicredit S.p.A. to the access request prior to the complaint was devoid of any substance as the company made any reply conditional upon the filling out of a pre-set form. The form itself was found to be incomplete and misleading as to the actual scope of the right at issue. The company considered it was free to discard access requests that were submitted without using the given form and replied to the data subject only after the latter lodged his complaint. In that respect, the Italian SA clarified that an access request could not be dealt with by delivering the information notice as per Articles 13 and 14 GDPR; the right of access to one’s personal data and the right to be informed, though mutually related, are different rights which are set forth in separate provisions of the GDPR and are intended to afford safeguards and protection in ways that are not fully superimposable. The Italian SA recalled the EDPB Guidelines 1/2022 on data subject rights (right of access) in this connection.
News archive