The Italian data protection authority ('Garante') issued, on 6 October 2022, its Decision No. 322, in which it imposed a fine of €10,000 on Codess Sociale Società Cooperativa Sociale, for violations of Articles 12(3), 12(4), and 17 of the General Data Protection Regulation (Regulation (EU) 679/2016) ('GDPR'), following a complaint submitted by an individual.

Background to the decision

In particular, the Garante reported that, according to the complaint, the complainant had resigned from their role as volunteer at Codess Sociale by means of a letter, in which the complainant had also requested Codess Sociale to delete their personal data from its physical and computer archives, without receiving a response.

Findings of the Garante

Further to the above, at the end of the investigation carried out, the Garante ascertained that Codess Sociale had received the letter in question, rejecting Codess Sociale's argument that the request had not been fulfilled because the communication had not been sent to the competent institutional bodies.

As such, the Garante held that Codess Sociale had failed to respond to the request for deletion of personal data formulated by the complainant, within the term provided for by Article 12(3) of the GDPR, and to inform the complainant, within the same term, of the reasons for non-compliance and of the possibility of lodging a complaint with the Garante, as established by Article 12(4) of the GDPR, thus also leading to a violation of Article 17 of the GDPR.

Outcomes

In conclusion, the Garante issued the aforementioned fine and highlighted that Codess Sociale has 30 days to lodge an appeal before the judicial authority.

You can read the decision, only available in Italian, here.