Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines FCA Italy €40,000 for violating right of access

The Italian data protection authority ('Garante') announced, on 28 November 2022, the publication of its Decision No. 303, as issued on 15 September 2022, in which it imposed a fine of €40,000 on FCA Italy S.p.A., for violations of Articles 12(1), 12(2), 12(3), 12(4), and 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint lodged by an individual.

Background to the decision

In particular, the Garante reported that an employee of FCA Italy had submitted a complaint about the failure to respond to the personal data access request for data processed in the context of the employment relationship pursuant to Article 15 of the GDPR. In this regard, the Garante detailed that FCA Italy stated that it considered that it was able to respond to the request of the person concerned during an in-person meeting with representatives of the Human Resources Department, in accordance with a 'practice' that had been established with the complainant. However, the Garante noted that the meeting had not taken place because of the 'suspension of the plant's activities due to recourse to the redundancy fund also linked to the COVID-19 emergency'.

Findings of the Garante

Further to the above, the Garante noted that FCA Italy faced with a request, sent on 5 January 2021, containing the indication of specific information collected and held in the context of the employment relationship, and did not provide feedback to the complainant. Moreover, the Garante stated that the exercise of the right of access to one's personal data is strictly related to the identification of the specific modalities and time limits by which the data controller is required to meet the data subject's requests, as identified in Article 12 of the GDPR. Therefore, the Garente explained that the company should have responded to the complainant's request in writing and within the time limits prescribed by the GDPR.

In light of the above, the Garante provided that FCA Italy, for the reasons set out above, has therefore violated Articles 12(1), 12(2), 12(3), 12(4), and 15 of the GDPR. 

Outcomes

In conclusion, the Garante issued the aforementioned fine and outlined that FCA Italy may appeal the decision before the judicial authority within 30 days.

You can read the decision, only available in Italian, here.