Italy: Garante fines FCA Italy €40,000 for violating right of access
The Italian data protection authority ('Garante') announced, on 28 November 2022, the publication of its Decision No. 303, as issued on 15 September 2022, in which it imposed a fine of €40,000 on FCA Italy S.p.A., for violations of Articles 12(1), 12(2), 12(3), 12(4), and 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint lodged by an individual.
Background to the decision
In particular, the Garante reported that an employee of FCA Italy had submitted a complaint about the failure to respond to the personal data access request for data processed in the context of the employment relationship pursuant to Article 15 of the GDPR. In this regard, the Garante detailed that FCA Italy stated that it considered that it was able to respond to the request of the person concerned during an in-person meeting with representatives of the Human Resources Department, in accordance with a 'practice' that had been established with the complainant. However, the Garante noted that the meeting had not taken place because of the 'suspension of the plant's activities due to recourse to the redundancy fund also linked to the COVID-19 emergency'.
Findings of the Garante
Further to the above, the Garante noted that FCA Italy was faced with a request, sent on 5 January 2021, that indicated specific information collected and held in the context of the employment relationship, and did not provide feedback to the complainant. Moreover, the Garante stated that the exercise of the right of access to one's personal data is strictly related to the identification of the specific modalities and time limits by which the data controller is required to meet the data subject's requests, as identified in Article 12 of the GDPR. Therefore, the Garante explained that the company should have responded to the complainant's request in writing and within the time limits prescribed by the GDPR.
In light of the above, the Garante held that FCA Italy had violated Articles 12(1), 12(2), 12(3), 12(4), and 15 of the GDPR.
In conclusion, the Garante issued the aforementioned fine and outlined that FCA Italy may appeal the decision before the judicial authority within 30 days.
You can read the decision, only available in Italian, here.