The Italian Data Protection Authority (‘IDPA’), with a Ruling of 7 March 2024 [announced in the Newsletter of 3 May 2024] upheld a complaint filed by a worker who had asked her former employer company for access to her personal file to find out what information could have given rise to a disciplinary sanction against her.
The company had not given an adequate response to the request and had only provided an incomplete list of the documentation collected, omitting information which formed the basis of the disciplinary sanction which was then imposed. The omitted information was only provided to the worker after the start of the IDPA’s investigation.
In its note of reply, the company claimed that it had not provided the worker with the above-mentioned documentation in order to protect its right of defence in court as well as the confidentiality of the third parties involved. The company also alleged that the complainant lacked standing to access the information, since it had been requested at a time when the disciplinary proceedings could no longer be challenged.
The IDPA reiterated that the right of access recognised by Regulation (EU) 2016/679 (‘GDPR’) is intended to allow the data subject to exercise control over his or her personal data and to verify its accuracy. Consequently, this right cannot be denied or limited depending on the purpose of the request. In fact, according to the provisions of the GDPR, data subjects are not asked to indicate a reason or a particular need to justify their requests to exercise their rights, nor can the data controller verify the reasons for the request.
Therefore, access to personal data cannot be denied because the data requested could be used by the data subject to defend himself or herself in court in the event of dismissal.
“The jurisprudence has on several occasions reiterated that the right of access derives, in addition to the legislation on personal protection data, from the ‘respect for the principles of good faith and fairness incumbent on the parties to the employment relationship under Articles 1175 and 1375 of the Italian Civil Code. This is confirmed by the fact that, for some time, the relevant sector’s collective bargaining agreement has provided that the employer must keep, in a special personal file, all the deeds and documents produced by the entity or by the employee himself or herself, which relate to his or her professional development, the activity performed and the most significant facts concerning him or and that the employee has the right to freely view the deeds and documents included in his or her personal file’ (Italian Court of Cassation, 7 April 2016, no. 6775)”.
Based on the points set out above, the IDPA imposed a fine of EUR 20,000.00 on the company.
◊◊◊◊
Summary of the right of access:
- The right of access may be exercised by the data subject (i.e. the natural person to whom the data refer) or by his/her delegate.
- The request can be submitted directly to the Data Controller (aka, for example, the employer) or, if appointed, to the DPO.
- Through an access request, the data subject may request access to his or her personal data and obtain the following information: the purposes of the processing, the categories of data, the recipients or categories of recipients to whom the data are or will be disclosed, the period for which the data will be stored or the criteria used to determine it, the origin of the data, and whether there is an automated decision-making process, including profiling or transfers of his or her data outside the European Union.
- The request for access does not have to be justified by the applicant.
- The right to access personal data must not adversely affect the rights and freedoms of others.
- A response must be provided within 30 days (extendable by a further 30 days if the request is particularly complex which, in any case, must be justified).
Other related insights:
