GTL s.r.l. – €3,000 Fine (Italy, 2020)

On 26 November 2018, a former employee of GTL sent a request to have access to its personal data related to some 'registration sheets and printouts' extracted from the tachograph and those 'downloaded from the driver card relating to the journeys made' by the complainant himself during his previous work activities. The company did not respond to this specific access request, so the employee made a complaint to the Garante in order to have access to the mentioned information. Thus the Italian DPA sent a letter with some queries in order to investigate its compliance with the GDPR. Since the company did not respond to the DPA, the DPA sent another letter to demand more information on the data subject request. However, neither this time GTL provided any response. On that basis, the DPA put in place a proper on-site investigation and found out that GTL did not provide the information requested by the complainant because they did not have the mentioned information available either in their paper or digital database. The company affirmed that it replied to the complainant 'orally', without any proof or recording of it. The Italian DPA had to understand whether there was a breach of art. 12 and 15 of the GDPR in relation to an access request of the complainant. The Garante confirmed that, even if there was no information to provide, the company should have responded to the data subject in writing and, if appropriate, with electronic means.