Deutsche Bank – €20,000 Fine (Italy, 2022)

The data subject is a customer of Deutsche Bank. Deutsche Bank is the data controller. In 2017 the data subject entered into a loan agreement with the data controller. The data controller disclosed the data subject’s name to CRIF Italy, an Italian database for credit scoring. The data subject later learned about the disclosure. In July 2020 he submitted an access request with the controller, asking to provide him with the information as laid down under Article 13 GDPR (the data subject invoked Article 13 GDPR but apparently meant Article 15 GDPR, see comment below). The controller failed to reply. In October 2020 the data subject filed a complaint with the Italian DPA. He claimed that the controller failed to respond to his request within the time limits laid out by Article 12(3) GDPR. In June 2021, after the complaint was notified, the controller admitted that they failed to respond to the request in time and provided the data subject with the information under Article 15 GDPR (see comments for clarification). The controller claimed that the data subject’s request was only a small part of a longer communication, in which he complained that the disclosure of his personal data to CRIF Italy was unlawful. The controller claimed that they needed more time in order to properly address the data subject’s complaints in their entirety. The controller also claimed that they already provided the data subject with the information he requested when he agreed to the loan contract, in compliance with Article 13 GDPR. The DPA reject the controller’s arguments entirely. The DPA held that the controller violated Article 12 and Article 15 GDPR. The controller was under an obligation to respond to the data subject’s acccess request, even though the information he requested had already been provided at the time his personal data were collected, pursuant to Article 13 GDPR. Compliance with Article 13 GDPR at the moment of data collection does not exempt the controller from his