Amazon Italia Logistica – €20,000 Fine (Italy, 2022)

This case concerns access requests made by an employee, the data subject, to their employer Amazon Italia Logistica (Amazon), the controller. The data subject submitted the access request on 23 August 2020 pursuant to Article 15 GDPR, in order to receive copies of their professional certificates obtained during the employment relationship. These certifications included, for example, their: “PLE pallet elevator certificate”; “certificate for the management and programming of the palletiser robot”; and “PES and PAV” certificates. The data subject was not afforded access to these certificates and subsequently, on 21 September 2020, filed a complaint with the Italian DPA. The data subject argued that they have the right to access their personal data contained in the company’s records. The controller’s refusal to provide the data would constitute a violation of the GDPR. Responding to the complaint, made the following points. Firstly, the company confirmed that the data subject had, on 23 August 2020, contacted the HR department, requesting a copy of the certificates, and had sent a follow up request on 1 September 2020. Dealing with the issues raised by the complaint the controller argued, firstly, that the professional certificates requested – with the exemption of the PES and PAV certificates – were from internal Amazon courses for which there is no physical certificate, and they have no value beyond internal authorization to carry out assigned tasks. Secondly, they asserted that the data subject did not send their requests to the correct email address. The first request was sent to the HR department, the second request to an employee without any management powers, who was not competent to follow up on the request. The complainant did not send the requests to Amazon’s dedicated email address for Article 15 GDPR access requests (EU-staff-privacy@amazon.com) which was provided to all employees through the issuance of a privacy policy. Thirdly, Amazon argued that t