FCA Italia s.p.a. – €40,000 Fine (Italy, 2022)
FCA Italia s.p.a. failed to respond to a former employee's request for access to their personal data. This matters because it shows that companies must take access requests seriously and respond promptly to avoid penalties.
What happened
FCA Italia s.p.a. did not respond to a former employee's request for access to their personal data.
Who was affected
The former employee whose personal data was requested.
What the authority found
The Italian DPA found that FCA Italia did not comply with the requirement to respond to access requests in a timely manner under GDPR.
Why this matters
This case highlights the importance of timely responses to data access requests. Companies should ensure they have processes in place to handle such requests to avoid fines.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
A former employee (the complainant) asked his former company, FCA Italy s.p.a. (the data controller), for access to his personal data processed in the context of their employment relationship and held in his personal file. Since the company did not reply, on 22 March 2021, the complainant filed a complaint with the Italian DPA, which then asked the company to provide feedback in this regard. The company provided a first defense note stating that the complainant used to have conversations with the H.R. department and that, after receiving the access request, the data controller had considered it possible to resolve the issue in a meeting which, however, due to the COVID-19 emergency, had been postponed several times. Furthermore, according to the company, the data that the complainant requested was already in his possession. On 05 August 2021, the complainant stated in a note that the feedback provided by the data controller was unsuitable and reiterated his request. The company responded that it had carried out the complainant's demands and that the requested documents were already available to the complainant. As the data controller declared itself to have been collaborative by sending what was requested with transparency, it requested the DPA to express a preliminary opinion on the admissibility of the appeal presented by the complainant, considering itself not responsible and therefore not punishable. On 08 April 2022, the Italian DPA notified the data controller of the alleged violations of the GDPR that had been found, specifically of Article 12 GDPR and Article 15 GDPR, and stated that the complaint by the complainant was admissible. Following a request from the data controller, a hearing took place on 24 May 2022 during which the data controller declared that since November 2020, the data controller had a portal dedicated to the exercise of the rights of interested parties, both employees and customers, which could be accessed also from the company's website. Further
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for FCA Italia s.p.a. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
15 September 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€40,000
GDPRhub ID
gdprhub-6322
About this data
Cite as: Cookie Fines. FCA Italia s.p.a. - Italy (2022). Retrieved from cookiefines.eu