Ministero dell'Interno – Complaint Upheld (Italy, 2024)

In 2009, the data subject was stopped by the Police and his driving licence was revoked given that he was driving under the influence. In 2023, the data subject noticed that in the national database of driving licences, his name was still associated with this offence. Therefore, he filed an erasure request with the Interior Ministry (Ministero dell'Interno). Since the Interior Ministry never replied, the data subject filed a complaint with the DPA. The controller pointed out that it cannot delete the data since Article 17(3)(b) GDPR applies, i.e. the controller has a legal obligation to continue processing this data in accordance with [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:1992-04-30;285~art223 Articles 223(1)] and [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:1992-04-30;285~art226 226(11) of the Italian Traffic Regulation] (Codice della strada - D. Lgs. 285/1992), obliging the controller to register the issuing and revoking of driving licenses in a database. Regarding the failure to reply to the data subject's request, the controller argued that the data subject, when filing the erasure request, did not tick the box of the form saying that he did not want to be informed according to Article 12(4) GDPR. According to the controller, this it to think that the 30-day deadline was not legally binding. Finally, the controller noted that it had deemed not necessary to reply to the data subject since the latter was, however, not entitled to the erasure at hand. First, the DPA pointed out that, according to Article 12(3) and 12(4) GDPR, a controller should reply to an erasure request in every case, including when it believes that the request should be rejected. Since in the case at hand the controller did not reply, the DPA found a violation of Article 12(1), 12(3) and 12(4) GDPR. On these grounds, the DPA issued a reprimand to the controller.