Security Service s.r.l. – Complaint Upheld (Italy, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Italian data protection authority upheld a complaint against Security Service s.r.l. for not responding to a former employee's request for access to their employment documents. This is important because it reinforces that companies must respond to data access requests even after employment ends.
What happened
Security Service s.r.l. failed to respond to a former employee's request for access to employment contracts and pay slips.
Who was affected
The former employee of Security Service s.r.l. was affected by the company's failure to provide requested documents.
What the authority found
The authority ruled that the company is still responsible for handling access requests from former employees under GDPR.
Why this matters
This case highlights the ongoing obligations of companies regarding employee data, even after employment has ended. Businesses should be aware of their responsibilities to former employees.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2024 an individual (the data subject) filed an access request with his former employer Security Service s.r.l. (the controller). The data subject requested access to two of his employment contracts, as well as two pay slips for each year of employment. The controller failed to reply despite the data subject's reminder two months later. The controller eventually filed a complaint with the DPA. After the complaint was filed, the controller honored the data subject's request. During the procedure, the controller claimed that it was no longer the controller of the data subject's data because he was not longer its employee. For this reason, the controller argued that it was no longer required to respond to the data subject's request. The controller also claimed that the documents, requested by the data subject, had already been provided to him during the employment relationship. On this basis, the controller argued that the data subject's request was unfounded and could be refused under Article 12(5) GDPR. The DPA held that an employer is a controller of employee data for as long as it controls the personal data of employees. So, the end of the employment relationship does not automatically release the employer from its obligations under the GDPR: this is only the case when the employer has erased or anonymized the data. In this regard, the DPA referenced the EDPB Guidelines on the right of accessEDPB, 'Guidelines 01/2022 on data subject rights - Right of access', 28 March 2023 (version 2.1), margin 37 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]). The DPA also held that the data subject's access request was not unfounded. In this regard, the DPA reference the case law of Corte di CassazioneCass.Civ. - 32533/2018. (Italy's last instance court). According to Cassazione, the right of access is not merely the right to learn new information; instead, it covers all personal data
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Security Service s.r.l. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
27 February 2025
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-9149About this data
Cite as: Cookie Fines. Security Service s.r.l. - Italy (2025). Retrieved from cookiefines.eu
Last updated: