Security Service s.r.l. – Complaint Upheld (Italy, 2025)
An Italian data protection authority upheld a complaint against a former employer for not providing requested employment documents. This ruling is significant because it reinforces that companies must respond to access requests even after employment ends.
What happened
The authority found that the former employer failed to respond to a request for access to employment contracts and pay slips.
Who was affected
The former employee who requested access to their employment documents.
What the authority found
The authority ruled that the employer still had obligations to respond to data access requests even after the employee had left.
Why this matters
This decision stresses that companies must maintain data access rights for former employees, encouraging better compliance with privacy regulations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2024 an individual (the data subject) filed an access request with his former employer Security Service s.r.l. (the controller). The data subject requested access to two of his employment contracts, as well as two pay slips for each year of employment. The controller failed to reply despite the data subject's reminder two months later. The controller eventually filed a complaint with the DPA. After the complaint was filed, the controller honored the data subject's request. During the procedure, the controller claimed that it was no longer the controller of the data subject's data because he was not longer its employee. For this reason, the controller argued that it was no longer required to respond to the data subject's request. The controller also claimed that the documents, requested by the data subject, had already been provided to him during the employment relationship. On this basis, the controller argued that the data subject's request was unfounded and could be refused under Article 12(5) GDPR. The DPA held that an employer is a controller of employee data for as long as it controls the personal data of employees. So, the end of the employment relationship does not automatically release the employer from its obligations under the GDPR: this is only the case when the employer has erased or anonymized the data. In this regard, the DPA referenced the EDPB Guidelines on the right of accessEDPB, 'Guidelines 01/2022 on data subject rights - Right of access', 28 March 2023 (version 2.1), margin 37 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]). The DPA also held that the data subject's access request was not unfounded. In this regard, the DPA reference the case law of Corte di CassazioneCass.Civ. - 32533/2018. (Italy's last instance court). According to Cassazione, the right of access is not merely the right to learn new information; instead, it covers all personal data
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Security Service s.r.l. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
27 February 2025
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-9149About this data
Cite as: Cookie Fines. Security Service s.r.l. - Italy (2025). Retrieved from cookiefines.eu
Last updated: