XXX – €70,000 Fine (Italy, 2022)
Unicredit was fined EUR 70,000 for not properly handling an employee's request to access their personal data. The Italian authority found that the company required the employee to fill out a form, which was not necessary for accessing the data. This case highlights the importance of responding to data access requests without unnecessary hurdles.
What happened
Unicredit required an employee to fill out a form to access their personal data, which was not necessary.
Who was affected
An employee of Unicredit who wanted to access their personal data.
What the authority found
The Italian authority ruled that Unicredit violated GDPR by making it unnecessarily difficult for the employee to access their data.
Why this matters
This decision emphasizes that companies must make it easy for individuals to access their personal data and cannot impose unnecessary conditions. Businesses should ensure their data access procedures are straightforward and comply with GDPR requirements.
Entities Involved
An employee (the data subject) sent a letter to his employer, Unicredit s.p.a (the controller), exercising his right of access. The controller replied and asked the data subject to send the access request by filling out a form available on the controller's website. The data subject did not reply or fill out the form on the portal, but filed a complaint with the Italian DPA. He claimed that his right to access was not granted by the controller.
After the controller was notified of the complaint by the DPA, it granted the access request. The controller told the DPA that because the data subject did not contest the controller's request to fill out the form, it believed that the data subject was no longer interested in exercising the right of access.
However, the data subject claimed that the controller did not provide all information required under Article 15 GDPR. The controller argued that the information provided was sufficient. It stated that (1) the data subject's request for "any information on the processing of personal data" was manifestly unfounded and excessive. The controller further claimed that (2) it did not include the information that the data subject could download directly from the controller's system and (3) the information requested by the data subject was already provided in the privacy statement available on the company website.
The DPA held that the controller may use forms as a part of the procedure to respond to a data subject's request. However, the submission of a form could not be a necessary condition for the data subject to exercise his rights. The controller still had a duty to respond to requests communicated by the data subject through different means. In addition, the DPA noted that the form in question did not cover the full content of the data subject's right of access under Article 15 GDPR. The DPA rejected the controller’s argument that the data subject’s request was manifestly unfounded and excessive. It held that Arti
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for XXX in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 June 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€70,000
GDPRhub ID
gdprhub-5213
About this data
Cite as: Cookie Fines. XXX - Italy (2022). Retrieved from cookiefines.eu