ING Bank – Court Ruling (Italy, 2023)

The Court of Milan rejected a claim brought by the data subject against the controller, ING Bank, relating to the non-compliance with an access request made on the basis of Article 15 GDPR. The Court accepted the arguments of the controller, who denied having processed the data subject's data, and stated that they failed to prove that the bank was the controller in relation to the processing of their data. On this basis, it rejected the claim. The data subject challenged the decision with appeal to cassation, arguing that there was a wrong application of Articles 12 and 15 GDPR. The DPA highlighted that Article 12 GDPR burdens the controller with the obligation to provide data subjects with information regarding the existence of personal data as a result of the access request presented by them. Therefore, contrary to what was decided by the first instance, Ing Bank should have provided a complete reply to the access request within one month or at least should have asked for a deadline extension. The DPA stressed the incontrovertible fact that Ing Bank had not met the request for access to the documents, making it impossible for the data subject to know whether it possessed their personal data and to verify the legitimacy of the data collection. According to the Court of Cassation, the controller should have responded to the request, even if the response was a negative one. Contrary to what was held by the first instance Court, it held that the burden of showing whether or not it is processing personal data is on the controller and not on the data subject making the request. Similarly, it emphasized that, pursuant to Article 12(5) GDPR, the controller has the burden of demonstrating the manifestly unfounded or excessive nature of the request. In any case, the Court of Cassation stated, from the literal wording of the last-mentioned provision it clearly emerges that the controller must always acknowledge the request, even in negative terms, as it cannot hide beh