Gestore Dei Servizi Energeticic – Gse S.p.A. – €30,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A data subject lodged a complaint with the DPA against Gestore Dei Servizi Energetici – Gse S.p.A. (‘controller’), his former employer. The data subject made an access request to his personal performance evaluation from 2019 and 2020. On 27 October 2021, the data subject sent an e-mail to the company’s general e-mail address and also CCd a director of the human resources. As the controller did not respond, on 6 December 2021, the data subject sent a reminder. On 28 March 2022, the data subject sent the same request to the DPO designated by the controller. In its response on 21 April 2022, the DPO stated that the competent Human Resources (‘HR’) functions of the controller took charge of his request for access and will provide the data subject with the information requested. After a further period of time had elapsed without a response to the request, on 12 May 2022, the data subject asked the DPA to order the controller to comply with the request. The controller argued that the first two e-mails sent by the data subject did not go through their officially certified mailbox of the DPO which is set up for this purpose. Additionally they noted that the data requested was already known to the data subject, given that he became aware of it during his feedback interview. On 19 September 2022, the HR department provided the data subject with the requested information. The DPA established that the controller failed to timely provide the data subject with a copy of his personal performance evaluation file despite his several attempts to access the information. In fact, the controller forwarded the documents to the data subject only after learning that the data subject lodged a formal complaint and with a considerable delay in breach of obligations prescribed in Article 12 and 15 GDPR. The DPA rejected the controller’s defence statement that the initial access requests were not sent to the DPO's official mailbox set up for this purpose. The controller cannot be absolve
GDPR Articles Cited
A data subject lodged a complaint with the DPA against Gestore Dei Servizi Energetici – Gse S.p.A. (‘controller’), his former employer. The data subject made an access request to his personal performance evaluation from 2019 and 2020. On 27 October 2021, the data subject sent an e-mail to the company’s general e-mail address and also CCd a director of the human resources. As the controller did not respond, on 6 December 2021, the data subject sent a reminder. On 28 March 2022, the data subject sent the same request to the DPO designated by the controller. In its response on 21 April 2022, the DPO stated that the competent Human Resources (‘HR’) functions of the controller took charge of his request for access and will provide the data subject with the information requested. After a further period of time had elapsed without a response to the request, on 12 May 2022, the data subject asked the DPA to order the controller to comply with the request. The controller argued that the first two e-mails sent by the data subject did not go through their officially certified mailbox of the DPO which is set up for this purpose. Additionally they noted that the data requested was already known to the data subject, given that he became aware of it during his feedback interview. On 19 September 2022, the HR department provided the data subject with the requested information. The DPA established that the controller failed to timely provide the data subject with a copy of his personal performance evaluation file despite his several attempts to access the information. In fact, the controller forwarded the documents to the data subject only after learning that the data subject lodged a formal complaint and with a considerable delay in breach of obligations prescribed in Article 12 and 15 GDPR. The DPA rejected the controller’s defence statement that the initial access requests were not sent to the DPO's official mailbox set up for this purpose. The controller cannot be absolve
Related Enforcement Actions (0)
No other enforcement actions found for Gestore Dei Servizi Energeticic – Gse S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
24 April 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€30,000
GDPRhub ID
gdprhub-7936About this data
Cite as: Cookie Fines. Gestore Dei Servizi Energeticic – Gse S.p.A. - Italy (2024). Retrieved from cookiefines.eu
Last updated: