C.I.EL. S.p.A. – €10,000 Fine (Italy, 2024)

On 7 July 2022, the data subject filed a complaint with the Italian DPA against his former employer. During his job, the data subject took part to some safety courses. At the end of them, a certificate was issued. After terminating his job, the data subject filed an access request with the controller. He intended to have a copy of his personal data, included those certificates. The controller only partially replied to his request. It sent to the data subject a copy of the medical certificate issued by the occupational physician, but not the other certificates he had been awarded. On 7 June 2022, the controller argued that, after the termination of the employment contract, it had deleted them, as it was no more obliged to keep them and as they contained sensitive data. However, on 28 June 2022, the controller differently told the data subject that it actually still had the certificates, but it will delete them since he was no more an employee of that company. Firstly, the DPA pointed out that the information contained in the safety certificates falls into the definition of personal data as per Article 4(1) GDPR. Secondly, the DPA found that the controller had not promptly and completely answered the data subject’s access request. The controller failed in sending the data subject a copy of his certificates. The DPA specified that, even if the controller was not storing the certificates anymore, it would have needed to provide the data subject with the specific reasons for not taking action and inform him of the possibility to lodge a complaint with the supervisory authority or to seek a judicial remedy, as provided for by Article 12(4) GDPR. Therefore, the DPA found a violation of Article 12 GDPR in combination with Article 15 GDPR and issued a fine of €10,000.