Data Subject Access Requests (DSAR) from Employees: not answering causes Serious Fines even if the Information is Easily Accessible Online
In a recent development, the Italian DPA has taken decisive action against Autostrade per l’Italia and Amazon Italia, fining them €100,000 and €40,000 respectively for having mishandled Data Subject Access Requests (DSARs) from (former) employees. Article 15 GDPR outlines the Data Subject’s right of access, and its pivotal role has also been acknowledged by the European Data Protection Board (EDPB) Guidelines 01/2022 on the right of access, as updated on 28 March 2023. In particular, this right allows individuals to confirm whether their data is being processed, access their personal information, and obtain details about the processing, including
- categories of data,
- storage period.
The EDPB emphasizes the interconnectedness of the right of access with other GDPR provisions and underscores that limitations should only be placed by other GDPR Articles (such as Articles 15(4) and 12(5), aimed at preventing infringement on others’ rights and addressing manifestly unfounded or excessive requests).
Employees’ Request for Access to Work-related Information (Autostrade per l’Italia)
Autostrade faced complaints from 50 employees. They requested access to their:
- personal files,
- pay slips,
- information relating to the processing of data for the calculation of their pay slips,
without receiving any reply. Autostrade argued that it did not reply for the following reasons:
- To safeguard its right to defend itself in several lawsuits that involved the data subjects.
- The employees could have easily retrieved the information on an online platform.
Notwithstanding these arguments, the Italian DPA stated that Autostrade should have replied to the employees’ requests anyway and informed them of the reason for the denial of access. Failing to do so led to a fine of €100,000.
Former Employee’s Request for Access to Personnel File (Amazon Italia)
A former Amazon employee requested a copy of their personnel file. Amazon did not reply to the DSAR, arguing that it was too broad and generic. After a request for information from the Italian DPA (and, significantly, six months after the request), Amazon sent the employee a copy of the personnel file. Notwithstanding this, the Italian DPA stated that Amazon:
- should have replied to the employee within 30 days, as provided by the GDPR;
- should have informed the employee that more information was required to specify the request.
In other words, the fact that the DSAR was too broad and generic did not exclude the Company’s duty under the GDPR to answer the DSAR.
In both cases, the companies failed to provide timely and adequate responses, violating the Data Subjects’ right of access. Autostrade should have replied even if the information was easily retrievable elsewhere, and Amazon should have replied by asking the Data Subject to send a more specific request. The decision to stay silent cost the companies tens of thousands of euros in fines that could easily have been avoided.
These recent regulatory actions highlight the critical role of the right of access in ensuring individuals’ control over their personal data. The Italian DPA stresses the necessity of providing motivated responses even in denial cases, informing individuals about the right to appeal. Additionally, it emphasizes that broad and generic access requests should not excuse delayed responses; instead, companies should seek clarification promptly.
In conclusion, organizations must recognize the centrality of access rights within their privacy policies, adopting a proactive approach to addressing requests in a timely and transparent manner. These fines underscore once again the importance of compliance and the responsibility organizations bear in upholding individuals’ privacy rights. If you want help in structuring your DSAR policy or verifying that it is up to date, please contact us; we are happy to help you.