With decision no. 137 of March 7, 2024, the Italian Data Protection Authority confirmed that employees have the right to access their data held by employers, regardless of the reason for the request. This principle was confirmed following a complaint by a former bank employee who had requested access to her personal file to understand the reasons for a disciplinary sanction. The bank initially responded with an incomplete list of documents, omitting some crucial information.
Only after the Authority intervened did the bank provide the complete documentation, including correspondence with a third party who complained about the unlawful communication of the husband’s confidential information to the complainant, which was used in a judicial proceeding.
The bank justified the omission by citing the need to protect the right of defense and the confidentiality of the third parties involved, as well as the requester’s alleged lack of interest in access. However, the Authority clarified that the right of access is aimed at allowing individuals to check their personal data and verify its accuracy, without the need to justify the request. This principle is supported by the General Data Protection Regulation (GDPR) and the guidelines of the European Data Protection Board (EDPB).
Following the violation, the Authority fined the bank €20,000.00, taking into account the nature, severity, and duration of the infraction, as well as the absence of similar previous cases.