Fine in the amount of 70 000 euros applied by the Italian Data Protection Authority to Unicredit for the infringement of Article 5.1(a), Article 12 and 15 of GDPR

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 70 000 euros applied by the Italian Data Protection Authority (SA) to Unicredit for the infringement of Article 5.1(a), Article 12 and 15 of GDPR.

Following investigations, the Italian SA found that Unicredit SpA rejected a data subject’s request for access to personal data on the grounds that a pre-established form had not been completed. The form itself was found to be incomplete and misleading as to the actual scope of the right at issue. The company considered it was free to discard access requests that were submitted without using the given form and replied to the data subject only after the latter lodged his complaint.  In that respect, the Italian SA clarified that an access request could not be dealt with by delivering the information notice as per Articles 13 and 14 GDPR; the right of access to one’s personal data and the right to be informed, though mutually related, are different rights which are set forth in separate provisions of the GDPR and are intended to afford safeguards and protection in ways that are not fully superimposable. The Italian SA recalled the EDPB Guidelines 1/2022 on data subject rights (right of access) in this connection and imposed a fine in the amount of 70 000 euros.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.