The data subject has the right to access the data processed by the controller about them, a right guaranteed by both the EU General Data Protection Regulation (“GDPR”) of April 14, 2016, which came into force on May 25, 2018, and the Law on Personal Data Protection of the Republic of Serbia.
This right is undisputed during the course of the business or other relationship between the data subject and the controller. But what happens when that relationship ends—can the individual still exercise that right afterward?
This question was recently considered by the Italian Data Protection Authority (“Garante”).
Case Background
In 2024, an individual submitted a request via email to their former employer to access and receive two of their employment agreements and two payslips for each year of employment.
Despite a follow-up two months later, the employer failed to respond.
As a result, the individual filed a complaint with Garante, after which the employer fulfilled the request.
During the proceedings before Garante, the employer argued:
- That they no longer process the individual’s personal data, as the individual is no longer employed by the employer;
- That the documents requested had already been provided during the term of employment; and
- That the individual had reported finding the requested documents and had thus withdrawn the complaint.
The employer therefore claimed that it was not obligated to respond to the request, considering it unjustified and subject to rejection under Article 12(5) of the GDPR.
Garante’s Decision
Garante determined that the individual’s request was not unfounded and found that the employer had acted unlawfully, in violation of Articles 12(3) and 15 of the GDPR. As a result, Garante issued a warning to the employer for processing personal data in breach of data protection regulations.
First and foremost, Garante concluded that the employer, as the data controller, was obligated to respond to the individual’s request within the legally prescribed time frame and could not exempt itself from this obligation. If a controller is unable or unwilling to fulfill a request, it must provide a response explaining the reasons for denial and inform the individual of their right to lodge a complaint with the supervisory authority or a court, in accordance with Article 12(4) of the GDPR.
Furthermore, Garante clarified that the termination of employment does not automatically relieve the employer of its obligations under the GDPR and the Guidelines on the right of access. This only occurs if the employer deletes or anonymizes the data. Therefore, ending the employment relationship does not automatically mean that the processing of personal data also ends. The employer was still in possession of the documents, confirming that the data was still being processed.
Regarding the employer’s claim that the individual had already received the documents during their employment and that the employer was therefore exempt from the obligation to respond to the request, Garante, relying on the practice of the Italian Supreme Court of Cassation, ruled this assumption unfounded.
Namely, the right of access is not limited to discovering new information but extends to all personal data, including data already known to the data subject. Accordingly, the purpose of the right of access is not just to obtain new data but, in the interest of human dignity and privacy, to verify the existence, deletion, or ongoing processing of personal data.
This article is for informational purposes only and does not constitute legal advice. If you require further information, please feel free to contact us.
By Borinka Dobrnjac, Senior Associate, PR Legal