

2 Nov 2023

Italian Data Protection Authority: employee has right to access data collected through GPS system installed by employer

With its Ruling of 14 September 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA’) found that the processing of data carried out by a company appointed to read gas, electricity and water meters (the ‘Company’) was unlawful, confirming that the employer has an obligation to provide a full response to requests to exercise the right of access, including by communicating geolocation data.

The facts of the case

The case arose from a complaint submitted to the DPA by three Company employees who had not received a satisfactory response to a request for access to their personal data collected through company smartphones, on which a geolocation system had been installed that allowed workers to identify the route to take to reach the meters to be dealt with.

In particular, the employees asked for the information used to process mileage reimbursements and the monthly hourly wage, as well as the procedure for establishing the remuneration due, in order to verify the accuracy of their pay slips.

The DPA, during the preliminary investigation, found that the Company had not provided an adequate response to the three workers’ request, despite the fact that the request was clear and detailed. In fact, it had not provided the employees with the data processed through the GPS system, but had limited itself to indicating the methods and purposes for which they were processed and to providing the privacy policy already signed by the concerned workers.

The outcome of the preliminary investigation

At the outcome of the preliminary investigation, the DPA found that the Company, in its capacity as Controller, carried out the processing in breach of:

  • Article 15 of Regulation (EU) 2016/679 (the ‘GDPR’), for failing to provide, including through the attached documentation, a complete and exhaustive response to what was requested. The exercise of the right of “access to personal data” must, in fact, allow effective access to any personal data processed, not a general description of the data or a mere reference to the categories of personal data processed by the controller (as also specified in “Guidelines 01/2022” on Data Subject Rights, EDPB, 28 March 2023). The Company should have provided all the data collected through the geolocation system, responding to the specific requests received from the three complainants;

  • Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;
  • Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The data subject’s right of access to his or her own data cannot be considered to be satisfied by mere reference to what is contained in the information notice, without any reference to the processing actually carried out.

The DPA’s decision

At the outcome of the preliminary investigation, the DPA clarified that, since the Company processed, among other things, data relating to the geolocation of smartphones provided to employees for the performance of their work, such processing “indirectly provided the geolocation of the complainants themselves”: for this reason, the Company should have provided a complete and exhaustive response to the requests to exercise the right of access, indicating, in particular, the data relating to the employees’ geolocation or explaining the reasons for any failure to comply with the requests received.

In light of all the above, the DPA fined the Company EUR 20,000, and also ordered the publication of the Ruling on its website.
