With Ruling of 14 September 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA’) found that the processing of data carried out by a company appointed to read gas, electricity and water meters (the ‘Company’) was unlawful, confirming that the employer has an obligation to provide a full response to requests to exercise the right of access, including by communicating geolocation data.

The facts of the case

The case arose from a complaint submitted to the DPA by three Company employees who had not received a satisfactory response to a request for access to their personal data collected through the company’s smartphone, on which a geolocation system had been installed that allowed workers to identify the route to take to reach the meters to be dealt with.

In particular, the employees asked for the information used to process mileage reimbursements and the monthly hourly wage, as well as the procedure for establishing the remuneration due to verify the accuracy of their pay slip.

The DPA, during the preliminary investigation, found that the Company had not provided an adequate response to the three workers’ request, despite the fact that the request was clear and detailed. In fact, it had not provided the employees with the data processed through the GPS system, but had limited itself to indicating the methods and purposes for which they were processed and to providing the privacy policy already signed by the concerned workers.

The outcome of the preliminary investigation

At the outcome of the preliminary investigation, the DPA found that the Company, in its capacity as Controller, carried out the processing in breach of:

• Article 15 of Regulation (EU) 2016/679 (the ‘GDPR’), for failing to provide, including through the attached documentation, a complete and exhaustive response with respect to what was requested through the requests. The exercise of the right of “access to personal data” must, in fact, allow effective access to any personal data processed, which is not a general description of the same, nor a mere reference to the categories of personal data processed by the controller (as also specified in “Guidelines 01/2022” on Data Subject Rights (EDPB, 28 March 2023).

The Company should have provided all the data collected through the geolocation system, responding to the specific requests received from the three complainants;

• Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;

• Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The data subject’s right of access to his or her own data cannot be considered to be satisfied by mere reference to what is contained in the information notice, without any reference to the processing actually carried out.

The DPA’s decision

At the outcome of the preliminary investigation, the DPA clarified that, since the Company processed, among other things, data relating to the geolocation of smartphones provided to employees for the performance of their work, such processing “indirectly provided the geolocation of the complainants themselves”: for this reason, the Company should have provided a complete and exhaustive response to the requests to exercise the right of access, indicating, in particular, the data relating to the employees’ geolocation or explaining the reasons for any failure to comply with the requests received.

In light of all the above, the DPA fined the Company EUR 20,000, and also ordered the publication of the Ruling on its website.

Other related insights:

• European Court rules that employee tracking through company car geolocator is lawful (Norme e Tributi Plus Diritto, 23 January 2023 – Alberto De Luca, Claudia Cerbone)
• Italian Data Protection Authority: employee has right to access report of investigative agency appointed by employer

On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework ensuring that the United States of America guarantees an adequate level of protection of personal data comparable to that of the European Union.

The adequacy decision is one of the tools provided for by Regulation (EU) 2016/679 (the ‘Regulation’) to transfer personal data from the European Union to third countries that, upon prior assessment by the European Commission, offer ‘an adequate level of protection’, i.e. a level of protection of personal data equivalent to that guaranteed within the EU.

The consequence is that personal data can be transferred securely and can be managed in the same way as data transmissions that take place within Europe.

What does the new EU-US Data Privacy Framework entail?

The EU-US Data Privacy Framework is structured around a self-certification mechanism whereby US companies undertake to comply with a number of personal data protection obligations, including, but not limited to, compliance with the principles of purpose limitation, data minimisation and retention, as well as specific obligations regarding data security and data sharing with third parties.

The organisations’ undertakings will be renewed on an annual basis and are subject to checks and monitoring by the U.S. Department of Commerce, which will process certification applications and periodically verify compliance with the requirements by participating companies.

European citizens will benefit from several independent and impartial remedies in the event that their data is processed in a non-compliant manner, including the newly established Data Protection Review Court (DPRC).

US law will provide a number of safeguards, including limiting access to personal data by public authorities to what is necessary and proportionate to protect national security or to enforce criminal law.

In any case, the Data Privacy Framework will be subject to periodic revisions by the European Commission together with representatives of the European data protection authorities and the competent US authorities.  The first review will take place within one year of the entry into force of the adequacy decision.

The other instruments provided for by the Regulation

It is worth remembering that in addition to the adequacy decision, the Regulation also provides for other tools to ensure the correct transfer of data outside the European Union, including:

• the adoption of Standard Contractual Clauses;
• the adoption of Binding Corporate Rules (BCR) by large international groups following negotiations with the supervisory authorities of the countries involved;
• adherence to specific Codes of Conduct or, in any case, to certification mechanisms which must be simultaneously applied by the entity to whom the data are transferred;
• the consent of the data subject who must be adequately informed as required by the Regulation itself.

◊◊◊◊

As most recently pointed out in the information note of the European Data Protection Board (EDPB) of 18 July 2023, all the protections provided by the US government in the field of national security apply to all transfers of personal data made to companies in the United States, regardless of the transfer mechanisms used. Therefore, these guarantees also serve to facilitate the use of the other instruments provided for by the Regulation.

Other related insights:

• DID YOU KNOW THAT… The European Commission and the US reached a framework agreement on the transfer of personal data? De Luca & Partners (delucapartners.it)
• Privacy Shield: the Court of Justice of the European Union invalidates the EU – USA Agreement – De Luca & Partners (delucapartners.it)

With a decision of 10 November 2022, the Italian Data Protection Authority (l’Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed a fine of EUR 20,000 on an Italian company for monitoring employee attendance by reading fingerprints. The Authority reiterated that ‘the processing of biometric data in the workplace is allowed only if necessary to fulfil obligations and exercise the employer’s rights provided for by a legal provision and with appropriate safeguards’.

The case arose following a report made to the Authority by a trade union organisation that complained about the introduction by the company, the employer, of a stamping system that used a biometric terminal to monitor access and attendance of employees and collaborators within its facilities. The union also challenged the fact that the system had been introduced even though the company had been asked to adopt ‘less invasive means’ that did not involve the processing of biometric data of the data subjects.

The company defended itself by stating that the system adopted was intended to facilitate the registration of entry and exit times for data subjects and represented a ‘more streamlined and faster’ tool than the one previously used, which recorded attendance through a personal identification badge.

After carrying out its preliminary investigation, the Authority held, among other things, that the processing of biometric personal data carried out by the company was unlawful for (i) having carried out processing in the absence of an appropriate lawful basis: the Authority, in fact, reaffirmed that the processing of biometric data in the workplace is allowed only if it is provided for by a national or European law; (ii) not having provided the data subjects with adequate information, thus infringing the fundamental principles on the subject such as those of lawfulness, fairness and transparency; (iii) not having updated the Record of Processing Activities which, in the version presented to the Authority, did not record any processing of employee biometric data, thus also infringing the principle of accountability; (iv) having processed a category of special data for the sole purpose of simplifying employment relationship management activities.

For all these reasons, therefore, the Authority sanctioned the company, ordering it not only to pay the above-mentioned administrative fine for the above-mentioned infringements but also ordering the publication of the decision on its institutional website.

In conclusion, while in the work context monitoring employees’ attendance is necessary to verify compliance with working hours as well as for the employer to fulfil specific obligations and exercise specific rights, for the processing of biometric data of employees to be lawful, it must be based on a legislative provision and cannot be based on the collection of the data subjects’ consent ‘in the light of the asymmetry between the respective parties to the employment relationship and the resulting, if any, need to ascertain from time to time and in concrete terms the effective freedom of expression of will of the employee’.

Other related insights:

• The requirements relative to the processing of special categories of data have been issued
• Data Processing Register and Impact Assessment: clarifications provided by the Data Protection Authority

As only geolocation data referring to kilometres travelled were considered, the interference in the applicant’s privacy was limited and proportional to the intended purpose.

Dismissal by an employer based on the data from the geolocator of an employee’s company car is lawful and the collection and processing of the relevant data does not result in the infringement of the employee’s rights as enshrined in the Human Rights Convention. This was established, in an important precedent on this much debated issue, in the ruling of the European Court of Human Rights No 26968/1616 issued at the conclusion of Gramaxo v. Portugal. This is the first time the European Court has ruled on a case of surveillance at work through a geolocation system and laid down the criteria for the correct balance between the worker’s right to respect for his or her private life and the employer’s rights in terms of monitoring the proper use of capital assets.

The case on which the Court was asked to rule related to the dismissal of a medical representative of a Portuguese pharmaceutical company who, because of travel associated with his work, had been assigned a company car for mixed work and private use.

At a later date the company had installed a global positioning satellite system (GPS) on all company vehicles.

Following a comparison of the data collected through the installed systems, it was found that the employee in question had falsified the monitoring records making it look like the vehicle had been used more for work than it actually had and lowering its private use to reduce the cost to himself.

The full version can be accessed at Norme e Tributi Plus Law of Il Sole 24 Ore.

It is unlawful to monitor the metadata of company e-mails assigned to employees that do not guarantee adequate protection of confidentiality and are carried out in breach of the rules limiting remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali – the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.

The preliminary investigation

The case arose from a report submitted to the Italian DPA by an independent trade union organisation that complained about the monitoring by the administration, which was the controller, of the e-mails of staff working in the offices of the regional lawyer’s office.

The monitoring, initiated as part of an internal investigation aimed at verifying a suspected disclosure of information protected by official secrecy, turned out to include information on times, recipients, subject matter of communications and size of attachments, the so-called ‘metadata’, of some employees who had been sending messages to a specific trade union. According to the investigation’s findings, it had been possible to monitor this information because, ‘as a matter of practice’ email traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.

The Italian DPA’s Order

On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:

• in breach of the principles of ‘lawfulness, fairness and transparency’, employees had not been provided with information on the processing of personal data in accordance with Articles 12 and 13 of the GDPR. And, as the Italian DPA noted, the fulfilment of the information obligations ‘constitutes a specific precondition for the lawful use of the data collected through technological tools, by the employer, including for all purposes related to the employment relationship (Article 4, paragraph 3, of Italian Law No 300/1970)’;
• given that ‘the generalised collection and extensive retention of e-mail metadata […] are not instrumental to the “employee’s work performance”, such data processing may entail an – albeit indirect – remote monitoring of the employees’ activities. Therefore, the employer breached not only the existing data protection legislation but also the regulations on remote monitoring of employees;
• the processing and monitoring carried out enabled the employer to acquire information on the employees’ private lives or on matters that were not in any way relevant to the assessment of their professional suitability;
• the processing of the metadata was carried out in breach of principles of data protection law, namely the principles of retention limitation, of data protection by design and by default, as well as of the principle of accountability;
• the processing of metadata was carried out in the absence of a prior data protection impact assessment.

On the basis of all of the above, the Italian DPA, in addition to ordering payment of the aforementioned administrative sanction, prohibited the employer, the controller, from any further processing operation applied to the (meta)data relating to the use of employees’ e-mails retained for a period exceeding seven days from the date of their collection, ordered the deletion of the data already collected and retained beyond the latter period and also ordered the publication of the order on its institutional website.

Other related insights:

An employer can monitor its employee’s corporate email account

Dismissal for just cause: monitoring the company chat without adequate information is unlawful