With a decision of 10 November 2022, the Italian Data Protection Authority (l’Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed a fine of EUR 20,000 on an Italian company for monitoring employee attendance by reading fingerprints. The Authority reiterated that ‘the processing of biometric data in the workplace is allowed only if necessary to fulfil obligations and exercise the employer’s rights provided for by a legal provision and with appropriate safeguards’.

The case arose following a report made to the Authority by a trade union organisation that complained about the introduction by the company, the employer, of a stamping system that used a biometric terminal to monitor access and attendance of employees and collaborators within its facilities. The union also challenged the fact that the system had been introduced even though the company had been asked to adopt ‘less invasive means’ that did not involve the processing of biometric data of the data subjects.

The company defended itself by stating that the system adopted was intended to facilitate the registration of entry and exit times for data subjects and represented a ‘more streamlined and faster’ tool than the one previously used, which recorded attendance through a personal identification badge.

After carrying out its preliminary investigation, the Authority held, among other things, that the processing of biometric personal data carried out by the company was unlawful for (i) having carried out processing in the absence of an appropriate lawful basis: the Authority, in fact, reaffirmed that the processing of biometric data in the workplace is allowed only if it is provided for by a national or European law; (ii) not having provided the data subjects with adequate information, thus infringing the fundamental principles on the subject such as those of lawfulness, fairness and transparency; (iii) not having updated the Record of Processing Activities which, in the version presented to the Authority, did not record any processing of employee biometric data, thus also infringing the principle of accountability; (iv) having processed a category of special data for the sole purpose of simplifying employment relationship management activities.

For all these reasons, therefore, the Authority sanctioned the company, ordering it not only to pay the above-mentioned administrative fine for the above-mentioned infringements but also ordering the publication of the decision on its institutional website.

In conclusion, while in the work context monitoring employees’ attendance is necessary to verify compliance with working hours as well as for the employer to fulfil specific obligations and exercise specific rights, for the processing of biometric data of employees to be lawful, it must be based on a legislative provision and cannot be based on the collection of the data subjects’ consent ‘in the light of the asymmetry between the respective parties to the employment relationship and the resulting, if any, need to ascertain from time to time and in concrete terms the effective freedom of expression of will of the employee’.

Other related insights:

On 25 March, the European Commission and the United States of America announced that they had reached a new framework agreement on the cross-border transfer of personal data (the “Trans-Atlantic Data Privacy Framework”) that will be the basis for an adequacy decision by the European Commission. The new agreement was announced less than two years after the European Court of Justice ruled that the Privacy Shield was invalid. It ensures that the GDPR-guaranteed levels of data protection are not undermined by being transferred to the US and when European citizens’ data is processed. The agreement’s crucial points will be represented by binding rules and safeguards to limit the access to data by the US authorities, which assumed considerable importance in the cited Court of Justice decision. The authorities will be allowed to access and process personal data only to the extent that this is necessary and proportionate to protect and pursue the defined objectives of national security. The communiqué stated that this will be achieved by establishing an independent two-level review mechanism, to establish corrective measures and improve the strict and layered oversight of intelligence activities by ensuring compliance with limitations during surveillance. The Trans-Atlantic Data Privacy Framework will provide a basis for transatlantic data flows that is fundamental to protecting data subject rights. The communiqué confirmed that teams from the US government and the European Commission will continue their cooperation to turn this agreement into legal documents to be adopted by both sides. Once this process is completed, European and US data controllers and processors must comply with the framework agreement provisions.

Other related insights:

The Court of Cassation, with order No. 18292 issued on 3 September 2020, has pointed out that failure to arrange the relevant technical and organisational measures safeguarding the protection of the personal data of the data subject is comparable to the organisational fault linked to the failure to adopt an organisational model pursuant to Legislative Decree No. 231/2001.

The facts of the case

In the case at issue, a local authority lodged an appeal before the Court of Cassation against an injunction order of the Italian Data Protection Authority with which a sanction had been inflicted thereto for having published the personal data of one of its civil servants beyond the 15 day term provided for under article 124 TUEL (“Local Authorities Consolidation Act”) in the online municipal notice board.

Indeed, it was ascertained that the City had kept some decisions visible for more than one year, from which the following were clear (i) name and surname of the data subject, (ii) existence of litigation between the data subject and the City, (iii) family certificate and (iv) the circumstances that the data subject lived by herself, had made a request for paying the amount due by instalments and that the request had not been accepted.

To back its own position, the City objected that the fault for the failure to cancel the data of the data subject from the online municipal city board needed to be attributed to an outside consultant who had been instructed to configure the Internet Website in compliance with the laws and regulations currently in force.

The decision of the Court of Cassation

In rejecting the appeal, the Court of Cassation clarified that the employee’s data did not concern any “aspect of the organisation”, they did not amount to “indicators concerning the operating trend and the use of resources”, nor did they even represent “results of the activity related to the measurement and assessment carried out by the competent bodies”. Therefore, the respective publication beyond the term fixed by law could not be deemed to be lawful.

Then, in so far as the liability of the outside consultant is concerned, the Court of Cassation has specified that the Data Controller, pursuant to article 4 of Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “GDPR”) is the legal entity and not the legal representative or the director, therefore, standalone liability precisely on the legal entity’s side takes shape. This liability, the judges carry on, must be understood as “fault on the organisation’s side”, that is “reprimand arising out of the breach by the authority of the obligation to take the necessary organisational and operating precautions to prevent the perpetration of the breaches of the law”, “just like under Legislative Decree No. 231/2001 on liability of entities arising out of crime”.

In light of the foregoing, the Court of Cassation reached the conclusion that the delay in removing the published data from the online municipal notice board is “may be fully traced back to the scope of authority of the Entity and of its own apparatus”.


With the order under examination, the Court of Cassation finds an important similarity between the subject matter of the protection of personal data and that of liability of entities arising out of crime, by precisely comparing and making the failure to adopt adequate technical and organisational measures (under article 32 GDPR) equal to the so-called “fault on the organisation’s side” foreseen by Legislative Decree No. 231/2001.

Others Insights related:

The new FAQ of the Italian Data Protection Authority (hereinafter, the “Authority”) were published on 6 May 2020 on its website, containing information on the correct processing of personal data strictly related to the spread of the new Covid-19 virus (“Coronavirus “), supplemented on the following 14 May.

Recording of temperature

With specific reference to the occupational context, the Authority provides important clarifications on the employer’s ability to record the body temperature of employees, customers, suppliers or occasional visitors at the entrance of company premises or offices, preventing persons from access who have a temperature exceeding 37.5 °, as provided for by applicable law.

According to the Authority, the possibility of recording body temperature is provided for by the joint “Safety Protocol” (hereinafter, the “Protocol “) of the Social Partners and the Government, signed on 14 March 2020 and updated on the following 24 April.

Given that the recording of an identified person’s body temperature constitutes the processing of personal data, the Authority clarifies how the employer can record and register an excessive body temperature only where it proves necessary to document the reasons why an employee has been prevented from accessing the workplace.

It is not necessary to record the body temperature data of customers, suppliers or occasional visitors as it is not necessary, in relation to these persons, to document the reasons for any refusal of access. This clarification is provided in view of the “data minimisation principle” envisaged by Article 5.1 c) of Regulation (EU) 2016/679 (the “GDPR “) according to which “personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed“.

Serological testing in the workplace

On 14 May 2020 the Authority supplemented the previously communicated FAQs in order to clarify whether an employer can carry out serological tests on its employees directly.

More specifically, it clarifies that only the company doctor or other health professional (i) can provide for serological tests to be carried out on employees, or (ii) can provide for the adoption of diagnostic tools if considered useful in order to limit the spread of the virus, while following instructions and guidelines issued from time to time by the competent health authorities, also in relation to the appropriateness and reliability of the instruments indicated. These provisions also apply to medical checks carried out in order to assess whether a worker should be allowed to return to his/her job duties after e.g. a prolonged absence due to illness.

According to the Authority, this follows from the specific wording of paragraph 12 of the Protocol  (“12-Health surveillance/Company Doctor/Workers’ Safety Representative (RLS)“), emphasising the importance of health surveillance, which must be arranged not only in strict observance of the health and hygiene measures contained in directions handed down by the Minister of Health and by the competent authorities, but also by ensuring that information and training are provided to workers by the company doctor, in order to prevent the spread of infection.

If the company doctor is in a position to carry out those tests, he may communicate to the employer no more than his opinion as to whether or not the worker concerned is fit for work or otherwise.

The Authority emphasises that the employer

  • is not entitled to process, in any manner, information and data pertaining to the diagnosis or medical history of the worker which derive, for instance, from having consulted the reports or the results of tests that the worker was required to take
  • may, however, receive information about any limitations or restrictions determined by the company doctor for particular workers who are deemed fit for their job duties but are potentially at high risk of contagion.

Subject to the foregoing, the FAQs in question clarify that workers can sign up to special screening campaigns initiated and promoted by the competent health authorities, also through the employer where the latter has been directly involved by the local prevention department in promoting those campaigns, also by agreeing to cover the associated economic costs incurred by its own employees.

The Authority considers, in any case, that the company doctor, the employer and the Workers’ Safety Representative (RLS) or Territorial Workers’ Safety Representative (RLST) should – in the collaborative effort to adopt all regulatory measures required in order to contain the spread of Covid 19 – pay particular attention to applicable rules, to the guidelines and directions of the competent Authorities, and also to ensuring full compliance with personal data protection rules, guaranteeing the adoption of methods and instruments that can safeguard the confidentiality and dignity of data subjects concerned.

Other related insights:

Il Quotidiano del Lavoro publishes an article signed by Vittorio De Luca, Antonella Iacobellis and Martina De Angeli in connection with a recent decision of the Italian Data Protection Authority, which imposes a sanction of an Italian University for not having properly protected the personal data of two whistleblowers, by relying on the security procedures chosen by the respective software supplier.

Click here to read the DLP insights on the subject matter and the Firm’s remarks.