THE ITALIAN DATA PROTECTION AUTHORITY AND THE DECISION OF JUNE 6, 2024: A SANCTION AGAINST BIOMETRIC MONITORING IN THE WORKPLACE.

Recently, the Italian Data Protection Authority has revisited the collection and use of biometric data for managing employment relationships, as well as monitoring work activities through employer-managed software.

These issues were specifically addressed in the decision of June 6, 2024, where the Authority fined the employer—a dealership operating in the cities of Modica and Ragusa—€120,000 for violations of Articles 5, 6, and 13 of Regulation (EU) 2016/679 (GDPR – General Data Protection Regulation), following a complaint from an employee.

IN CASE YOU MISSED IT: THE GDPR AND THE SEVEN FUNDAMENTAL PRINCIPLES FOR DATA COLLECTION AND PROCESSING.

Regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), aims to harmonize data protection laws across the European Union, ensuring greater protection for citizens and establishing strict rules for organizations handling personal data.

The GDPR outlines seven fundamental principles for the processing of personal data, which we will briefly explain below:

1. Lawfulness, fairness, and transparency:

a) Lawfulness: The processing of personal data must be conducted in accordance with the laws of each Member State and must be legally grounded in the data subject’s consent, the performance of a contract, a legal obligation, or a legitimate interest.

b) Fairness: Personal data processing must be conducted in a fair and non-deceptive manner, aiming to protect the data subjects.

c) Transparency: Data subjects must be clearly and understandably informed about the processing of their data. The information provided must include details on how and why data is collected, used, stored, and shared.

2. Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. In other words, collected data should not be used for purposes other than those originally stated to the data subjects, unless legally permitted.

3. Data minimization: Only the personal data necessary to achieve the intended purposes should be processed. This principle implies that data which is unnecessary or excessive relative to the declared purposes should not be collected. Minimization helps reduce privacy risks for data subjects.

4. Accuracy: Personal data must be accurate and, if necessary, kept up to date. Reasonable measures should be taken to ensure that inaccurate or incomplete data is corrected or deleted without delay.

5. Storage limitation: Personal data should be kept in a form that permits the identification of data subjects for no longer than necessary for the purposes for which the data is processed. Once the processing purpose is fulfilled, data should be deleted or anonymized.

6. Integrity and confidentiality: Personal data must be processed in a way that ensures protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Security measures should be appropriate to the risk and include technical and organizational controls to safeguard data.

7. Accountability: The data controller—often the employer or designated employees—is responsible for demonstrating compliance with GDPR principles. This involves implementing appropriate policies and procedures, maintaining documentation to provide proof of GDPR compliance, and continuously reviewing data processing practices. A key aspect of accountability is maintaining “Records of Processing Activities” as per Article 30 of the GDPR. These records include the name and contact details of the controller, the purposes of processing, descriptions of data categories, recipients of data, retention periods, and a general description of security measures.

It is important to note that these seven principles are explicitly set out in Article 5 of the GDPR and in the subsequent Article 6 (which focuses on the “Lawfulness of Processing”); keeping them in mind helps to frame the Authority’s decision.

CASE ANALYSIS: COLLECTION, MANAGEMENT, AND STORAGE OF PERSONAL DATA THROUGH BIOMETRIC RECOGNITION HARDWARE AND WORK ACTIVITY TRACKING SOFTWARE

In the examined decision, the Authority found that the use of both biometric recognition hardware and work activity tracking software was unlawful. Specifically, the Authority focused on two distinct applications used by the fined employer: first, the biometric recognition hardware called “X FACE 360” and second, the tracking software called “INFINITY DMS”.

A) The X Face 360 Biometric Tracking Hardware: Violations of Lawfulness, Data Minimization, and Storage Limitation Principles (Articles 5, 9, and 13 of the GDPR). Issues with Informed Consent from Employees.

The investigation revealed that the fined company used a facial recognition system to record employee attendance starting from December 2018. This processing—affecting 40 employees at the Modica and Ragusa sites—was intended solely to process attendance data for payroll purposes and to provide a monthly report to the CDL.

According to the GDPR, biometric data is considered a special category of data, the processing of which is permitted only where necessary for specific labor-related obligations and rights, and where authorized by law or collective agreements, so as to ensure adequate protection for workers’ rights (Article 9(2)(b) of the GDPR; see also Article 88(1) and Recitals 51-53 of the GDPR).

The Authority found that the collection and processing of biometric data violated the principles of lawfulness, data minimization, and storage limitation because:

1. The legal basis for data collection and processing was not demonstrated: Informed consent from employees was not deemed an adequate legal basis because of the imbalance in the contractual relationship between workers and employer. This principle is essential, as it sets precise limits on the validity of employee consent, which is often compromised by the need to accept contractual terms that may include more or less evident restrictions on their rights.

2. The necessity of the processing was not specified: That is, the specific purposes guiding data collection and processing were not clarified.

3. The retention period for biometric data was considered excessive, extending unreasonably until the end of the employment relationship.

The Authority concluded that the company’s processing of biometric data violated Articles 5(1)(a), (c), (e), 9(2)(b), and 13 of the Regulation.

B) The Infinity DMS Monitoring Software: Violations of Lawfulness, Fairness, and Transparency in Data Management (Articles 5, 6, and 13 of the GDPR).

The second issue addressed by the Authority concerned the lawfulness, fairness, and transparency of data collected through the “Infinity DMS” software. The investigation showed that the software was used to record various stages of work activity, including breaks, with specific reasons (e.g., rest, waiting for replacements).

The software was also used to collect and process personal data related to workshop clients (who were provided with information) and details about the types of interventions performed on vehicles, which were entered by employees.

The investigation revealed that while the company had prepared a record of processing activities in accordance with Article 30 of the Regulation, it had not provided sufficient details about the software, making it difficult to assess the nature and type of processed data, the methods and retention periods, and the necessity and proportionality of the data processing relative to the purposes.

The employee information provided was also incomplete, failing to give a full account of data processing.

To sum up, even in this case the company did not provide an adequate legal basis for processing, merely stating that the software was necessary to improve quality standards imposed by the parent company.

Consequently, the Authority found that the processing violated the principles of lawfulness, fairness, and transparency outlined in Articles 5(1)(a), 6, and 13 of the GDPR.

CONCLUSIONS.

In “1984” Orwell wrote: “If you want a picture of the future, imagine a boot stamping on a human face—forever”.

As technology continues to develop, it increasingly demands ethical reflection on its practical application, including in the workplace. Tools that may seem useful for speeding up administrative and production processes—such as biometric recognition for attendance and payroll—often end up infringing on fundamental rights, sometimes without individuals’ awareness.

In this case, the Authority’s decision serves as a warning for more rigorous GDPR enforcement and highlights the growing importance of fair treatment of personal data, recognizing it as an extension of an individual’s identity.

If this is true, the future may be a bit brighter and less painful than Orwell envisioned in his famous novel.
