
Latest revision as of 12:57, 28 June 2024

Garante per la protezione dei dati personali - 10029500
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(14) GDPR
Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 9(1) GDPR
Article 9(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.06.2024
Published:
Fine: 120,000 EUR
Parties: Cappello Giovanni & Figli s.r.l.
National Case Number/Name: 10029500
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a controller €120,000 after it unlawfully used facial recognition to monitor workplace attendance of its employees.

English Summary

Facts

In December 2018, the controller implemented a facial recognition system to monitor the workplace attendance of its employees and to grant them access to its premises. It also started using software to register the tasks each employee was performing.

On 5 October 2021, a data subject filed a complaint with the DPA, arguing that this processing activity was in breach of the GDPR.

The controller pointed out that it had provided each data subject with a privacy policy pursuant to Article 13 GDPR and had then obtained their consent to the processing of this data. It argued that the purpose of implementing the facial recognition system was to improve the efficiency of the company and the quality of its products.

Moreover, the controller noted that it had conducted a DPIA before implementing this processing operation.

Holding

Firstly, the DPA pointed out that data processed through a facial recognition system are biometric data as per Article 4(14) GDPR. Therefore, their processing falls within the scope of Article 9(1) GDPR and is, in principle, prohibited. The DPA considers that the processing of biometric data happens both when the biometric characteristics of the data subject are acquired (for example, when the first picture of the data subject is taken) and when the actual facial recognition takes place.

The DPA recalled that Article 9(2)(b) GDPR introduces an exception to this prohibition in the field of employment and social security. However, some conditions must be met for this exception to apply: (1) the processing must be necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject, (2) it must be authorised by Union or Member State law or by a collective agreement, which (3) provides for appropriate safeguards for the fundamental rights and the interests of the data subject. The DPA noted that there is no piece of national legislation which provides for such an authorisation.

Furthermore, the DPA did not uphold the controller’s argument regarding consent. The DPA recalled that, in an employment relationship, consent cannot be considered as a valid legal basis due to the unbalanced nature of this relationship. Therefore, the DPA stated that the processing of biometric data with the purpose of monitoring workplace attendance is forbidden and found a violation of Article 9(1) GDPR.

Secondly, the DPA pointed out that this processing also violated the principle of data minimisation provided for by Article 5(1)(c) GDPR. It held that the controller was unable to prove that this type of processing was necessary and proportionate, especially as there are less intrusive ways of registering attendance.

Thirdly, the DPA noted that the biometric data was stored until the employment contract was terminated. The DPA believed this period of time to be excessive and, therefore, found a violation of Article 5(1)(e) GDPR.

As for the privacy policy, the DPA held that it was incomplete and lacking the elements foreseen by Article 13 GDPR. Therefore, it found a violation of the principles of transparency and fairness as per Article 5(1)(a) GDPR.

Finally, as for the time management software, the DPA pointed out that, in this case too, the information provided to the data subjects was incomplete and that the controller did not demonstrate a valid legal basis for this processing.

On these grounds, the DPA issued a fine of €120,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10029500]

Provision of 6 June 2024

Register of measures
n. 338 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, n. 101, hereinafter “Code”);

GIVEN the complaint presented by Mr. XX pursuant to art. 77 of the Regulation, by which the unlawful processing of personal data by Cappello Giovanni & Figli s.r.l. was complained of;

EXAMINED the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

PREMISE

1. The complaint presented to the Authority and the investigative activity.

With the complaint presented on 05/10/2021 pursuant to art. 77 of the Regulation, Mr. XX, through his lawyer Avv. XX, complained of a violation of the regulations on the protection of personal data by the company Cappello Giovanni & Figli s.r.l. (hereinafter "the Company"), consisting of unlawful processing of the personal data of employees (workshop department operators) carried out by means of software called "Infinity DMS" and hardware called "X.-Face 380".

In particular, it was represented that, through the use of the "Infinity DMS" management software (installed at the production units in Modica and Ragusa), each employee is required, at the beginning of the working day, to record work performance and maintenance to be carried out, i.e. the times and methods of intervention on assigned vehicles undergoing repairs and the downtime with the specific reasons ("breaks", to indicate work breaks, "waiting for spare parts", "waiting for work" to indicate the waits due to work orders, "collection of external spare parts" to indicate downtime due to waiting for spare parts not in stock, and others). 

It was also represented that the X-Face 380 hardware, also present in both production units, had been installed to regulate access to the workplace through a facial recognition system.

The Authority, therefore, delegated the Privacy and Technological Fraud Protection Unit of the Financial Police to carry out inspections pursuant to art. 157 of the Code.

On 1 and 2 March 2022, inspections were carried out at the Company's registered office, located in Modica (RG), during which information was acquired relating to the use of the instruments being reported.

In particular, from the results of the inspections, it emerged that:

- the Company, which carries out car trading activities, has around 40 employees, employed at the two operating units of Modica and Ragusa. The processing carried out using the Infinity DMS and X-Face 380 instruments therefore involves all the employees employed at the two production units;

- both the Infinity DMS software and the X-Face 380 hardware were put into use by the Company "as work tools in order to improve the quality and efficiency of the activity carried out";

- the Company has drawn up the Register of processing activities pursuant to art. 30 of the Regulation, which reports all the processing activities carried out in relation to each purpose;

- with specific reference to the hardware ” (p. 3 of the minutes of 01/03/2022);

- the processing via the hardware began on 11/12/2018 and all employees were informed before its installation through specific information, prepared pursuant to art. 13 of the Regulation, and simultaneous acquisition of consent;

- as regards the technical characteristics of the hardware, it allows "facial recognition of employees when they enter and leave the company (...) and has the following functions: list of people present and printing of reports of hours of presence for each user" (p. 3 of the minutes of 02/03/2022);

- "the employee, after having read the information and signed the consent, is registered upon first access with the photo. (...) The employee's image can only be visible to him at the moment of detecting his presence" (p. 3 of the cited report);

- "the biometric data attributable to the mere facial recognition of the

- “Personal data are overwritten with a string of characters and once the defined retention period has expired they are permanently and irreversibly deleted” (p. 4 minutes cit.);

- with respect to the processing thus carried out, an impact assessment has been prepared pursuant to art. 35 of the Regulation which is updated periodically;

- with reference to the management system called Infinity DMS, this "is used for the management of the accounting, warehouse, workshop, new and used vehicle sales and CRM areas, it does not provide for remote control of the workers assigned to the workshop department and is a tool for work that all dealerships use" (p. 4 of the minutes of 01/03/2022);

- more precisely, it is an application provided by the Visual software company and made available to many Italian dealerships;

- the related processing began on 01/05/2013 and is profiled on the individual employee, in relation to the specific task carried out in the company;

- “each mechanic is provided with a bar code that allows marking on jobs. The start and end of activities are carried out independently by individual employees only in the workshop areas and for the individual activities carried out, the system does not carry out any checks on the activities carried out, but carries out a simple count of the time spent";

- "the request to carry out the marking also to indicate breaks, waiting for spare parts or workshop cleaning is part of a parametric mapping and at the discretion of the company which may or may not ask employees to use these reasons to declare the reason why a process was interrupted (...) otherwise customers would be charged for non-compliant hours and therefore non-compliant processing costs";

- every month a report is sent to the parent company containing aggregate data on the times used by the workshops for the work carried out;

- "this information allows us to analyze the performance of the workshop department and understand how many of the activities will be invoiced to customers, how many will remain the responsibility of the companies and, consequently, allows the owner to adjust the rates based on the overall costs (...) in addition to following and monitoring its economic efficiency";

- the information notice was prepared on 11/12/2018 and is provided to employees, who sign it for review at the same time as signing the employment contract.

With subsequent notes dated 06/30/2022 and 10/31/2022, the Company, in response to specific requests for information formulated pursuant to art. 157 of the Code (dated 05/30/2022 and 09/30/2022 respectively), provided further elements to supplement what was declared during the inspection. In particular, the Company represented that:

- “The cameras for biometric comparison are located in the Modica and Ragusa offices and can function exclusively with the active and conscious participation of the interested parties”;

- "the software does not record movements and, in any case, the cancellation procedures are carried out manually as indicated in the declaration of conformity". This document, produced in documents, specifies that "the models created for registration must be kept only until the purposes of the processing are achieved and must not be memorized or archived";

- with regard to the data collected by the Infinity DMS management system, these "are kept for up to 10 years from the date of termination of the contractual relationship. It is specified that the data collected are not used for purposes other than that of reporting the hours worked. It is also clarified that the reports allowed by Infinity DMS can be customized by worker, team, qualification and statistical category".

2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

Based on the elements collected during the preliminary investigation, the Office proceeded to notify the Company, on 01/31/2023, of the initiation of the sanctioning procedure pursuant to art. 166, paragraph 5, of the Code.

In particular, with reference to the processing of so-called special data carried out using the X-Face 380 hardware, the violation of Articles 5, par. 1, letter a), b) and f), 6, par. 1, letter a), 9, par. 2, letter b) and 13 of the Regulation was notified.

With reference to the processing of personal data carried out using the Infinity DMS software, the violation of Articles 5, par. 1, letter a), 6 and 13 of the Regulation was contested.

With the defense briefs, presented on 02/03/2023, the Company declared that:

- “the use of this hardware [Hardware x-face 380] was necessary as a result of the following events. First of all, the Covid-19 epidemic has forced almost all economic entities to equip themselves with thermometers capable of measuring the body temperature of those entering the premises. Secondly, the Cappello & Figli company, adapting to the recommendations of the parent company, has adopted these tools for data processing";

- "the Company (...), as Data Controller, has always acted by diligently respecting the rules of Regulation (EU) No. 2016/679; more specifically, the Data Controller has prepared an appropriate privacy information representing to the interested parties the characteristics of the processing. Consequently, the interested parties have given their explicit consent to the processing of personal data in accordance with the provisions of art. 9, letter a)” of the Regulation itself;

- furthermore, "the processing of so-called special data carried out using the 9, par. 2, letter b), of the aforementioned Reg. (EU)";

- “The use of the Infinity DMS software and the X-FACE 380 hardware occurred in compliance with the principles of “lawfulness, correctness and transparency”, “purpose limitation”, “minimisation”; furthermore, the data were "processed in such a way as to guarantee adequate security" of the same".

In requesting the dismissal of the proceedings, the Company reported a ruling from the Court of Cassation, according to which "the damage resulting from violation of the right to the protection of personal data does not exist in re ipsa, since the compensable damage is not identified with the mere violation of the right protected by the law, but rather with the prejudicial consequences caused by the violation itself, which must be alleged and demonstrated by the victim of the crime, reaching a threshold of serious and effective damage".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

Following the examination of the declarations made to the Authority during the procedure as well as the documentation acquired, it appears that the Company, as data controller, has carried out some processing operations, referring to its employees, which are not compliant with the regulations in force on the protection of personal data.

In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

3.1. Special data processing carried out using the X-face 380 hardware.

On the merits, following the preliminary investigation, it was ascertained that the Company has used a biometric system, based on facial recognition, starting from December 2018 and still ongoing.

During the investigation, however, the initial moment in which the activities of recording employee data by acquiring their photos began was not clarified.

The processing involved 40 interested parties, all employees of the Company employed at the two production units in Modica and Ragusa, who received the information pursuant to art. 13 of the Regulation and consent to the processing of data has been granted.

According to what was declared by the Company, the use of the biometric system is aimed at detecting the presence of employees on duty and was determined by the need to improve the quality and efficiency of the service.

Having said this, it is observed that, in provision no. 513 of 12/11/2014 (available on the Authority's website www.gpdp.it, web doc no. 3556992), the Guarantor clarified that the processing of biometric data takes place both in the registration phase (so-called enrolment), consisting in the acquisition of the biometric characteristics of the data subject (in this case, the facial characteristics), and in the biometric recognition phase carried out at the time of attendance recording (see points 6.1, 6.2 and 6.3 of Annex A to the aforementioned provision).

Based on the regulations on the protection of personal data, given that biometric data fall within the so-called special categories of data, it is noted that their processing is generally prohibited pursuant to art. 9, par. 1 of the Regulation, and is only permitted if one of the conditions indicated in paragraph 2 of the same article applies.

In particular, with regard to processing carried out in the workplace, the law provides that such processing is permitted only when it is "necessary to fulfill the obligations and exercise the specific rights of the data controller or the interested party in matters of labor law and social security and social protection, to the extent authorized by Union or Member State law or by a collective agreement under Member State law, in the presence of appropriate guarantees for the fundamental rights and interests of the data subject" (art. 9, par. 2, letter b) of the Regulation; see also art. 88, par. 1, and recitals 51-53 of the Regulation).

This means that, in order for processing involving biometric data to be lawfully carried out, it must be based on a regulatory provision that has the characteristics required by data protection regulations, also in terms of proportionality of the regulatory intervention with respect to the purposes that are intended to be pursued.

From this perspective, the art. 2-septies of the Code establishes that the processing of biometric data can be carried out in accordance with the guarantee measures established by the Guarantor in relation to each category of data, as well as in compliance with the conditions established by the aforementioned art. 9, par. 2, of the Regulation.

Therefore, to date, the current legislation does not allow the processing of employees' biometric data for the purposes of detecting their presence on duty. This was reiterated by the Guarantor with numerous provisions, the last of which were adopted on 02/22/2024 with which the Authority declared the unlawfulness of the processing carried out (measures no. 105, 106, 107 and 109, doc. web no. 9995785, 9995701, 9995680, 9995741).

It should also be taken into account that the employer, as data controller, is required in any case to observe the general principles regarding the processing of personal data, including the principles of lawfulness, correctness and transparency, the principle of minimization and the principle of purpose limitation (art. 5, par. 1, letter a), b), c) of the Regulation).

In this case, the declaration of conformity, acquired during the procedure and issued by the supplier of the facial recognition device, cannot eliminate the responsibility of the Company which, as data controller, should have verified the lawfulness of the processing to be carried out and compliance with the applicable principles, in light of the principle of accountability according to which "the data controller is competent for compliance with [the principles referred to in] paragraph 1 and is able to prove it" (art. 5, par. 2 of the Regulation).

Therefore, in light of the above reasons, it is noted that the use of biometric data for the detection of attendance on duty, without, among other things, having provided for an alternative system for verifying working hours, is contrary to the principles of minimization and proportionality referred to in art. 5, par. 1, letter c) of the Regulation. The law, in fact, requires that the data be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed".

During the proceedings, the Company did not produce any documentation that could demonstrate the necessity and proportionality of the processing carried out with respect to the purposes to be pursued, limiting itself to abstractly recalling the principles and provisions of the Regulation.

Also with regard to the retention of the data collected, it is noted that from the examination of the documentation produced (in particular, the Declaration of conformity issued by the XX company, annex 3 to the note dated 06/30/2022) as well as the declarations made during the inspection (operations report dated 02/03/2022, page 3), it appears that the biometric data referring to the employee are deleted by the Company only following the termination of the employment relationship.

This is in contrast with what was established by the Guarantor in the aforementioned provision of 12/11/2014, which provides that "the biometric samples used in the creation of the biometric model can only be processed during the registration and acquisition phases necessary for the biometric comparison, and must not be stored except for the time strictly necessary to generate the model itself" (see point 8.5 of Annex A).

This provision, although approved with reference to the previous legal framework, is still valid in its general lines and compliant with the principles and provisions of the Regulation.

Therefore, this processing does not comply with the principle of storage limitation referred to in art. 5, par. 1, letter e), of the Regulation which, on the contrary, requires that the data be kept for no longer than is necessary to achieve the purposes for which they were collected.

Among other things, contrary to what is believed by the Company, in the context of the employment relationship the consent expressed by the employees cannot be considered a suitable prerequisite of lawfulness, in light of the asymmetry between the respective parties of the employment relationship and the consequent, possible, need to ascertain from time to time and in concrete terms the actual freedom of the consent expressed (see provisions no. 16 of 01/14/2021 web doc. no. 9542071, no. 35 of 02/13/2020, web doc no. 9285411, no. 500 of 12/13/2018, web doc no.

It is, therefore, ascertained that the processing of the biometric data of employees was carried out by the Company in the absence of an appropriate legal basis, in violation of art. 9, par. 2, letter b), of the Regulation.

Furthermore, from the examination of the documentation acquired, it emerged that the information prepared by the Company is deficient and unsuitable for representing, in a complete manner, the main characteristics of the processing.

In the document produced in the documents, in fact, there is no reference not only, as mentioned, to the main characteristics of the processing, but also to the precautions adopted, to the mandatory or optional nature of the provision of the data, with respect to the purpose pursued, and to the possibility of using, as an alternative to the biometric system, the traditional badge-based system.

In this respect, it is noted that the Authority has reiterated on several occasions that the employer, in application of the principle of transparency, has the obligation to indicate to its employees and collaborators what are the essential characteristics of the data processing carried out in occasion of the employment relationship as well as the tools through which the processing is carried out, in accordance with what is specifically indicated in the art. 13 of the Regulation. This is also considering that, in the context of the employment relationship, the obligation to inform the employee is also an expression of the duty of correctness (art. 5, par. 1, letter a) of the Regulation).

In light of the above, it is ascertained that the Company has processed biometric data in violation of Articles 5, par. 1, letter a), c), e), 9, par. 2, letter b) and 13 of the Regulation.

3.2. Processing of personal data using the Infinity DMS software.

From the examination of the documentation acquired, it also emerged that the Company has been processing employees' personal data using management software since January 2018.

This tool, according to what was declared, would be "imposed" on the dealership by the parent company to which a report is sent monthly containing aggregate data on the times taken by the workshops for the work carried out.

In particular, from the investigations carried out on 1 and 2 March 2022, it was found that employees, through an individually assigned bar code, are required to record the various phases of work activity including breaks in the management system, with the indication of the specific reason (e.g. rest, waiting for spare parts, etc.).

The software also allows the collection and processing of personal data relating to the workshop's customers (to whom the information notice, acquired in the documents, is provided) and of information relating to the type of interventions carried out on the cars, the latter, as mentioned, entered by the employees.

The Company has prepared the register of processing activities pursuant to art. 30 of the Regulation, from the examination of which it was possible to deduce the main objectives pursued through the Infinity DMS management system, consisting in particular in the management of accounting and financial processes, in the preparation of estimates and in the execution of contracts in general.

However, it should be noted that, in response to repeated requests from the Authority to know in detail the essential characteristics of the management system used (see the requests made on 05/31/2022 and 09/30/2022), the Company provided very generic and evasive feedback, without allowing the Authority to have full knowledge of the processing carried out, to know the nature and type of data processed and the methods and times of data retention, and to evaluate its actual necessity and proportionality with respect to the purposes to be pursued.

Among other things, this information was not even brought to the attention of the employees, who were provided with information that was incomplete and unsuitable for fully representing the processing carried out.

In fact, in the information acquired in the documents, which refers to all the processing carried out by the Company, the same simply declares that "in carrying out the processing activities the Company undertakes to ensure the accuracy and updating of the data processed (…); process the personal data acquired in full compliance with the principle of correctness, lawfulness and transparency" (annex 2 to the minutes of 01/03/2022).

This is also considering that in the context of the employment relationship the obligation to inform the employee is an expression of the duty of correctness (art. 5, par. 1, letter a) of the Regulation).

Likewise, a suitable legal basis among those listed in art. 6 of the Regulation cannot be found in the documents produced, and primarily in the information notice.

In fact, the Company, even during the inspection, limited itself to declaring that "the evaluations that determined the purchase of the Infinity DMS software and the the quality standards of the company (...)” (page 4 of the report of operations carried out).

Therefore, following the assessments carried out on the basis of the declarations made and the documentation acquired, it emerges that the processing was carried out by the Company in violation of the principles of lawfulness, correctness and transparency referred to in Articles 5, par. 1, letter a), 6 and 13 of the Regulation.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the dismissal of this proceeding, as none of the cases provided for in art. 11 of the Guarantor Regulation n. 1/2019 applies.

The processing of personal data carried out by the Company and, in particular, the processing of personal and biometric data (facial recognition) relating to its employees for the purpose of recording attendance, is unlawful, in the terms set out above, in relation to Articles 5, par. 1, letter a), c), e), 9, par. 2, letter b) and 13 of the Regulation.

The processing of employees' personal data also occurred in violation of Articles 5, par. 1, letter a), 6 and 13 of the Regulation.

The violation ascertained within the terms set out in the justification cannot be considered "minor", taking into account the nature of the violation which concerned the general principles and conditions of lawfulness of the processing of particular data as well as the seriousness of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the circumstances of the specific case:

- the application of a pecuniary administrative sanction is ordered pursuant to art. 83 of the Regulation;

- the processing of employee biometric data is prohibited, pursuant to art. 58, par. 2, letter. f) of the Regulation;

- the Company is ordered to conform the data processing carried out using the Infinity DMS management software to the provisions and general principles regarding the processing of personal data.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings it appears that Cappello Giovanni & Figli s.r.l. carried out two separate processing operations in violation, respectively, of arts. 5, par. 1, letter a), c), e), 9, par. 2, letter b) and 13, and of arts. 5, par. 1, letter a), 6 and 13 of the Regulation.

For the violation of the aforementioned provisions, the pecuniary administrative sanction provided for by art. 83, par. 4, letter a) and par. 5, letter a) and b) of the Regulation applies, through the adoption of an injunction order (art. 18, Law no. 689 of 24.11.1981).

Paragraph 3 of art. 83 of the Regulation, which provides that "If, in relation to the same processing or linked processing operations, a data controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", is considered not to apply in the present case; the total amount of the sanction is therefore calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of the application of the pecuniary administrative sanction and the related quantification, taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is noted that, in this case, the following circumstances were considered:

a. in relation to the nature, severity and duration of the violation, the nature of the violation, which concerned the general principles and conditions of lawfulness of the processing and the processing of particular (biometric) data using facial recognition technology, was considered to the Company's disadvantage; the duration of the violation, which is still ongoing, was also considered to the Company's disadvantage;

b. with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company and its degree of responsibility were considered, given that it did not comply with the regulations on data protection in relation to a plurality of provisions;

c. the poor collaboration with the Supervisory Authority and the continuation of the processing even after the start of the procedure were taken into account.

It is also considered that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must comply with in determining the amount of the sanction (art. 83, par. 1, of the Regulation), the economic conditions of the offender are relevant in the specific case, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2022. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is considered appropriate, in this case, to apply against Cappello Giovanni & Figli s.r.l. the administrative sanction of the payment of a sum equal to 120,000.00 (one hundred and twenty thousand) euros.

In this framework, it is also believed, in consideration of the type of violations ascertained which concerned the general principles and conditions of lawfulness of the processing, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also considered that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

notes the unlawfulness of the processing carried out by Cappello Giovanni & Figli s.r.l., in the person of its legal representative pro tempore, with headquarters in Modica (RG), Via Sorda Samperi 128/A, C.F. 01238300881, for violations of arts. 5, par. 1, letter a), c), e), 9, par. 2, letter b) and 13 (relating to the processing of biometric data) and arts. 5, par. 1, letter a), 6 and 13 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, Cappello Giovanni & Figli s.r.l. to pay the sum of 120,000.00 (one hundred and twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

pursuant to art. 58, par. 2, letter d) of the Regulation, to conform the data processing carried out using the Infinity DMS management software to the provisions and general principles regarding the processing of personal data, within the terms set out in the reasoning, within 90 days from the date of notification of this provision;

pursuant to art. 58, par. 2, letter f), of the Regulation, the prohibition on processing employees' biometric data through the facial recognition system.

ENJOINS

the same Company to pay the aforementioned sum of 120,000.00 (one hundred and twenty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts pursuant to art. 27 of Law no. 689/1981.

It is noted that the offender remains entitled to settle the dispute by paying, according to the methods indicated in the annex, an amount equal to half of the sanction imposed, within the deadline set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 for the filing of the appeal, as indicated below (art. 166, paragraph 8, of the Code);

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Requests the Company to communicate which initiatives have been undertaken in order to implement the measures set out in this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by art. 83, par. 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 6 June 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei

 

SEE ALSO NEWSLETTER OF 26 JUNE 2024

 

[doc. web no. 10029500]

Provision of 6 June 2024

Register of measures
n. 338 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, n. 101, hereinafter “Code”);

GIVEN the complaint presented by Mr. XX pursuant to art. 77 of the Regulation with which the unlawful processing of personal data by Cappello Giovanni & fili s.r.l. was complained of.

EXAMINED the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER prof. Pasquale Stanzione;

PREMISE

1. The complaint presented to the Authority and the investigative activity.

With the complaint presented on 05/10/2021 pursuant to art. 77 of the Regulation, Mr. XX, through its lawyer Avv. XX, complained of a violation of the regulations regarding the protection of personal data by the company Cappello Giovanni & Figli s.r.l. (hereinafter "the Company"), consisting of an illicit processing of personal data of employees (workshop department operators) carried out by means of a software called "Infinity DMS" and a hardware called "X.-Face 380".

In particular, it was represented that, through the use of the "Infinity DMS" management software (installed at the production units in Modica and Ragusa), each employee is required, at the beginning of the working day, to record work performance and maintenance to be carried out, i.e. the times and methods of intervention on assigned vehicles undergoing repairs and the downtime with the specific reasons ("breaks", to indicate work breaks, "waiting for spare parts", "waiting for work" to indicate the waits due to work orders, "collection of external spare parts" to indicate downtime due to waiting for spare parts not in stock, and others). 

It was also represented that the X-Face 380 hardware, also present in both production units, had been installed to regulate access to the workplace through a facial recognition system.

The Authority, therefore, delegated the Privacy and Technological Fraud Protection Unit of the Financial Police to carry out inspections pursuant to art. 157 of the Code.

On 1 and 2 March 2022, inspections were carried out at the Company's registered office, located in Modica (RG), during which information was acquired relating to the use of the instruments being reported.

In particular, from the results of the inspections, it emerged that:

- the Company, which carries out car trading activities, has around 40 employees, employed at the two operating units of Modica and Ragusa. The treatment carried out using the Infinity DMS and X-Face 380 instruments therefore involves all the employees employed at the two production units;

- both the Infinity DMS software and the X-Face 380 hardware were put into use by the Company "as work tools in order to improve the quality and efficiency of the activity carried out";

- the company has drawn up the Register of treatments pursuant to art. 30 of the Regulation which reports all the processing activities carried out in relation to each purpose

- with specific reference to the hardware ” (p. 3 of the minutes of 01/03/2022);

- the processing via the hardware began on 11/12/2018 and all employees were informed before its installation through specific information, prepared pursuant to art. 13 of the Regulation, and simultaneous acquisition of consent;

- as regards the technical characteristics of the hardware, it allows "facial recognition of employees when they enter and leave the company (...) and has the following functions: list of people present and printing of reports of hours of presence for each user" (p. 3 of the minutes of 02/03/2022);

- "the employee, after having read the information and signed the consent, is registered upon first access with the photo. (...) The employee's image can only be visible to him at the moment of detecting his presence" (p. 3 of the cited report);

- "the biometric data attributable to the mere facial recognition of the

- “Personal data are overwritten with a string of characters and once the defined retention period has expired they are permanently and irreversibly deleted” (p. 4 minutes cit.);

- with respect to the processing thus carried out, an impact assessment has been prepared pursuant to art. 35 of the Regulation which is updated periodically;

- with reference to the management system called Infinity DMS, this "is used for the management of the accounting, warehouse, workshop, new and used vehicle sales and CRM areas, it does not provide for remote control of the workers assigned to the workshop department and is a tool for work that all dealerships use" (p. 4 of the minutes of 01/03/2022);

- more precisely, it is an application provided by the Visual software company and made available to many Italian dealerships;

- the related processing began on 01/05/2013 and is profiled on the individual employee, in relation to the specific task carried out in the company;

- “each mechanic is provided with a bar code that allows marking on jobs. The start and end of activities are carried out independently by individual employees only in the workshop areas and for the individual activities carried out, the system does not carry out any checks on the activities carried out, but carries out a simple count of the time spent";

- "the request to carry out the marking also to indicate breaks, waiting for spare parts or workshop cleaning is part of a parametric mapping and at the discretion of the company which may or may not ask employees to use these reasons to declare the reason why a process was interrupted ( ...) otherwise customers would be charged for non-compliant hours and therefore non-compliant processing costs";

- every month a report is sent to the parent company containing aggregate data on the times used by the workshops for the work carried out;

- "this information allows us to analyze the performance of the workshop department and understand how many of the activities will be invoiced to customers, how many will remain the responsibility of the companies and, consequently, allows the owner to adjust the rates based on the overall costs (...) in addition than to follow and monitor its economic efficiency”;

- the information was prepared on 11/12/2018 and is provided to employees who sign it for review at the same time as signing the employment contract.
With subsequent notes dated 06/30/2022 and 10/31/2022, the Company, in response to specific requests for information formulated pursuant to art. 157 of the Code (dated 05/30/2022 and 09/30/2022 respectively) provided further elements to integrate what was declared during the inspection. In particular, the Company represented that:

- “The cameras for biometric comparison are located in the Modica and Ragusa offices and can function exclusively with the active and conscious participation of the interested parties”;

- "the software does not record movements and, in any case, the cancellation procedures are carried out manually as indicated in the declaration of conformity". This document, produced in documents, specifies that "the models created for registration must be kept only until the purposes of the processing are achieved and must not be memorized or archived";

- with regard to the data collected by the Infinity DMS management system, these "are kept for up to 10 years from the date of termination of the contractual relationship. It is specified that the data collected are not used for purposes other than that of reporting the hours worked. It is also clarified that the reports allowed by Infinity DMS can be customized by worker, team, qualification and statistical category".

2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

Based on the elements collected during the preliminary investigation, the Office proceeded to notify the Company, on 01/31/2023, of the initiation of the sanctioning procedure pursuant to art. 166, paragraph 5, of the Code.

In particular, with reference to the processing of so-called data. details carried out using the X-Face 380 hardware, the violation of the articles has been notified. 5, par. 1, letter. a), b) and f), 6, par. 1, letter. a), 9, par. 2, letter. b) and 13 of the Regulation.

While, with reference to the processing of personal data carried out using the Infinity DMS software, the violation of the articles was contested. 5, par. 1, letter. a), 6 and 13 of the Regulation.

With the defense briefs, presented on 02/03/2023, the Company declared that:

- “the use of this hardware [Hardware x-face 380] was necessary as a result of the following events. First of all, the Covid-19 epidemic has forced almost all economic entities to equip themselves with thermometers capable of measuring the body temperature of those entering the premises. Secondly, the Cappello & Figli company, adapting to the recommendations of the parent company, has adopted these tools for data processing";

- "the Company (...), as Data Controller, has always acted by diligently respecting the rules of Regulation (EU) No. 2016/679; more specifically, the Data Controller has prepared an appropriate privacy information representing to the interested parties the characteristics of the processing. Consequently, the interested parties have given their explicit consent to the processing of personal data in accordance with the provisions of art. 9, letter a)” of the Regulation itself;

- furthermore, “the processing of so-called data. particulars carried out using the 9, par. 2, letter. b, of the aforementioned Reg. (EU)”;

- “The use of the Infinity DMS software and the X-FACE 380 hardware occurred in compliance with the principles of “lawfulness, correctness and transparency”, “purpose limitation”, “minimisation”; furthermore, the data were "processed in such a way as to guarantee adequate security" of the same".

In requesting the dismissal of the proceedings, the Company reported a ruling from the Court of Cassation, according to which "the damage resulting from violation of the right to the protection of personal data does not exist in re ipsa, since the compensable damage is not identified with the mere violation of the right protected by the law, but rather with the prejudicial consequences caused by the violation itself, which must be alleged and demonstrated by the victim of the crime, reaching a threshold of serious and effective damage".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

Following the examination of the declarations made to the Authority during the procedure as well as the documentation acquired, it appears that the Company, as owner, has carried out some processing operations, referring to its employees, which are not compliant with the regulations in force regarding the protection of personal data.

In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

3.1. Special data processing carried out using the X-face 380 hardware.

On the merits, following the preliminary investigation, it was ascertained that the Company has used a biometric system, based on facial recognition, starting from December 2018 and still ongoing.

During the investigation, however, the initial moment in which the activities of recording employee data by acquiring their photos began was not clarified.

The processing involved 40 interested parties, all employees of the Company employed at the two production units in Modica and Ragusa, who received the information pursuant to art. 13 of the Regulation and consent to the processing of data has been granted.

According to what was declared by the Company, the use of the biometric system is aimed at detecting the presence of employees on duty and was determined by the need to improve the quality and efficiency of the service.

Having said this, we observe how, in provision no. 513 of 12/11/2014 (available on the Authority's website www.gpdp.it, web doc no. 3556992), the Guarantor has clarified that the processing of biometric data takes place both in the registration phase (so-called enrolment), consisting in the acquisition of the biometric characteristics of the interested party (in this case, the facial characteristics), and in the biometric recognition phase to be carried out at the time of attendance recording (see points 6.1, 6.2 and 6.3 of Annex A to the aforementioned provision).

Based on the regulations on the protection of personal data, given that biometric data falls within the category of so-called. particular categories of data, it is noted that the related processing is generally prohibited pursuant to art. 9, par. 1 of the Regulation, while it is only permitted if one of the conditions indicated in paragraph 2 of the same article occurs.

In particular, with regard to processing carried out in the workplace, the law provides that such processing is permitted only when it is "necessary to fulfill the obligations and exercise the specific rights of the data controller or the interested party in matters of labor law and social security and social protection, to the extent authorized by Union or Member State law or by a collective agreement under Member State law, in the presence of appropriate guarantees for the fundamental rights and interests of the data subject" (art. 9, par. 2, letter b) of the Regulation; v. also: art. 88, par. 1) and cons. 51-53 of the Regulation).

This means that, in order for processing involving biometric data to be lawfully carried out, it must be based on a regulatory provision that has the characteristics required by data protection regulations, also in terms of proportionality of the intervention. regulatory with respect to the purposes that are intended to be pursued.

From this perspective, the art. 2-septies of the Code establishes that the processing of biometric data can be carried out in accordance with the guarantee measures established by the Guarantor in relation to each category of data, as well as in compliance with the conditions established by the aforementioned art. 9, par. 2, of the Regulation.

Therefore, to date, the current legislation does not allow the processing of employees' biometric data for the purposes of detecting their presence on duty. This was reiterated by the Guarantor with numerous provisions, the last of which were adopted on 02/22/2024 with which the Authority declared the unlawfulness of the processing carried out (measures no. 105, 106, 107 and 109, doc. web no. 9995785, 9995701, 9995680, 9995741).

It should also be taken into account that the employer, as data controller, is required in any case to observe the general principles regarding the processing of personal data, including the principles of lawfulness, correctness and transparency, the principle of minimization and the principle of purpose limitation (art. 5, par. 1, letter a), b), c) of the Regulation).

In this case, the declaration of conformity, acquired during the procedure and issued by the supplier of the facial recognition device, cannot eliminate the responsibility of the Company which, as data controller, should have verified the lawfulness of the processing to be carried out and compliance with the applicable principles, in light of the principle of accountability according to which "the data controller is competent for compliance with [the principles referred to in] paragraph 1 and is able to prove it" (art. 5, par. 2 of the Regulation).

Therefore, in light of the above reasons, it is noted that the use of biometric data for the detection of attendance on duty, without, among other things, having provided for an alternative system for verifying working hours, is contrary to the principles of minimization and proportionality referred to in art. 5, par. 1, letter. c) of the Regulation. The law, in fact, requires that the data be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed".

During the proceedings, the Company did not produce any documentation that could demonstrate the necessity and proportionality of the processing carried out with respect to the purposes to be pursued, limiting itself to abstractly recalling the principles and provisions of the Regulation.

Also with regard to the conservation of the data collected, it is noted that from the examination of the documentation produced (in particular, the Declaration of conformity made by the XX company, annex 3 to the note dated 06/30/2022) as well as the declarations made in the during the inspection (operations report dated 02/03/2022, page 3) it appears that the biometric data referring to the employee is deleted by the Company only following the termination of the employment relationship.

This is in contrast with what was established by the Guarantor in the aforementioned provision of 12/11/2014, which provides that "the biometric samples used in the creation of the biometric model can only be processed during the registration and acquisition phases necessary for the biometric comparison, and must not be stored except for the time strictly necessary to generate the model itself" (see point 8.5 of Annex A).

This provision, although approved with reference to the previous legal framework, is still valid in its general lines and compliant with the principles and provisions of the Regulation.

Therefore, this processing does not comply with the principle of limitation of conservation referred to in the art. 5, par. 1, letter. e), of the Regulation which, on the contrary, requires that the data be kept for a time no longer than the achievement of the purposes for which they were collected. 

Among other things, contrary to what is believed by the Company, in the context of the employment relationship the consent expressed by the employees cannot be considered a suitable prerequisite of lawfulness, this in light of the asymmetry between the respective parties of the employment relationship and the consequent , possible, need to ascertain from time to time and in concrete terms the actual freedom of express consent (see provisions no. 16 of 01/14/2021 web doc. no. 9542071, no. 35 of 02/13/2020, web doc no. 9285411, no. 500 of 12/13/2018, web doc.

It is, therefore, ascertained that the processing of biometric data of employees was carried out by the Company in the absence of an appropriate legal basis, in violation of the art. 9, par. 2, letter. b), of the Regulation.

Furthermore, from the examination of the documentation acquired, it emerged that the information prepared by the Company is deficient and unsuitable for representing, in a complete manner, the main characteristics of the processing.

In the document produced in the documents, in fact, there is no reference not only, as mentioned, to the main characteristics of the processing, but also to the precautions adopted, to the mandatory or optional nature of the provision of the data, with respect to the purpose pursued, and to the possibility of using, as an alternative to the biometric system, the traditional badge-based system.

In this respect, it is noted that the Authority has reiterated on several occasions that the employer, in application of the principle of transparency, has the obligation to indicate to its employees and collaborators what the essential characteristics of the data processing carried out in occasion of the employment relationship as well as the tools through which the processing is carried out, in accordance with what is specifically indicated in the art. 13 of the Regulation. This is also considering that, in the context of the employment relationship, the obligation to inform the employee is also an expression of the duty of correctness (art. 5, par. 1, letter a) of the Regulation).

In light of the above, it is ascertained that the Company has processed biometric data in violation of the articles. 5, par. 1, letter. a), c), e), 9, par. 2, letter. b) and 13 of the Regulation.

3.2. Processing of personal data using the Infinity DMS software.

From the examination of the documentation acquired, it also emerged that the Company has been processing employees' personal data using management software since January 2018.

This tool, according to what was declared, would be "imposed" on the dealership by the parent company to which a report is sent monthly containing aggregate data on the times taken by the workshops for the work carried out.

In particular, from the investigations carried out on 1 and 2 March 2022, it was found that employees, through an individually assigned bar code, are required to record the various phases of work activity including breaks in the management system, with the indication of the specific reason (e.g. rest, waiting for spare parts, etc.).

The software also allows you to collect and process personal data relating to the workshop's customers (to whom the information is provided, acquired in documents) and information relating to the type of interventions carried out on the cars, the latter, as mentioned, entered by the employees .

The Company has prepared the register of treatments, pursuant to art. 30 of the Regulation, from the examination of which it was possible to deduce the main objectives pursued, through the Infinity DMS management system, consisting in particular in the management of accounting and financial processes, in the preparation of estimates and in the execution of contracts in general.

However, it should be noted that, in response to repeated requests from the Authority to know in detail the essential characteristics of the management system used (see the requests made on 05/31/2022 and 09/30/2022), the Company provided feedback very generic and evasive without allowing the Authority to have full knowledge of the processing carried out, to know the nature and type of data processed, the methods and times of data retention, and to evaluate its actual necessity and proportionality with respect to the purposes to be to pursue.

Among other things, this information was not even brought to the attention of the employees, who were provided with information that was incomplete and unsuitable for fully representing the processing carried out.

In fact, in the information acquired in the documents, which refers to all the processing carried out by the Company, the same simply declares that "in carrying out the processing activities the Company undertakes to ensure the accuracy and updating of the data processed (…); process the personal data acquired in full compliance with the principle of correctness, lawfulness and transparency" (annex 2 to the minutes of 01/03/2022).

This is also considering that in the context of the employment relationship the obligation to inform the employee is an expression of the duty of correctness (art. 5, par. 1, letter a) of the Regulation).

Likewise, a suitable legal basis among those listed in the art. cannot be found in the documents produced in the documents, and primarily in the information. 6 of the Regulation.

In fact, the Company, even during the inspection, limited itself to declaring that "the evaluations that determined the purchase of the Infinity DMS software and the the quality standards of the company (...)” (page 4 of the report of operations carried out).

Therefore, following the assessments carried out on the basis of the declarations made and the documentation acquired, it emerges that the processing was carried out by the Company in violation of the principles of lawfulness, correctness and transparency referred to in the articles. 5, par. 1, letter. a), 6 and 13 of the Regulation.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority considers that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the proceedings and are therefore unsuitable to allow this proceeding to be dismissed, as none of the cases provided for by art. 11 of the Guarantor's Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company and, in particular, the processing of personal and biometric data (facial recognition) relating to its employees for the purpose of recording attendance, is unlawful, in the terms set out above, in relation to arts. 5, par. 1, letters a), c), e), 9, par. 2, letter b) and 13 of the Regulation.

The processing of employees' personal data also occurred in violation of arts. 5, par. 1, letter a), 6 and 13 of the Regulation.

The violation ascertained, within the terms set out in the reasoning, cannot be considered "minor", taking into account the nature of the violation, which concerned the general principles and the conditions of lawfulness of the processing of special categories of data, as well as the seriousness of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, in light of the circumstances of the specific case:

- the application of a pecuniary administrative sanction is ordered pursuant to art. 83 of the Regulation;

- the processing of employee biometric data is prohibited, pursuant to art. 58, par. 2, letter f) of the Regulation;

- the Company is ordered to bring the data processing carried out using the Infinity DMS management software into line with the provisions and general principles on the processing of personal data.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings it appears that Cappello Giovanni & Figli s.r.l. carried out two separate processing operations in violation, respectively, of arts. 5, par. 1, letters a), c), e), 9, par. 2, letter b), 13 and of arts. 5, par. 1, letter a), 6, 13 of the Regulation.

For the violations of the aforementioned provisions, the pecuniary administrative sanction provided for by art. 83, par. 4, letter a) and par. 5, letters a) and b) of the Regulation is applied, through the adoption of an injunction order (art. 18, Law no. 689 of 24 November 1981).

Since paragraph 3 of art. 83 of the Regulation, which provides that "if, in relation to the same processing or linked processing operations, a data controller [...] intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", is considered not to apply in the present case, the total amount of the sanction has been calculated so as not to exceed the statutory maximum envisaged by the same art. 83, par. 5.

With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of the application of the pecuniary administrative sanction and the related quantification, taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in this case, the following circumstances were considered:

a. in relation to the nature, severity and duration of the violation, the nature of the violation, which concerned the general principles and the conditions of lawfulness of the processing as well as the processing of special biometric data by means of facial recognition technology, was considered to the Company's disadvantage; the duration of the violation, which is still ongoing, was also considered to the Company's disadvantage;

b. with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, account was taken of the conduct of the Company and of its degree of responsibility, having failed to comply with the data protection rules in relation to a plurality of provisions;

c. the poor cooperation with the supervisory authority and the continuation of the processing even after the start of the proceedings were also taken into account.

It is also considered that, in the specific case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the sanction (art. 83, par. 1, of the Regulation), relevance attaches first of all to the economic conditions of the offender, determined on the basis of the revenue achieved by the Company as shown in the ordinary financial statements for the year 2022. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is considered appropriate, in this case, to apply to Cappello Giovanni & Figli s.r.l. the administrative sanction of payment of a sum equal to 120,000.00 (one hundred and twenty thousand) euros.

In this context, it is also considered, in view of the type of violations ascertained, which concerned the general principles and the conditions of lawfulness of the processing, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also considered that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing carried out by Cappello Giovanni & Figli s.r.l., in the person of its legal representative pro tempore, with registered office in Modica (RG), Via Sorda Samperi 128/A, tax code 01238300881, for violations of arts. 5, par. 1, letters a), c), e), 9, par. 2, letter b), 13 (relating to the processing of biometric data) and arts. 5, par. 1, letter a), 6, 13 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, Cappello Giovanni & Figli s.r.l. to pay the sum of 120,000.00 (one hundred and twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

pursuant to art. 58, par. 2, letter d) of the Regulation, the Company to bring the data processing carried out using the Infinity DMS management software into line with the provisions and general principles on the processing of personal data, in the terms set out in the reasoning, within 90 days from the date of notification of this provision;

pursuant to art. 58, par. 2, letter f), of the Regulation, the prohibition on processing employees' biometric data through the facial recognition system.

ENJOINS

the same Company to pay the aforementioned sum of 120,000.00 (one hundred and twenty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of Law no. 689/1981.

It is noted that the offender remains entitled to settle the dispute by paying, again according to the methods indicated in the annex, an amount equal to half of the sanction imposed, within the deadline set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for the filing of the appeal, as indicated below (art. 166, paragraph 8, of the Code);

DIRECTS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Requests the Company to communicate which initiatives have been undertaken in order to implement the provisions of this decision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by art. 83, par. 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, this provision may be challenged before the ordinary judicial authority, by an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 6 June 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei