Garante per la protezione dei dati personali (Italy) - 10112287

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 13 GDPR
Article 88 GDPR
Article 157 Italian Privacy Code
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 50,000 EUR
Parties: n/a
National Case Number/Name: 10112287
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: elu

The DPA fined an auto repair shop €50,000 due to their geolocation system in company cars, which allowed excessive data collection and monitoring of employees. The shop's privacy policies did not inform employees about the data processing.

English Summary

Facts

A data subject lodged a complaint with the DPA against the controller, an auto repair shop. The controller was their former employer, and the complaint concerned a geolocalisation system installed in the company cars assigned to them. The controller had installed this geolocalisation system without informing its employees.

The DPA started an investigation. When the platform was accessed to verify the safeguards in place in the system, it emerged that the company cars were traced on the map through their plate numbers, which were in turn linked with the name and surname of the employee driving that car.

Moreover, the DPA found that the data, namely name and surname, sometimes did not belong to the driver but rather to the employee to whom each car was assigned. Therefore, an employee could sometimes be driving the work car assigned to another employee. In addition, the investigation acquired documentation relating to the contract signed with another company for a geolocation system registered under “TIM Your Way”.

Thus, in light of the above, the DPA considered “TIM Your Way” the processor as per Article 28 GDPR.

Holding

Violation of Article 5(1)(a) and 13 GDPR

The DPA found that the controller's privacy policy was wholly inadequate to describe the data processing that took place while the geolocalisation system was in use.

Additionally, the privacy policy did not mention at all how the data processing through the geolocalisation system took place.

In particular, while the controller stated that the driver is identified by means of a satellite system that recognises the pseudonymised ID of the user through a company badge, the documentation acquired in the course of the investigation showed that the geolocation system in use allows the acquisition of location, telemetry and other data by means of on-board equipment fitted with a GSM/GPRS modem with a SIM card.

Thus, the lack of information regarding the processing entailed a violation of Article 5(1)(a) and 13 GDPR.

Violation of Article 5(1)(a), (c), (e) and 88 GDPR

The geolocalisation system used by the controller was installed to “protect the controller’s goods” for organizational and productivity purposes.

However, the controller’s system allowed data about the car to be gathered even when the car was off and when the driver was taking their break. This data is indiscriminately stored for a period of 180 days.

The collection of such detailed personal data makes continuous monitoring of employees' activities possible, in violation of the principle of data minimization laid out in Article 5(1)(c) GDPR.

Additionally, storing the data for such a prolonged time without any explanation violates Article 5(1)(c) and (e) GDPR.

The specific functionalities of the geolocation system do not comply with the specific guarantees set out in the authorisation issued by the local supervisory authority, in particular as regards the non-continuous tracking of the geolocated vehicle, the anonymisation of the data collected, and the adoption of technological solutions to prevent the possible processing of data that are extraneous, irrelevant or excessive in relation to the purposes pursued by the data controller. This amounts to a violation of Article 5(1)(a) GDPR.

Violation of Article 157 of the Privacy Code

Due to the controller's lack of cooperation, the DPA had to take the extraordinary step of requesting the intervention of the privacy enforcement section of the Financial Police.

Thus, the controller's lack of cooperation entailed a violation of Article 157 of the Italian Privacy Code, Legislative Decree No. 196/2003.

Fine

Due to the aforementioned violations, the DPA deemed it appropriate to impose a fine of €50,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

- SEE ALSO NEWSLETTER OF MARCH 21, 2025



[web doc. n. 10112287]

Provision of January 16, 2025

Register of provisions
n. 7 of January 16, 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councilor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING SEEN the complaint submitted by Mr. XX pursuant to art. 77 of the Regulation against Autotrasporti Cuccu Riccardo S.r.l. Unipersonale;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The initiation of the preliminary investigation following the submission of the complaint.

By complaint filed on 09/23/2024, Mr. XX complained of a violation of the regulations on the protection of personal data by Autotrasporti Cuccu Riccardo S.r.l. Unipersonale (hereinafter “the Company”), a former employer, representing that the latter had installed a geolocation system on the vehicle used, in the performance of work activities, without having previously provided him with the information referred to in art. 13 of the Regulation and without having activated the guarantee procedure referred to in art. 4 of Law no. 300/1970 (Workers' Statute).

The Company was invited to provide observations in relation to the facts that were the subject of the complaint, with the request for information formulated pursuant to art. 157 of the Code to which the same provided feedback, with a note dated 02/10/2022, with which it represented that:

- "The ITL of Cagliari-Oristano, at the request of the undersigned of 15 March 2021, authorized, with a provision of 19 May 2021, the installation and use of the satellite system on board company vehicles. Said provision, in particular, authorized the installation for the purposes indicated in the application and precisely for the protection of company assets, to guarantee safety at work and for organizational and production needs";

- “Autotrasporti Cuccu Riccardo s.r.l., having received authorization from the ITL, provided all employees with the information required by art. 13 of the Regulation. This information is still prominently displayed on the company notice board, which all company workers must access every day to acquire the documentation necessary to carry out the service (…). All drivers have read the information. At present, no so-called simplified information has been installed on individual vehicles”;

- “It should be noted that the company’s drivers are not authorized to use the vehicle outside of working hours. In fact, these are tractors with semi-trailers”;

- “The data recorded by the system are processed, in compliance with the provisions of art. 5 of EU Regulation 2016/679, in a lawful, transparent and correct manner to achieve the purposes set out above. Furthermore, the conditions of lawfulness set out in art. 6 of the aforementioned Regulation exist”;

- “taking into account the fact that the authorization to install satellite localization systems and equipment was requested mainly for the purposes of protecting company assets and protecting employees, also with reference to the organization of work, the geographical detection of the company vehicle is also active during breaks in the activity”;

- “The recorded data, moreover, are attributable to the individual employee only for the time in which the same performs the work activity. Upon termination of service, the personal card is removed, no data of the worker is recorded or saved”.

In light of the statements made and the documentation produced, it was deemed necessary to acquire further elements of evaluation, with respect to the processing of employees' personal data, carried out by means of the satellite detection system. Therefore, a further request for information was formulated, pursuant to art. 157 of the Code, which, although duly notified to the Company's certified email address, remained unanswered (note dated 03/25/2022).

Then, through the Privacy and Technological Fraud Protection Unit of the Guardia di Finanza, the act of initiation of the sanctioning procedure was notified, pursuant to art. 166, paragraph 5, of the Code, for the violation of art. 157 of the Code.

At the same time, the aforementioned Unit proceeded to collect the additional information requested, drawing up a specific report of operations carried out (drawn up on 21 and 22/06/2022), from which it emerged that:

- "the company has equipped itself with the WAY geolocation system provided by the TIM operator since May 2021. The reasons for using the geolocation system are for the protection of company assets, workplace safety needs and organizational and production needs. On 15 March 2021, the Company submitted an application for authorization to install and use satellite location systems and equipment to the Cagliari Labor Inspectorate", which issued the authorization provision on 19/05/2021;

- with regard to the lack of response to the request for information, “from a consultation with the lawyer (…) it was assessed that it was not necessary to respond, as it was a duplicate of the previous one, received on 11 January 2022, to which it had already sent responses”;

- “the Company avails itself of the collaboration of approximately 70 employees, 50 of whom are drivers. Normally, each is assigned the same vehicle (tractor). All vehicles are equipped with the WAY system”;

- “All drivers have been informed of the use of the WAY system and its functions, through a specific information notice posted on the notice board (…)”;

- “The system locates the company tractors when necessary, the data collected can be referred to the employee using them only while they are carrying out their work activity. The association occurs through the interfacing of the tachograph system supplied to the drivers and the WAY system. (…)”;

- "As stated in the authorization request (...) the detection/localization of the tractors is not live, but deferred by 3/5 minutes".

During the inspection, access was made to the web platform to verify the functionality of the system. It was found that "the map shows the positions of the vehicles, identified only by the license plate number. Among the system's functions, those relating to the association of the driver's name and surname with the vehicle used were highlighted. In fact, it was found that the driver's data detected by the system did not correspond to the actual driver but to the data of the employee to whom the vehicle was associated at the time of installation" (minutes of 06/22/2022).

Furthermore, the documentation relating to the contract signed with TIM concerning the rental of the geolocalization system called "TIM Your Way", dated 04/10/2021, was acquired.

With a subsequent communication dated 05/07/2022, the Company informed the Authority that it had purchased the window stickers containing the simplified information, to be placed on company vehicles and sent a copy of the designation as data controller pursuant to art. 29 of Legislative Decree 196/2003 (in the wording prior to the amendments introduced by Legislative Decree 101/2018) for the company WAY s.r.l., signed on 03/05/2021.

2. The investigation against WAY s.r.l., the company supplying the geolocation system.

In order to fully evaluate the methods of processing performed, an investigation was also started against WAY s.r.l., identified as the supplier of the geolocation service, as well as the data controller.

Based on the documentation sent by WAY s.r.l. on 24/10/2022 and the inspections carried out by the aforementioned Unit at the company's headquarters on 8 and 9 March 2023, it was found that:

- "TIM S.p.A. is the signatory of the contract with the Customer (in this case Autotrasporti Cuccu Riccardo S.r.l.) and therefore the Data Processor with respect to the Customer himself who is configured as the Data Controller. W.A.Y. S.r.l., as a supplier of TIM S.p.A., is appointed by the latter as Second Data Processor upon authorization of the Data Controller, as can be seen from the commercial documents signed by TIM S.p.A. and the Customer";

- the type of data processed includes, in addition to location data (vehicle position), telemetry data (speed, progressive km travelled), vehicle status data, tachograph data relating to the DIN (Driver Identification Number), messaging data interchangeable between the web platform and the on-board device and any additional information that the customer wishes to enter independently, such as the driver's name and driving licence number;

- “The system is designed to activate, upon request of the user, a specific additional function that allows the driver of the vehicle (so-called “Data Subject”) to deactivate the tracking device of the vehicle itself (so-called “privacy button”), currently not requested and therefore not implemented for the Customer in question. Furthermore, the Web platform allows the Data Controller to deactivate the tracking device of a vehicle, or other components of the service, independently via the Web platform interface or via request to the assistance service provided by the Second Data Controller. It should be noted that, also in this case, this option was not requested and therefore was not implemented for the Customer in question”;

- “The Web platform allows you to record, in specific fields of its input forms, the data relating to the Data Subject (by way of example: name, surname, driving license number, etc.)”.

3. The initiation of the procedure for the adoption of the Authority's corrective and sanctioning measures.

Following the examination of the declarations made and the documentation acquired as a whole, the Office notified the Company of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code (note of 06/16/2023), for the violation of arts. 5, par. 1, letters a), c), e), 13 and 88 of the Regulation.

On 07/14/2023, the Company sent its defensive briefs on the basis of art. 18 of Law no. 689/1981, with which it observed that:

- “The technical characteristics of the System do not allow the data collected through the geolocation system to be directly associated with the driver of the vehicle whose position is consulted through the System. In fact, although the System bears the wording “Driver”, the data entered therein do not relate to the actual driver of the vehicle, but rather to the collaborator to whom the vehicle is assigned for the purposes of entering the car into the System at the time of installation of the same. The assignee of the vehicle, as a rule, does not coincide with the driver of the same, since, given that the System requires the entry of a name, the Company has opted to enter the names of its collaborators in a completely random manner (…)”;

- “Given the absence in the System of any indication of personal data that would allow the direct identification of the drivers of company vehicles, such identification occurs only when specific events occur (for example, violations of the Highway Code, accidents, damage and/or theft of the vehicle – “Anomalous Events”). To this end, it is necessary for the Company to manually query a different database by entering the license plate number, as it has not activated the interface tool on its systems”;

- “Finally, it should be noted that the localization of vehicles does not occur live, but deferred by 3/5 minutes, and that access to the System is reserved only for (i) prior authentication via password by two employees of the Company authorized to process the data by contract and who have been given appropriate instructions, (ii) technical personnel responsible for maintenance and revision interventions, who have been provided with passwords that are not enabled to view the recorded images”;

- “the Authority also contested the adequacy of the information provided by the Company to employees pursuant to art. 13 GDPR, with reference to the processing of personal data carried out through the System. Specifically, it was highlighted that the information provided to employees through the information regarding the possibility of identifying the latter was incorrect, on the assumption that employees would not have been informed of the possibility of directly identifying the driver of the vehicle. This challenge, however, appears to be unfounded in light of what is set out in the preceding paragraph”;

- with regard to the contested discrepancy between the processing carried out and the content of the authorization issued by the ITL, “the Company believes that this challenge also arises from an incorrect understanding of the functioning of the System, and must therefore be considered unfounded”. In fact, with respect to the requirement that “vehicle speed data be processed anonymously or in ways that allow the data subject to be identified only when necessary (ITL authorization, paragraph 7), “the methods of use of the System already provide that the identification of the data subject, i.e. the association between the vehicle and the driver, occurs only if an Anomalous Event occurs and in compliance with the security measures and procedures provided for and [already] described”;

- “employees authorized to access the system containing the data directly identifying employees driving vehicles are given clear instructions regarding the conditions under which they can access such data, with the prohibition of connecting them to the data collected through the System”;

- “the System therefore does not allow the viewing of data that could be considered excessive with respect to the purposes pursued”.

With communication dated 11/10/2024, the Company waived the hearing initially requested pursuant to art. 18 of Law no. 689/1981.

4. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures pursuant to art. 58, par. 2, of the Regulation.

Following the examination of the statements made by the party during the proceedings, as well as the documentation acquired, it is established that the Company, as data controller, has entered into a contract with Tim S.p.a. for the rental supply of a GSM/GPRS device, to be installed on company vehicles (specifically 50 tractors with semi-trailers), with the consequent provision of web access credentials to the Tim IT platform.

The service, called Tim Your Way, is provided by Tim S.p.a. through the company WAY s.r.l., appointed as data controller by Tim S.p.a., in the name and on behalf of the data controller, pursuant to art. 28 of the Regulation.

With respect to the processing methods implemented through the geolocation system, there are profiles of non-compliance with the regulations on the protection of personal data.

In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

4.1. Violation of art. 5, par. 1, letter a) and 13 of the Regulation.

First of all, it should be noted that, with the act of initiation of the sanctioning procedure, it was highlighted that the information prepared by the Company (and made available to its employees by posting on the company notice board), was completely unsuitable to fully represent the processing carried out through the geolocation system.

Contrary to what was believed, in fact, the aspect relating to the direct identifiability of the drivers of geolocalized vehicles does not represent the only critical element detected, as on the contrary several elements of non-compliance with the regulations on personal data protection have emerged.

However, it is useful to clarify that, in light of the definition of “personal data” (“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”: art. 4, no. 1 of the Regulation), the association of the device with the license plate number of the vehicle, even if the driving of the vehicle is in fact entrusted to different drivers who take turns, allows the driver of the vehicle to be identified through the association with other information (for example, documents relating to shifts). (On the specific aspect, see provisions no. 396 of 06/28/2018, web doc. no. 9023246 and no. 247 of 05/24/2017, web doc. no. 6495708).

In this case, however, the Company has on several occasions highlighted that “as a rule, each [of the drivers] is assigned the same vehicle” and that “the data collected can be referred to the employee who uses it only while he is carrying out his work activity. The association occurs through the interfacing of the new generation tachograph system used with the personal tachograph card supplied to the drivers and the WAY system” (pages 3 and 4 of the minutes of 06/21/2022, as well as the note of 02/09/2022).

In contradiction to the above, the Company, in its defense briefs, instead stated that it had not activated the interface system and, therefore, that it had equipped itself with a database to be queried that allows the identity of the driver to be traced, only when anomalous events occurred, a circumstance that was not demonstrated in any way during the investigation or during the inspection.

Even the further argument put forward, according to which the insertion of a name into the system is a necessary condition for its correct functioning, did not have a documentary correspondence with the outcome of the investigation carried out at Way s.r.l. (documents of 24/10/2022).

In any case, regardless of the specific aspect of the direct identifiability of the drivers of geolocalized vehicles, the information contains numerous inconsistencies and typos that clearly reveal how it does not correspond to the treatments actually carried out. See, for example, the references to Astral S.p.A. as the subject from which the data are collected (point 2 of the information notice), to “supervision tasks of the company assets” and “access to the registration systems”, to data retention periods indicated in 18 without further specification (point 4), to the indication of the same Autotrasporti Cuccu Riccardo srl as “External Data Controller” (point 5).

Furthermore, it is added that the information notice does not fully represent the methods of processing carried out through the geolocalization system, including for example the circumstance that the data are collected continuously.

It is also stated that "the driver's identification takes place (...) through a satellite RFID system that recognises the user's pseudonymised ID via company badges", while it has been ascertained, from the examination of the documentation acquired during the investigation, that the geolocalisation system in use allows the acquisition of location, telemetry and other data "via on-board devices equipped with GSM/GPRS modems with SIM Card and GPS receiver" (contract signed with TIM and with Way relating to the Tim Your way service).

Considering that, in the context of the employment relationship, the obligation to inform the employee is an expression of the duty of correctness pursuant to art. 5, par. 1, letter a) of the Regulation, the unlawfulness of the processing carried out through the unsuitable information, in violation of art. 5, par. 1, letter a) and 13 of the Regulation, must be confirmed.

4.2. Violation of art. 5, par. 1, letters a), c) and e), and 88 of the Regulation.

In light of the findings of the investigation carried out, it emerged that the geolocation system in use at the Company was installed for the purposes of protecting company assets, safety at work and for organizational and production needs, as indicated in the authorization request addressed to the ITL of Cagliari-Oristano.

As was ascertained during the investigation, the actual operating methods of the technological system used allow the Company, through the web platform made available by Way s.r.l., to acquire information relating to the position of the vehicle, its status (i.e. whether on or off), telemetry and, indirectly, also the activity of the drivers.

Such information is acquired by the system continuously, albeit deferred by 3/5 minutes and also includes breaks in work activity; it is retained for a period of 180 days.

That said, it is noted that such processing methods are excessive and not proportionate to the declared purposes and aims, which can be legitimately pursued through the processing of more limited information.

In particular, the collection of detailed information (including the detection of the position even during the break from work) is suitable for carrying out continuous monitoring of the activity of employees in violation of the principle of data minimization (art. 5, par. 1., letter c) of the Regulation) which, instead, requires that the data collected are "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". Among other things, the Guarantor has often reiterated that the position of the vehicle should not normally be continuously monitored by the data controller, but only when this is necessary for the achievement of the legitimately pursued purposes (see provision no. 396 of 28/06/2018, web doc no. 9023246).

Likewise, the retention of collected data for an extended period of time (equal to 180 days) does not comply with the principles of minimization and limitation of storage (art. 5, par. 1, letters c) and e), of the Regulation).

Finally, it must be noted that the specific functions of the geolocalization system described above do not comply with the specific guarantees provided for by the authorization issued by the ITL of Cagliari Oristano on 19/05/2021, in particular with regard to the non-continuous detection of the geolocalized vehicle, the anonymization of the data collected, the adoption of technological solutions that prevent "any processing of data that is superfluous, irrelevant or exceeding the purposes pursued by the owner".

The processing was therefore carried out in breach of the provisions of the authorization provision and, therefore, is contrary to the principle of lawfulness of processing (art. 5, par. 1, letter a), of the Regulation) in relation to art. 114 of the Code and art. 88 of the Regulation.

In light of the above, the processing carried out is found to be unlawful, as it was carried out in violation of art. 5, par. 1, letters a), c) and e) and 88 of the Regulation and art. 114 of the Code.

4.3. Violation of art. 157 of the Code.

It must also be taken into account that, in response to the request for information formulated by the Authority pursuant to art. 157 of the Code (note dated 05/25/2022), no response was received within the terms indicated, despite the request having been duly notified to the Company's certified email address.

The Company, also informed of the consequences deriving from the lack of response, knowingly failed to provide the additional information, which had been formulated for the purposes of the overall assessment of the matter which was the subject of the complaint. As, in fact, the same declared during the inspection, it considered it unnecessary to respond to the Authority's invitation.

This conduct made it necessary to conduct additional investigations that were delegated to the Guardia di Finanza's Privacy Protection Unit.

Considering that the arguments put forward are not suitable to exclude the Company's liability, the violation of art. 157 of the Code must be confirmed.

5. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, paragraph 2, of the Regulation.

For the above reasons, the Authority believes that the declarations made by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome and that they are therefore unsuitable to allow the archiving of this proceeding, since, moreover, with reference to these profiles, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 applies.

The processing of personal data carried out by Autotrasporti Cuccu Riccardo S.r.l. is unlawful, in the terms set out above, as it was carried out in violation of Articles 5, paragraph 1, letter a), c), e), 13, 88 of the Regulation, 114 and 157 of the Code.

Given the corrective powers attributed by Article 58, paragraph 2, of the Regulation, in light of the circumstances of the specific case, it is deemed necessary to prescribe the following corrective measures:

- prepare a suitable information notice to fully represent the processing carried out using the geolocalization system;

- conform the processing to the guarantees prescribed with the authorization provision of the ITL of Cagliari Oristano, taking into account the principles of minimization and limitation of data retention in relation to the specific purposes to be pursued.

Finally, it is believed that the conditions set out in Article 58, paragraph 2, of the Regulation are met. 17 of the Regulation of the Guarantor no. 1/2019.

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Autotrasporti Cuccu Riccardo S.r.l. has violated arts. 5, par. 1, letters a), c) and e), 13, 88 of the Regulation, 114 and 157 of the Code. For the violation of the aforementioned provisions, the application of the administrative pecuniary sanction provided for by art. 83 of the Regulation is envisaged.

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by Autotrasporti Cuccu Riccardo S.r.l. which has been found to be unlawful, in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation which provides that "If, in relation to the same processing or connected processing, a data controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2, of the Regulation for the purposes of applying the administrative pecuniary sanction and the related quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in the case in question, the following circumstances were considered:

a) in relation to the nature and gravity of the violation, the nature of the violation that concerned the general principles and obligations of the data controller was considered relevant; in relation to the duration of the violation, it was considered that the processing began in 2021 and is still ongoing; it was also considered that the processing concerned, in addition to the complainant, also other interested parties attributable to the vehicles subject to geolocalization (approximately 50);

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the data controller, account was taken of the conduct of the Company and of its degree of responsibility, as it did not comply with the data protection regulations in relation to a plurality of provisions, including those concerning the general principles of processing;

c) the absence of previous relevant violations was considered favourably.

It is also believed that in this case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (art. 83, par. 1, of the Regulation), first of all the economic conditions of the offender, determined on the basis of the turnover of the Company, as per the financial statements for the year 2023, are relevant. Lastly, the amount of sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments made, it is considered appropriate, in this case, to apply to Autotrasporti Cuccu Riccardo s.r.l. the administrative sanction of the payment of a sum equal to Euro 50,000.00 (fifty thousand). In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This is in consideration of the conduct particularly detrimental to the rights of the interested parties, which occurred in violation of the general principles regarding the protection of personal data.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f), of the Regulation, notes the unlawfulness of the processing carried out by Autotrasporti Cuccu Riccardo s.r.l. in the person of its legal representative pro tempore, with registered office in Elmas (CA), Via delle Miniere n. 22 P.I. 02661390928, for the violation of art. 5, par. 1, letter a), c), e), 13, 88 of the Regulation, 114 and 157 of the Code;

pursuant to art. 58, par. 2, letter d), of the Regulation, requires the Company to comply, within 60 days from the date of notification of this provision, with the provisions set out in par. 5 of this decision, while at the same time requesting to provide, within the aforementioned deadline, an adequately motivated response pursuant to art. 157 of the Code; any failure to provide such response may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, letter e) of the Regulation; 

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation to the same Company to pay the sum of Euro 50,000.00 (fifty thousand) as an administrative pecuniary sanction for the violations indicated in this provision; 

ORDERS

therefore to the same Company to pay the aforementioned sum of Euro 50,000.00 (fifty thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981.

Pursuant to art. 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the deadline set by art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for the filing of the appeal, as indicated below.

ORDERS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Guarantor;

pursuant to art. 17 of Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 16 January 2025

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei

- SEE ALSO NEWSLETTER OF 21 MARCH 2025

 

[web doc. n. 10112287]

Measure of 16 January 2025

Register of measures
n. 7 of 16 January 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councilor Fabio Mattei, general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018, hereinafter the “Code”);

HAVING SEEN the complaint submitted by Mr. XX pursuant to art. 77 of the Regulation against Autotrasporti Cuccu Riccardo S.r.l. Unipersonale;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The initiation of the preliminary investigation following the submission of the complaint.

With a complaint filed on 09/23/2024, Mr. XX complained of a violation of the regulations on the protection of personal data by Autotrasporti Cuccu Riccardo S.r.l. Unipersonale (hereinafter “the Company”), his former employer, stating that the latter had installed a geolocation system on the vehicle used, in the performance of his work, without having previously provided him with the information referred to in art. 13 of the Regulation and without having activated the guarantee procedure referred to in art. 4 of Law no. 300/1970 (Workers' Statute).

The Company was invited to provide observations on the facts that were the subject of the complaint, with the request for information formulated pursuant to art. 157 of the Code to which the same provided feedback, with a note dated 02/10/2022, with which it represented that:

- "The ITL of Cagliari-Oristano, at the request of the undersigned of 15 March 2021, authorized, with a provision of 19 May 2021, the installation and use of the satellite system on board company vehicles. Said provision, in particular, authorized the installation for the purposes indicated in the application and precisely for the protection of company assets, to guarantee safety at work and for organizational and production needs";

- “Autotrasporti Cuccu Riccardo s.r.l., having received authorization from the ITL, provided all employees with the information required by art. 13 of the Regulation. This information is still prominently displayed on the company notice board, which all company workers must access every day to acquire the documentation necessary to carry out the service (…). All drivers have read the information. At present, no so-called simplified information has been installed on individual vehicles”;

- “It should be noted that the company’s drivers are not authorized to use the vehicle outside of working hours. In fact, these are tractors with semi-trailers”;

- “The data recorded by the system are processed, in compliance with the provisions of art. 5 of EU Regulation 2016/679, in a lawful, transparent and correct manner to achieve the purposes set out above. Furthermore, the conditions of lawfulness set out in art. 6 of the aforementioned Regulation exist”;

- “taking into account the fact that the authorization to install satellite localization systems and equipment was requested mainly for the purposes of protecting company assets and protecting employees, also with reference to the organization of work, the geographical detection of the company vehicle is also active during breaks in the activity”;

- “The recorded data, moreover, are attributable to the individual employee only for the time in which the same performs the work activity. Upon termination of service, the personal card is removed, no data of the worker is recorded or saved”.

In light of the statements made and the documentation produced, it was deemed necessary to acquire further elements of evaluation, with respect to the processing of employees' personal data, carried out by means of the satellite detection system. Therefore, a further request for information was formulated, pursuant to art. 157 of the Code, which, although duly notified to the Company's certified email address, remained unanswered (note dated 03/25/2022).

Then, through the Privacy and Technological Fraud Protection Unit of the Guardia di Finanza, the act of initiation of the sanctioning procedure was notified, pursuant to art. 166, paragraph 5, of the Code, for the violation of art. 157 of the Code.

At the same time, the aforementioned Unit proceeded to collect the additional information requested, drawing up a specific report of operations carried out (drawn up on 21 and 22/06/2022), from which it emerged that:

- "the company has equipped itself with the WAY geolocation system provided by the TIM operator since May 2021. The reasons for using the geolocation system are for the protection of company assets, workplace safety needs and organizational and production needs. On 15 March 2021, the Company submitted an application for authorization to install and use satellite location systems and equipment to the Cagliari Labor Inspectorate", which issued the authorization provision on 19/05/2021;

- with regard to the lack of response to the request for information, “from a consultation with the lawyer (…) it was assessed that it was not necessary to respond, as it was a duplicate of the previous one, received on 11 January 2022, to which it had already sent responses”;

- “the Company avails itself of the collaboration of approximately 70 employees, 50 of whom are drivers. Normally, each is assigned the same vehicle (tractor). All vehicles are equipped with the WAY system”;

- “All drivers have been informed of the use of the WAY system and its functions, through a specific information notice posted on the notice board (…)”;

- “The system locates the company tractors when necessary, the data collected can be referred to the employee using them only while they are carrying out their work activity. The association occurs through the interfacing of the tachograph system supplied to the drivers and the WAY system. (…)”;

- "As stated in the authorization request (...) the detection/localization of the tractors is not live, but deferred by 3/5 minutes".

During the inspection, access was made to the web platform to verify the functionality of the system. It was found that "the map shows the positions of the vehicles, identified only by the license plate number. Among the system's functions, those relating to the association of the driver's name and surname with the vehicle used were highlighted. In fact, it was found that the driver's data detected by the system did not correspond to the actual driver but to the data of the employee to whom the vehicle was associated at the time of installation" (minutes of 06/22/2022).

Furthermore, the documentation relating to the contract signed with TIM concerning the rental of the geolocation system called “TIM Your Way”, dated 04/10/2021, was acquired.

With a subsequent communication dated 07/05/2022, the Company informed the Authority that it had purchased the window stickers bearing the simplified information, to be placed on company vehicles, and sent a copy of the designation as data processor pursuant to art. 29 of Legislative Decree 196/2003 (in the wording prior to the amendments introduced by Legislative Decree 101/2018) for the company WAY s.r.l., signed on 05/03/2021.

2. The investigation against WAY s.r.l., the company supplying the geolocation system.

In order to fully evaluate the processing methods in use, an investigation was also started against WAY s.r.l., identified as the provider of the geolocation service, as well as the processor of the personal data.

On the basis of the documentation transmitted by WAY s.r.l. on 24/10/2022 and from the inspections carried out by the aforementioned Unit at the company headquarters on 8 and 9 March 2023, it was found that:

- “TIM S.p.A. is the signatory of the contract with the Customer (in this case Autotrasporti Cuccu Riccardo S.r.l.) and therefore the Data Processor with respect to the Customer himself who is configured as the Data Controller. W.A.Y. S.r.l., as a supplier of TIM S.p.A., is appointed by the latter as Second Data Processor upon authorization of the Data Controller, as can be seen from the commercial documents signed by TIM S.p.A. and the Customer”;

- the type of data processed includes, in addition to location data (vehicle position), telemetry data (speed, progressive km travelled), vehicle status data, tachograph data relating to the DIN (Driver Identification Number), messaging data interchangeable between the web platform and the on-board device and any additional information that the customer wishes to enter independently, such as the driver's name and driving licence number;

- “The system is designed to activate, upon request of the user, a specific additional function that allows the driver of the vehicle (so-called “Data Subject”) to deactivate the tracking device of the vehicle itself (so-called “privacy button”), currently not requested and therefore not implemented for the Customer in question. Furthermore, the Web platform allows the Data Controller to deactivate the tracking device of a vehicle, or other components of the service, independently via the Web platform interface or via request to the assistance service provided by the Second Data Controller. It should be noted that, also in this case, this option was not requested and therefore was not implemented for the Customer in question”;

- “The Web platform allows you to record, in specific fields of its input forms, the data relating to the Data Subject (for example: name, surname, driving license number, etc.)”.

3. The initiation of the procedure for the adoption of corrective and sanctioning measures by the Authority.

Following the examination of the declarations made and the documentation acquired as a whole, the Office notified the Company of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code (note of 06/16/2023), for the violation of arts. 5, paragraph 1, letters a), c), e), 13 and 88 of the Regulation.

On 07/14/2023, the Company sent its defensive briefs on the basis of art. 18 of Law no. 689/1981, with which it observed that:

- “The technical characteristics of the System do not allow the data collected through the geolocation system to be directly associated with the driver of the vehicle whose position is consulted through the System. In fact, although the System bears the wording “Driver”, the data entered therein do not relate to the actual driver of the vehicle, but rather to the collaborator to whom the vehicle is assigned for the purposes of entering the car into the System at the time of installation of the same. The assignee of the vehicle, as a rule, does not coincide with the driver of the same, since, since the System requires the entry of a name, the Company has opted to enter the names of its collaborators in a completely random manner (…)”;

- “Given the absence in the System of any indication of personal data that would allow the direct identification of the drivers of company vehicles, such identification occurs only when specific events occur (for example, violations of the Highway Code, accidents, damage and/or theft of the vehicle – “Anomalous Events”). To this end, it is necessary for the Company to manually query a different database by entering the license plate number, as it has not activated the interface tool on its systems”;

- “Finally, it should be noted that the localization of vehicles does not occur live, but deferred by 3/5 minutes, and that access to the System is reserved only for (i) prior authentication via password by two employees of the Company authorized to process the data by contract and who have been given appropriate instructions, (ii) technical personnel responsible for maintenance and revision interventions, who have been provided with passwords that are not enabled to view the recorded images”;

- “the Authority also contested the adequacy of the information provided by the Company to employees pursuant to art. 13 GDPR, with reference to the processing of personal data carried out through the System. Specifically, it was highlighted that the information provided to employees through the information regarding the possibility of identifying the latter was incorrect, on the assumption that employees would not have been informed of the possibility of directly identifying the driver of the vehicle. This challenge, however, appears to be unfounded in light of what is set out in the preceding paragraph”;

- with regard to the contested discrepancy between the processing carried out and the content of the authorization issued by the ITL, “the Company believes that this challenge also arises from an incorrect understanding of the functioning of the System, and must therefore be considered unfounded”. In fact, with respect to the requirement that “vehicle speed data be processed anonymously or in ways that allow the data subject to be identified only when necessary” (ITL authorization, paragraph 7), “the methods of use of the System already provide that the identification of the data subject, i.e. the association between the vehicle and the driver, occurs only if an Anomalous Event occurs and in compliance with the security measures and procedures provided for and [already] described”;

- “employees authorized to access the system containing the data directly identifying employees driving vehicles are given clear instructions regarding the conditions under which they can access such data, with the prohibition of connecting them to the data collected through the System”;

- “the System therefore does not allow the viewing of data that could be considered excessive with respect to the purposes pursued”.

With communication dated 11/10/2024, the Company waived the hearing initially requested pursuant to art. 18 of Law no. 689/1981.

4. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures pursuant to art. 58, par. 2, of the Regulation.

Following the examination of the statements made by the party during the proceedings, as well as the documentation acquired, it is established that the Company, as data controller, has entered into a contract with Tim S.p.a. for the rental supply of a GSM/GPRS device, to be installed on company vehicles (specifically 50 tractors with semi-trailers), with the consequent provision of web access credentials to the Tim IT platform.

The service, called Tim Your Way, is provided by Tim S.p.a. through the company WAY s.r.l., appointed as data processor by Tim S.p.a., in the name and on behalf of the data controller, pursuant to art. 28 of the Regulation.

With respect to the processing methods implemented through the geolocation system, there are profiles of non-compliance with the regulations on the protection of personal data.

In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

4.1. Violation of art. 5, par. 1, letter a) and 13 of the Regulation.

First of all, it should be noted that, with the act of initiation of the sanctioning procedure, it was highlighted that the information prepared by the Company (and made available to its employees by posting on the company notice board), was completely unsuitable to fully represent the processing carried out through the geolocation system.

Contrary to what was believed, in fact, the aspect relating to the direct identifiability of the drivers of geolocalized vehicles does not represent the only critical element detected, as on the contrary several elements of non-compliance with the regulations on personal data protection have emerged.

However, it is useful to clarify that, in light of the definition of “personal data” (“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”: art. 4, no. 1 of the Regulation), the association of the device with the license plate number of the vehicle, even if the driving of the vehicle is in fact entrusted to different drivers who take turns, allows the driver of the vehicle to be identified through the association with other information (for example, documents relating to shifts). (On the specific aspect, see provisions no. 396 of 06/28/2018, web doc. no. 9023246 and no. 247 of 05/24/2017, web doc. no. 6495708).

In this case, however, the Company has on several occasions highlighted that "usually each [of the drivers] is assigned the same vehicle" and that "the data collected can be referred to the employee using the vehicle only while he is carrying out his work activity. The association occurs through the interfacing of the new generation tachograph system used with the personal tachograph card supplied to the drivers and the WAY system" (pages 3 and 4 of the minutes of 06/21/2022, as well as the note of 02/09/2022).

In contradiction to what was reported above, the Company, in its defense briefs, instead declared that it had not activated the interfacing system and, therefore, that it had equipped itself with a database to be queried that allows the identity of the driver to be traced only when anomalous events occur, a circumstance that was not demonstrated in any way during the investigation or during the inspection.

Even the further argument put forward, according to which the insertion of a name into the system is a necessary condition for its correct functioning, did not have a documentary correspondence to the outcome of the investigation carried out at Way s.r.l. (documents of 24/10/2022).

In any case, regardless of the specific aspect of the direct identifiability of the drivers of geolocalized vehicles, the information contains numerous inconsistencies and typos that clearly reveal how it does not correspond to the processing actually carried out. See, for example, the references to Astral S.p.A. as the entity from which the data is collected (point 2 of the information), to "supervision duties of the company assets" and "access to registration systems", to data retention periods indicated in 18 without further specification (point 4), to the indication of the same Autotrasporti Cuccu Riccardo srl as "External Data Controller" (point 5).

It is also added that the information does not fully represent the methods of processing carried out through the geolocation system, including for example the circumstance that the data are collected continuously.

It is also stated that "the identification of the driver occurs (...) through a satellite RFID system that recognizes the pseudonymized ID of the user through company badges", while it is ascertained, from the examination of the documentation acquired during the investigation, that the geolocation system in use allows the acquisition of location, telemetry and other data "through on-board devices equipped with GSM/GPRS modems equipped with SIM Card and GPS receiver" (contract signed with TIM and with Way relating to the Tim Your way service).

Considering that, in the context of the employment relationship, the obligation to inform the employee is an expression of the duty of correctness pursuant to art. 5, par. 1, lett. a) of the Regulation, the unlawfulness of the processing carried out through the unsuitable information must be confirmed, in violation of Articles 5, par. 1, letter a) and 13 of the Regulation. 

4.2. Violation of Article 5, par. 1, letter a), c) and e), and 88 of the Regulation.

In light of the findings of the investigation carried out, it emerged that the geolocation system in use at the Company was installed for the purposes of protecting company assets, safety at work and for organizational and production needs, as indicated in the authorization request addressed to the ITL of Cagliari-Oristano.

As was ascertained during the investigation, the actual operating methods of the technological system used allow the Company, through the web platform made available by Way s.r.l., to acquire information relating to the position of the vehicle, its status (i.e. whether on or off), telemetry and, indirectly, also the activity of the drivers.

This information is acquired by the system continuously, albeit deferred by 3/5 minutes and also includes breaks in work activity; it is stored for a period of 180 days.

That said, it is noted that these processing methods are excessive and not proportionate to the declared purposes and aims, which can be legitimately pursued by processing more limited information.

In particular, the collection of detailed information (including the detection of the position even during the break in work activity) is suitable for carrying out continuous monitoring of the activity of employees in violation of the principle of data minimization (art. 5, par. 1., letter c) of the Regulation) which, instead, requires that the data collected are "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". Moreover, the Guarantor has often reiterated that the position of the vehicle should not be continuously monitored by the data controller, but only when this is necessary to achieve the legitimately pursued purposes (see provision no. 396 of 28/06/2018, web doc no. 9023246).

Similarly, the retention of collected data for an extended period of time (equal to 180 days) does not comply with the principles of minimization and limitation of storage (art. 5, par. 1, letters c) and e), of the Regulation).

Finally, it must be noted that the specific functions of the geolocalization system described above do not comply with the specific guarantees provided for by the authorization issued by the ITL of Cagliari Oristano on 19/05/2021, in particular with regard to the non-continuous detection of the geolocalized vehicle, the anonymization of the data collected, the adoption of technological solutions that prevent "any processing of data that is superfluous, irrelevant or exceeding the purposes pursued by the owner".

The processing was therefore carried out in breach of the provisions of the authorization provision and, therefore, is contrary to the principle of lawfulness of processing (art. 5, par. 1, letter a), of the Regulation) in relation to art. 114 of the Code and art. 88 of the Regulation.

In light of the above, the processing carried out is found to be unlawful, as it was carried out in violation of arts. 5, par. 1, letters a), c) and e), and 88 of the Regulation and art. 114 of the Code.

4.3. Violation of art. 157 of the Code.

It must also be taken into account that, in response to the request for information formulated by the Authority pursuant to art. 157 of the Code (note dated 05/25/2022), no response was received within the indicated terms, despite the request having been duly notified to the Company's certified email address.

The Company, also informed of the consequences deriving from the lack of response, knowingly failed to provide the additional information, which had been formulated for the purposes of the overall assessment of the matter which was the subject of the complaint. As, in fact, the Company itself declared during the inspection, it considered it unnecessary to respond to the Authority's invitation.

This conduct made it necessary to carry out additional investigations which were delegated to the Privacy Protection Unit of the Guardia di Finanza.

Considering that the arguments put forward are not suitable to exclude the liability of the Company, the violation of art. 157 of the Code must be confirmed.

5. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority believes that the declarations made by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and that they are therefore unsuitable to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 applies with reference to these profiles.

The processing of personal data carried out by Autotrasporti Cuccu Riccardo S.r.l. is unlawful, in the terms set out above, as it was carried out in violation of arts. 5, par. 1, letters a), c), e), 13, 88 of the Regulation, 114 and 157 of the Code.

Given the corrective powers attributed by art. 58, par. 2, of the Regulation, in light of the circumstances of the specific case, it is deemed necessary to prescribe the following corrective measures:

- prepare an information notice suitable to fully represent the processing carried out through the geolocalization system;

- conform the processing to the guarantees prescribed with the authorization provision of the ITL of Cagliari Oristano, taking into account the principles of minimization and limitation of data retention in relation to the specific purposes to be pursued.

Finally, it is believed that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Autotrasporti Cuccu Riccardo S.r.l. has violated articles 5, par. 1, letters a), c) and e), 13, 88 of the Regulation, 114 and 157 of the Code. The violation of the aforementioned provisions is subject to the administrative pecuniary sanction provided for by article 83 of the Regulation.

The Guarantor, pursuant to article 58, par. 2, letter i) of the Regulation and article 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by article 83 of the Regulation, by adopting an injunction order (art. 18, Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by Autotrasporti Cuccu Riccardo S.r.l. which has been found to be unlawful, in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation which provides that "If, in relation to the same processing or connected processing, a data controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2, of the Regulation for the purposes of applying the administrative pecuniary sanction and the related quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in the specific case, the following circumstances were considered:

a) in relation to the nature and gravity of the violation, the nature of the violation that concerned the general principles and obligations of the data controller was considered relevant; in relation to the duration of the violation, it was considered that the processing started in 2021 and is still ongoing; it was also considered that the processing concerned, in addition to the complainant, also other interested parties attributable to the vehicles subject to geolocalization (approximately 50);

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the data controller, the conduct of the Company and its degree of responsibility were taken into consideration, since it did not comply with the data protection regulations in relation to a plurality of provisions, including those concerning the general principles of processing;

c) the absence of previous relevant violations was considered favourably.

It is also believed that in this case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (art. 83, par. 1, of the Regulation), first of all the economic conditions of the offender, determined on the basis of the turnover of the Company, as per the financial statements for the year 2023, are relevant. Lastly, the amount of sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments made, it is deemed appropriate, in this case, to apply to Autotrasporti Cuccu Riccardo s.r.l. the administrative sanction of the payment of a sum equal to Euro 50,000.00 (fifty thousand).

In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This is in consideration of the conduct particularly harmful to the rights of the interested parties, which occurred in violation of the general principles regarding the protection of personal data.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, paragraph 1, letter f), of the Regulation, notes the unlawfulness of the processing carried out by Autotrasporti Cuccu Riccardo s.r.l. in the person of its legal representative pro tempore, with registered office in Elmas (CA), Via delle Miniere n. 22 P.I. 02661390928, for the violation of articles 5, par. 1, letters a), c), e), 13, 88 of the Regulation, 114 and 157 of the Code; pursuant to art. 58, par. 2, letter d), of the Regulation, requires the Company to comply, within 60 days from the date of notification of this provision, with the provisions set out in par. 5 of this decision, while at the same time requesting that it provide, within the aforementioned deadline, adequately motivated feedback pursuant to art. 157 of the Code; any failure to provide feedback may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, letter e) of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, the same Company to pay the sum of Euro 50,000.00 (fifty thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

therefore the same Company to pay the aforementioned sum of Euro 50,000.00 (fifty thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender retains the right to settle the dispute by paying, again according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for the filing of the appeal, as indicated below.

ORDERS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Guarantor;

pursuant to art. 17 of Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 16 January 2025

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei