Garante per la protezione dei dati personali (Italy) - 9777996
| Garante per la protezione dei dati personali - 9777996 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5 GDPR, Article 6 GDPR, Article 28 GDPR, Article 37 GDPR, Article 57(1)(a) GDPR, Article 2-ter Codice Privacy |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 28.04.2022 |
| Published: | |
| Fine: | 200.000 EUR |
| Parties: | Amiu s.p.a. |
| National Case Number/Name: | 9777996 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Italian |
| Original Source: | GPDP (in IT) |
| Initial Contributor: | Elsje Gold |
The Italian DPA fined a public waste collection company (processor) €200,000 for installing video surveillance systems without prior authorisation of the Municipality of Taranto (controller) and for posting videos on Facebook with identifiable persons without a legal basis.
English Summary
Facts
The controller is the Municipality of Taranto. The processor is Amiu s.p.a., a public entity facilitating waste collection services for the Municipality of Taranto. A report from the DPA revealed that the processor installed video surveillance systems to detect and sanction illegal activities. Some of these videos showing identifiable persons were posted on its Facebook page. On 14 January 2020, the processor contacted the supplier of the video surveillance system (ITS) without notifying the controller.
Holding
The DPA held that the processor violated Article 28(2), as it did not notify the controller prior to contacting ITS about the video surveillance system.
The DPA noted that public entities can lawfully process personal data for the fulfilment of a legal obligation or for the performance of a task in the public interest pursuant to Article 6(1)(c) and (e) GDPR. The DPA added that even if the processing is lawful, it must also comply with the principles laid down in Article 5. Since no indication of a legal basis for the placement of the videos on its Facebook page was found (Article 6 GDPR and Article 2-ter Codice Privacy), the DPA held that the processor violated the principles of "lawfulness, correctness and transparency" (Article 5(1)(a) GDPR).
The DPA further held that the controller violated the principle of "purpose limitation" (Article 5(1)(b)). The DPA found no indication that the further processing (publication on Facebook) was compatible with the purposes for which the personal data was previously collected (detection of illegal activities).
Lastly, the DPA held that the processor violated Article 28, as it found that the processor had not appointed a data protection officer pursuant to Article 37.
The DPA fined Amiu s.p.a. €200.000 for the aforementioned violations.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.