Garante per la protezione dei dati personali (Italy) - 9880398

From GDPRhub
Garante per la protezione dei dati personali - 9880398
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 88 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.03.2023
Published:
Fine: 50,000 EUR
Parties: H&M
National Case Number/Name: 9880398
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Newsletter of Garante per la protezione dei dati personali (in IT)
Initial Contributor: n/a

H&M was fined €50,000 for monitoring its employees with surveillance cameras in violation of the GDPR and of national labor provisions.

English Summary

Facts

Following a report by a trade union about video surveillance in multiple companies, in April 2022, the Italian Garante launched an investigation with the company H&M (controller) concerning the video surveillance systems in place at their registered office and in their stores.

The investigation service raised multiple points, among others

  • that all the controller’s shops were equipped with surveillance cameras;
  • the video surveillance system was active 24 hours a day and that images were kept for 24 hours;
  • in some of the shops, cameras were placed at employees’ entrance and in other areas reserved to the employees; and
  • the processing concerned more than 500 employees.

The controller argued that the employees were informed of the presence of the cameras through information notices. It relied on a security and protection purpose and referred to an authorization of processing that would have been issued by a territorial Labor Inspectorate.

The controller also stated that only 543 employees out of a total of 4,300 were actually monitored and that the cameras were only monitoring an area of passage.

Holding

The Garante assessed if the processing was lawful within the meaning of Article 5(1)(a) GDPR.

According to Article 88 GDPR, the GDPR is applicable without prejudice to more protective national rules. In Italy, a national provision (Article 4 of the Law no. 300 of 1970) is more specific than the GDPR. It requires, in the context of an employment relationship, that the processing should be agreed upon in an agreement with the trade union representatives or authorized by the Labor Inspectorate. Contrary to the controller’s statement, in this case, the Garante found that no agreement nor authorization was in place.

The Garante held the fact that the cameras only monitored passage areas is not relevant since the monitoring of video surveillance is subject to the full application of data protection provisions. It added that even if 543 out of a total of 4,300 were concerned, it was still a high number of data subjects.

In view of the above, the Garante considered that the controller breached Articles 5(1)(a) and 88 GDPR as well as national Labor provisions and imposed a €50,000 fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 26 May 2023



[doc. web no. 9880398]

Provision of 2 March 2023

Register of measures
no. 58 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

HAVING REGARD to the report submitted pursuant to art. 144 of the Code dated 29 March 2019 by Filcams CGIL Roma-Lazio against H&M Hennes & Mauritz s.r.l.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The preliminary investigation following a report.

On 28, 29 April and 17, 18 May 2022, following the cessation of the state of emergency linked to the Covid-19 pandemic, an on-site inspection was carried out at the registered office of the company H&M Hennes & Mauritz s.r.l. (hereinafter, the Company), concerning, in particular, the processing of data carried out through video surveillance systems, during which it was ascertained that:

"currently the company is present in Italy with 4 brands and 166 stores [...] and has 4,317 employees" (see report of operations carried out 28.4.2022, p. 2);

"the party showed the ROPA - registration of processing activities platform, through which the company manages, for all the world offices where it is present, the processing register" (see report cited, p. 2);

"with reference to the workers' data, the company is the data controller" (see report cited, p. 3);

"in ROPA there is an indication of the performance of the DPIA" (see report cited, p. 3); "the company, which plays the role of data controller, once an agreement has been reached with the RSA where present or, in the absence of union representation, once the authorization has been obtained from the specific Territorial Labor Inspectorate (ITL), sends the documentation relating to the disclosure to the shop manager, also specifying the characteristics of the treatment, the manager, in his time, it prints the individual copies to be delivered to each employee, acquiring proof that they have been viewed. Furthermore, each store has created a "privacy bulletin board", in the area reserved for employees, where the information is displayed" (see report cit., p. 3);

"as regards information to customers, the party specified that in various points of the shops brief information is posted [...] before the range of action of the camera, and that, at the request of customers, the shop manager is required to show the complete information, kept in the cabinets behind the tills" (see report cited, p. 4);

"in all stores there are at least 3 video cameras, in the back-area of the store to which only authorized employees or suppliers have access, which film: the corridor leading to the administration office, the administration office where the safe is placed, the entrance reserved for employees. The brief information is placed near the camera and before its range of action. In some shops, located in particular areas considered to be at risk of theft, there are cameras also in the sales area, their location and in number depending on the type of shop. Also in this case, the brief information is placed near the video camera and before its range of action" (see report cited, p. 4);

"in larger stores there may be more cameras in the back area, even up to 27 as in the Milan Cathedral store" (see report cited, p. 4);

"the company believes that all employees are involved in the processing [via video surveillance systems], due to the location of the cameras in the area reserved for employees, in areas where all employees are required to pass" (see report cited , p. 5);

“in sending the information to the employees, the company also sends the store manager the names of those who are authorized to access the live images. These images are accessible via a monitor in the administrative office, which can be accessed via badge or code. This office can only be accessed by the store manager, the department manager and the administrative manager - where present. Access to the images recorded in a special DVR is permitted only to the store manager and a union representative or, in the absence of one, a representative of the sales staff. These authorized subjects are provided with a personal password” (see report cited, p. 5);

“The video surveillance system is active 24 hours a day, 7/7 and the images are kept for 24 hours, after which they are overwritten. The DVR used for recording images is located in a technical room, in the back area of the store, locked or with access via code, exclusively by managers. Where the manual access code to the technical room is not provided, the key is kept in a safe and checked on a monthly basis" (see report cited, p. 5);

"the company accesses the recorded images only if requested by the police or judicial authorities" (see report cited, p. 5);

"in the back-area there are a maximum of 3 cameras and [...] any additional cameras are positioned in the sales area" (see report of operations carried out 29.4.2022, p. 1, 2);

“the cameras in the sales area are not used in all stores. Where they are used, they are generally placed near exits and stairs. In some cases, the television cameras can film the cash registers with the instructions to film only the hands of the employees" (see report cited, p. 2);

“Remote access to live or recorded images is not possible, as the DVR is not connected to the corporate network. The passwords for local access to the recorded images are created by the installer and supplied, in a sealed envelope, to the store manager and the union representative or the representative of the sales staff" (see report cited, p. 2);

"for the Viterbo store [...] the ITL issued the authorization on 19 July 2019" (see report cited, p. 2);

in the last 12 months "there have been [...] accesses [to the data recorded in the video surveillance systems] following a complaint to the competent authority even if, given the small number of shops that have cameras in the sales area, often at the request of authority can not be acted upon. These accesses are always communicated by email to the corporate security department" (see report cited, p. 3);

“The security department has a team of internal auditors […] who work on a quarterly schedule […]. High security risk stores [...] receive an audit every quarter while medium security risk stores [...] receive an audit every six months. [...] In addition to this, the store managers or persons delegated to do so, carry out a monthly self-audit, the outcome of which is sent to the area auditor" (see report cited, p. 3).

From the report dated 17 May 2022 it emerges that "in relation [...] to the Stezzano shop [...] the party specified that for this shop there are two authorizations from the ITL, since the first request concerned the placement of the video camera at the external door of the employee entrance. For condominium issues, the camera was installed, in September 2021, inside the shop, at the same door, hence the second request. However, this second authorization limited operation at night and the company took note of this limitation in preparing the documentation requested by the Authority, immediately turning off the cameras and notifying the competent Labor Inspectorate. However, the party specified that, in the information provided to the employees, it was specified that the operating hours of the cameras were 0-24 ". At the store in Piazza del Duomo, it was found that “in relation to the «back area» there are two cameras inside the structure and one outside, on the employees' entrance door; the two cameras inside the back area are fixed and film the door of the cash office and the safe respectively, inside the cash office; in the cash office there is a monitor that transmits live color images and a DVR dedicated to recording the images taken by the cameras; [...] it has been verified that the cashier cameras are partially obscured in order not to film the cashiers; it has been verified that the camera in the cash office, located towards the safe, is partially obscured so as not to film the employees".

By accessing the images recorded in the DVR, it was ascertained that "with regard to a single D4 camera relating to the safe, there are images dating back to 4 May 2022, from 00:23, as well as the dates of 5, 6, 13, 14 and 15 May (0-24); the recordings relating to the other cameras are in line with the company policy which provides for cancellation after 24 hours, by overwriting”. The Company specified that "the store manager, the administrative manager, the department managers (4 employees), the warehouse workers (3 employees), the apprentice store managers (3 employees) can access the live images".

On 30 May 2022, the Company, in resolving the reservations formulated during the inspection, sent, among other things, an "Excel file [...] with the list of points of sale in Italy, divided by Region, with the indication of the dates of the Union Agreements/ITL Authorizations, date of activation of the systems and location of the video cameras" then "the declarations of our supplier/installer of the CCTV systems relating to the reservation formulated in the report dated 18 May 2022 on Page 2 and precisely: [ …] Declaration relating to the anomaly found with the D4 camera in the Milano Duomo IT0444 shop, object of the inspection on 17 May 2022”.

The on-site assessment at the Company's headquarters was carried out as part of the investigation established following the presentation to this Authority, on 29 March 2019 by Filcams CGIL Rome-Lazio, of a report pursuant to the 'art. 144 of the Code with which the activation of video surveillance systems in ten local units of the Company was represented in a manner that does not comply with the provisions of the law.

In fact, following a request from this Department, on 16 July 2019 the Company, in providing feedback, had declared that:

“the [...] Company has activated video surveillance systems at 12 of its 13 total points of sale currently active in Rome and Lazio and more precisely: -1. Rome, Euroma 2 Shopping Center, Viale dell'Oceano Pacifico 83, from 06/23/08 – 2. Rome Porta di Roma Shopping Center, Via Alberto Lionello, from 07/25/07 – 3. Rome, Rome East Shopping Center, Via Collatina, from 03/31/07 – 4. Rome, Via del Corso 422, from 10/24/13 – 5. Rome, La Romanina Shopping Center, Via Enrico Ferri 8, 11/12/2015 – 6. Rome, Via di Valle Aurelia 1, from 04/19/18 – 7. Rome, Via Tuscolana 785, from 10/31/13 – 8. Rome, Appio Shopping Center, Via Appia Nuova 450, from 04/16/15 – 9. Rome, Castel Romano Shopping Village, Via Ponte di Piscina Cupa 64, from 10/25/12 – 10. Fiumicino, Market Central Da Vinci Shopping Centre, Via Geminiano Montanari, from 10/19/2007 – 11. Viterbo, Via Giacomo Matteotti 40, from 17/11/2016 - 12. Latina, Corso della Repubblica 165, from 02/12/2009" (see note 16.7.2019 cit., p. 1);

"at the thirteenth point of sale in Lazio located in Rome, Centro Commerciale Gran Roma, via Prenestina bis snc, recently opened (16/05/2019) video surveillance systems have not yet been installed and the authorization request procedure is currently underway at the ITL in Rome” (see cited note, p. 1);

"on 31 May 2019 a framework agreement was signed with Filcams CGIL of Rome and Lazio in the person of the Territorial Official [...] relating to the installation and use of video surveillance systems throughout the Lazio region, to be reproduced in subsequent individual agreements for each point of sale where union representatives are present" (see cited note, p. 2);

"subsequently, on 3 June 2019, the individual agreements were concluded with the RSAs of the points of sale where they are present, i.e. in all the 12 stores described above with the exception of the one in Rome, Via Ponte di Piscina Cupa 64 (Shopping Center Castel Romano), for which authorization was obtained on 20 May 2019 pursuant to art. 4 Law 20/5/70 n. 300 by the Labor Inspectorate of Rome and that of Viterbo for which an application for authorization was sent on 18 June 2019 to the competent Territorial Labor Inspectorate of Viterbo" (see note cit., p. 2);

"all the systems indicated above are active 24 hours a day" (see note cit., p. 2);

"all the systems in question have the sole specific purpose of protecting the safety of workplaces, workers and customers and protecting the company's assets" (see cited note, p. 2);

"for all the 12 points of sale mentioned above, the subjects authorized by specific written appointments to access the images (live only) projected via the monitor in the safe office are exclusively the so-called Point of Sale Manager, namely: the director, the administrative employee, the warehouse worker, the department head and the visual. Access is permitted only through gates controlled by door-opening badges with specific levels of authorization" (see cited note, page 2);

"for all the 12 points of sale mentioned above, access to the recorded images (stored [...] for 24 hours) can only take place in the necessary presence of both the director (or, if a director is not foreseen, the department head), both delegates in writing to this activity, both of the RSA (or, if not present, of a representative of the workers designated by them) through the use of a double password combined and exclusively in the presence of a report of the acquisition of the images of the Forces of the order. All subjects authorized to access and download the recorded images have been specially appointed with a specific written appointment” (see cited note, p. 2, 3);

"in all the 12 points of sale indicated above, before the range of action of each camera, there is information in a simplified form pursuant to the Provision of this Guarantor of 8 April 2010 on video surveillance with an explicit reference to the information available to customers and workers from store managers" (see cited note, p. 3).

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 30 September 2022 the Office, on the basis of the checks carried out, pursuant to art. 166, paragraph 5, of the Code, proceeded to notify the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a), 88 of the Regulation and art. 114 of the Code.

With defense briefs sent on October 28, 2022, the Company represented that:

- "invests many resources in the development and management of an ad hoc regulatory compliance system, in order to guarantee rigorous and scrupulous compliance, within its organization, with all the rules aimed at protecting the personal data of its customers , suppliers, employees and stakeholders in general" (see note 10.28.2022 cit., p. 1);

- "in the light of what emerged during the inspection operations, it appears from the documentation submitted that, out of a total of 166 shops, the violations of the present proceeding are really limited to a small number of shops which [...] did not affect the rights and freedoms of the individuals concerned” (see cited note, p. 3);

- "the violations subject to reporting (mostly sanctioned by the competent ITL) concerned exclusively the lack of the authorization provision for the installation of the system but, in all cases, the employee had been informed by the Company of the presence of the systems themselves and was aware of who was the data controller and how to exercise their rights, if necessary. In addition, the images were overwritten every 24 hours as indicated by company policies, they were protected by a double password system (stored in a safe) and, in any case, the area being filmed was strictly limited to transit access for store personnel (except in a single case) for exclusive anti-robbery purposes and, therefore, with the aim of protecting employees from possible risks to their physical safety, since these are areas where the cash of the shops is kept" (see note cited , p. 3);

- "the violations highlighted must also be assessed within a very particular time frame, during which the Company was rapidly expanding and store openings followed one another at a rapid pace" (see cited note, p. 3);

- "unfortunately, this situation has produced some inefficiencies and, in particular, has had the effect - in the few points of sale in question - of not being perfectly compliant with the opening procedures established by the Company: the competent offices, that is, they did not notice the lack of certain documentary aspects (the authorizations for video surveillance [...]) which, however, are indicated and envisaged by the Company as part of the indispensable documentation that must be present at the opening of the points of sale" (see note cit., p. 3);

- "the violations under discussion are, therefore, simply the result of an imperfect application of the company procedures for verifying the installation process of the video surveillance system in some specific points of sale but certainly do not represent the modus operandi of [...] the Company, as demonstrated by the fact that all the other points of sale (the vast majority) were found to comply with the provisions of the law on the protection of personal data (refer to the Excel file summarizing the situation of all points of sale, with the related attached documents, produced by the Company to release the reserves [...])" (see cited note, p. 3, 4);

- "therefore, it was a "route incident" which, moreover, represented an opportunity to improve and perfect the corporate control system which, as documented by the Company [...] is today effectively proceduralized, supervised and monitored by the individual heads of internal functions, by a local data privacy coordinator assisted by an external DPO, as well as by a Group structure specifically dedicated to regulatory compliance regarding the processing of personal data" (see cited note, p. 4) ;

- "regarding the 13 points of sale in Lazio [...] the non-conformities of the 10 points of sale in the metropolitan area of Rome (reported by the Union) have already been subject to sanctioning proceedings by the ITL [Territorial Labor Inspectorate] , with payment of the related fines by the Company [...]: the sales outlets in Viterbo (IT0495) and Latina (IT0357) were not subject to fines by ITL; at the thirteenth point of sale in Lazio, located in Rome, Gran Roma Shopping Center (IT0526), at the time of the ITL inspection, no video surveillance system was found to be installed" (see cited note, p. 4);

- "for the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: I) the total number of data subjects involved in the 12 points of sale where the systems in question were installed is very small in relation to the total number of employees employed by the Company in the total 166 stores (these are no more than 543 employees out of a total of approximately 4,300 employees); II) the employees of the stores concerned were, however, aware of the presence of the video surveillance system and its functioning and positioning also through the presence of brief information notices in the areas in front of the areas subject to video surveillance. Furthermore, the shop managers periodically sent the Company technical intervention communications in the event of system anomalies and the same was subject to periodic checks relating to its functioning, as required by the audit procedures in place at the time (which, today, are been integrated also with the verification of compliance with data protection rules [...]); III) the lack of the authorization documentation is therefore derived from an imperfect application of the company procedures for verifying the installation process of the video surveillance system, with the exclusion of any intentionality and malicious behavior; […] IV) as soon as it became aware of the authorization problem, the Company immediately adopted all appropriate measures to mitigate the effects of the violation found and, in particular, immediately shut down and/or uninstalled the systems until it was possession of authorisations; V) in any case, the time limit for storing images has always been limited to 24 hours as per the company's global policy" (see note cited. p. 4, 5);

- "the cameras were positioned exclusively in the back area of the shops (i.e. without filming customers, in 11 out of 12 outlets) for mere anti-robbery purposes, to protect the safety of the employees themselves. Specifically, the aforementioned cameras placed in the back area were (and still are) mainly in number of 3 (three) positioned as follows: - the first, above the entrance reserved for employees, exclusively in a transit area and not for work ; - the second, in the access corridor to the administrative office (so-called «cash office») which, for security reasons, is accessible only after identification of the staff via a monitor which only displays the area in front of the entrance door, being the office where cash and confidential employee documents are kept. Also in this case it is a transit area and not a working area; - the third, located inside the administrative office, which takes only the safe and, therefore, a small number of people given that only the managers of the sales outlets have access to this office (on average 5 managers per sales outlet)" ( see note cit., p. 6);

- "regarding the technical and organizational measures adopted by the Company in relation to all points of sale where the cameras are installed (Article 83, paragraph 2, letter d, GDPR), demonstrating the adoption of a level of security appropriate to the risk, reference is made to the documents [...]: - video surveillance policy; - audit program (annual systematic planning of internal audits at all points of sale in Italy, including an information security and data protection section also in relation to the video surveillance system); - checklist for verifying the compliance of the video surveillance systems and internal management procedures following the sending of documents to the store managers, to ascertain the effective adoption of the envisaged measures in the individual points of sale; - information to employees with a detailed description of the number and position of the individual video cameras; - specific designations to the personnel authorized to manage the images; - email of specific instructions that is sent to the shops before the cameras are activated; - image protection system using DVRs protected by double passwords (one held by the store manager of the shop and the other held by a worker representative) and located in a technical room with controlled access authorized only to the managers of the sales points ; - the download of the images, [...] takes place only following receipt of the report of the acquisition of the images by the Police; - no remote access to images; - periodic survey on video surveillance systems; adoption of information to interested parties, both short and long, always available to employees (displayed on the bulletin board) as well as customers (where cameras are also present in the sales area): VII) on the part of the Company there has always been the maximum availability towards the Inspectors during the operations of the months of April and May 2022 [...]; VIII) the categories of personal data involved in the violation are limited to the images of the last 24 hours, mainly on personnel transit areas; IX) [the] Authority became aware of the violation following a report from the Lazio Territorial Union; X) following the 2019 report and the ITL dispute, the Company promptly took steps to regularize the situation in each point of sale reported, with the release of the necessary authorizations in just over a month; XI) the interested parties have not suffered any damage” (see cited note p. 6, 7);

- "regarding the Le Fontane store, Catanzaro (IT335) [...] it should be noted that the violation was the subject of a sanctioning procedure by ITL, with payment of the relative sanctions by the Company [...]. For the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: I) the violation falls within the few cases in which there was an imperfect application of the company procedures for verifying the installation process of the video surveillance system at the time of opening the store; II) the violation was discovered, incidentally, during an inspection of the ITL linked to a request for early maternity leave and not for reports deriving from the violation of employee rights; III) furthermore, all the elements already expressed above in relation to the sales outlets in Lazio are recalled" (see cited note, p. 8);

- "regarding the Centro del Molise sales point, Campobasso, Molise (IT484) [...] it should be noted that the violation has already been subject to sanctioning proceedings by ITL, with payment of the related sanctions by the Company [...] . For the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: I) the violation falls within the few cases in which there was an imperfect application of the company procedures for verifying the installation process of the video surveillance system at the time of opening the store; II) the violation was discovered, incidentally, during an ITL inspection linked to a request for early maternity leave and not for reports deriving from violations of employee rights; III) furthermore, all the elements already expressed above in relation to the sales outlets in Lazio are recalled" (see cited note, p. 8);

- "regarding the Costaverde store, Molise (IT516) [...] it should be noted that the violation has already been the subject of sanctioning proceedings by ITL, with payment of the related sanctions by the Company [...]. For the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: i) the violation falls within the cases in which there was an imperfect application of the company procedures for verifying the installation process of the video surveillance system at the time of opening the store; II) the violation was discovered, incidentally, during an ITL inspection linked to a request for early maternity leave and not for reports deriving from violations of employee rights; III) furthermore, all the elements already expressed above in relation to the sales outlets in Lazio are recalled" (see cited note, p. 9);

- “regarding the store in Gravina, Tuscany (IT545), it should be noted that there has been no violation. The Authority erroneously noted the activation dates of the video surveillance system. In the excel file filed by [...] the Company on 25 May 2022, it appears that: - the date of activation of the system is 8 November 2018 (not 11 August 2018); - the trade union agreement signed is on 25 October 2018, therefore prior to the activation of the plant" (see cited note, p. 9);

- "regarding the Lecce Mongolfiera sales point, Puglia (IT447) [...] it should be noted that there has been no violation. The Authority erroneously noted the activation dates of the video surveillance system. In the Excel file filed by [...] the Company on May 25, 2022, it appears that: - the system activation date is December 5, 2019 (not May 12, 2019); - the trade union agreement signed is on 25 June 2019, therefore prior to the activation of the plant" (see cited note, pp. 9, 10);

- "regarding the CC Due Valli store, Turin Pinerolo, Piedmont (IT520) [...] it should be noted that there has been no violation. The Authority erroneously noted the activation dates of the video surveillance system. In the Excel file filed by [...] the Company on May 25, 2022, it appears that: - the system activation date is November 8, 2019 (not August 11, 2019); - the authorization from ITL is dated 4 September 2019 and, therefore, prior to the activation of the plant" (see note cited, p. 10);

- "regarding the Milan Cathedral sales point (IT444) [...]. With reference to the technical anomaly of the D4 video camera, for the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: a) it was an unknown, completely unpredictable and hidden technical anomaly of the DVR recording system, as also demonstrated by the fact that the recording did not take place continuously, but it is limited to some random time period within the days […]; b) it was a single video camera out of a total of 27, which also filmed the area close to the safe, i.e. [...] a limited area, where the transit of people is extremely limited and sporadic and it only concerns store managers (the only personnel authorized to access the area); c) the statement that the D4 camera would have malfunctioned "from the installation of the aforesaid camera and until May 23, 2022" (p. 8 Your communication): the on-site checks carried out personally by the Inspectors revealed that the anomaly did not occur before 4 May 2022 at 00:23. In fact, the Inspectors verified that, before that date, there were no other recordings saved, therefore the exposure time beyond 24 hours was very limited (less than 15 days and for non-continuous fractions of time)” (see note cit., p. 10, 11);

- "regarding the store in Stezzano, Bergamo (IT412) [...] for the purpose of assessing all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: a) the circumstance noted by [the] Authority is evidently the result of an erroneous drafting of the second authorization by ITL, considering that the first authorization issued by ITL itself was exactly compliant with the requirements by the Company and the factual situation in the store (24-hour registration), as also reported in the disclosure pursuant to art. 13 GDPR delivered to employees; b) the Company, in good faith, assumed that the second authorization was identical in content to the first and, that is, it allowed the recording of the images for 24 hours of recording and was not aware of the discrepancy and, that is, that the 'ITL had modified this requirement, limiting it only to the night period, in which the staff was absent; c) [...] the Company would like to underline and reiterate that the employees have received information conforming to the effective registration for all 24 hours and, therefore, the interested parties have not suffered any violation of their rights nor have they suffered any damage; d) as soon as the Company took note of the error in the second authorization from ITL, it proceeded to deactivate the plant to comply with the authorization provision erroneously drafted by ITL itself; e) it should be added, however, that ITL became aware of the error and, on 14 October 2022, corrected its provision, authorizing registration for 24 hours, as requested by the Company from the outset […] f ) in any case, it should be noted that the period of the infringement was limited in time; also in this case, it was only the three cameras in the back area, 2 of which guarded the personnel entrances (transit area and not in the sales area) and one above the safe with the involvement of a very small number of employees (at the Stezzano sales point there are a total of 14 employees), always and exclusively for purely anti-robbery purposes” (see cited note, p. 11, 12);

- "in compliance [...] with the request of [the] Authority [...] we produce: - documentation of the Conegliano Veneto sales point (IT0396): ITL authorization of 23 October 2019, system activation on 2 September 2022 [...] – documentation of the Forlì sales point (IT0398): ITL authorization dated 18 February 2020, system activation dated 12 October 2022" (see cited note, p. 12).

3. The outcome of the investigation and of the procedure for the adoption of corrective and sanctioning measures.

As a result of the examination of the declarations made to the Authority during the proceeding as well as of the documentation acquired, it appears that the Company, as owner, has carried out some processing operations which do not comply with the regulations on the protection of personal data .
In this regard, it should be noted that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

3.1. Treatments carried out, through video surveillance systems, in the absence of an agreement with the union representatives or authorization from the Labor Inspectorate.

On the merits, it emerged that the Company, also on the basis of what it has declared, has installed and used video surveillance systems at a variety of points of sale, suitable for filming workers during their working activity, in the absence of an agreement with the union representatives o authorization issued by the Labor Inspectorate pursuant to art. 4 of law no. 300 from 1970.

In particular, it was found that the Company installed and activated video surveillance systems, in the following points of sale, on the specifically indicated dates:

Point of sale  Activation date

Rome Shopping Center Euroma 2, Viale dell'Oceano Pacifico 83 23/06/08



Rome Porta di Roma Shopping Center, Via Alberto Lionello 25/07/07

Rome East Rome Shopping Center, Via Collatina 31/03/07

Rome Via del Corso 422 10/24/13

Rome La Romanina Shopping Center, Via Enrico Ferri 8 12/11/15

Rome Via di Valle Aurelia 1 19/04/18

Rome Via Tuscolana 785 10/31/13

Rome Appio Shopping Center, Via Appia Nuova 450 16/04/15

Rome Shopping Village Castel Romano, Via Ponte di Piscina Cupa 64 25/10/12

Fiumicino Da Vinci Shopping Center, Via Geminiano Montanari 10/19/07

Viterbo Via Giacomo Matteotti 40 17/11/16

Latin Corso della Repubblica 165 02/12/09



With reference to these systems, only on 31 May 2019 was a framework agreement signed with Filcams CGIL of Rome and Lazio relating to the installation and use of video surveillance systems throughout the Lazio region, to be reproduced, in subsequent individual agreements, for each point of sale where union representatives are present.

As a consequence of this, with reference to the points of sale indicated above, the agreements with the union representatives were stipulated after 31 May 2019 (precisely on 3 June 2019) and, therefore, only after significant periods of time from their installation and activation.

As regards the shop in Rome, via Ponte di Piscina Cupa 64, the authorization from the Labor Inspectorate was issued on 20 May 2019 and as regards the shop in Viterbo on 19 July 2019.

It was also ascertained that the Company had recourse to video surveillance systems, before entering into an agreement with the trade union representatives or obtaining the release of the authorization from the Labor Inspectorate pursuant to art. 4 of law no. 300 of 1970 (see Excel file provided by the Company), also at the shops:

Point of sale Activation date

The Fountains, Catanzaro (IT0335) 8/26/17

Center of Molise, Campobasso, Molise (IT0484) 10/11/16

Costaverde, Molise (IT0516) 17/11/16

Gavinana Center, Tuscany (IT0545) 11/8/18

Lecce hot air balloon, Puglia (IT0447) 12/5/19

Due Valli Shopping Center, Turin Pinerolo, Piedmont (IT0520) 11/8/19



With reference to these points of sale, in fact, precisely from the examination of the Excel file delivered by the Company on 25 May 2022, to resolve the reservations formulated during the inspection, it emerged that: only on 10/18/2018, was authorization issued by the Labor Inspectorate for the Le Fontane shop, Catanzaro (IT0335); only on 13/5/2019, the authorization was issued by the Labor Inspectorate for the Centro del Molise shop, Campobasso, Molise (IT0484); only on 21/12/2018, the authorization was issued for the Costaverde store, Molise (IT0516); only on 25/10/2018, the first agreement was signed with the union representatives for the Centro Gavinana store, Tuscany (IT0545); only on 25/6/2019, was the agreement signed with the trade union representatives for the Lecce Mongolfiera shop, Puglia (IT0447); only on 4/9/2019, the authorization was issued by the Labor Inspectorate for the Due Valli Shopping Centre, Turin Pinerolo, Piedmont (IT0520).

With reference to what has been ascertained above regarding the use of video surveillance systems in the context of the Company's commercial establishments, it is recalled that the processing of personal data carried out in the context of the employment relationship, if necessary for the purpose of managing the relationship itself ( v., as regards the so-called common data, Article 6, paragraph 1, letters b) and c) of the Regulation), must be carried out in compliance with the general principles indicated by the art. 5 of the Regulation, and, in particular, of the principle of lawfulness, on the basis of which the processing is lawful if it complies with the applicable sector regulations (Article 5, paragraph 1, letter a) of the Regulation).

Consistent with this approach, the art. 88 of the Regulation is without prejudice to the national rules of greater protection ("more specific rules") aimed at ensuring the protection of rights and freedoms with regard to the processing of workers' personal data. The national legislator has approved, as a more specific provision, art. 114 of the Code which, among the conditions of lawfulness of the treatment, established the observance of the provisions of art. 4, the. no. 300 of 1970. The violation of the aforementioned art. 88 of the Regulation is subject, if the requisites are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, letter. d) of the Regulation.

Based on the aforementioned art. 4, the. no. 300 of 1970, video surveillance equipment, if from the same derives "also the possibility of remote control" of employee activity, "may be used exclusively for organizational and production needs, for workplace safety and for the protection of company assets ” and the relative installation must, in any case, be carried out following the stipulation of a collective agreement with the unitary trade union representatives or with the company union representatives or, where it has not been possible to reach such an agreement or in the absence of the representatives, only in preceded by the issue of a specific authorization by the Labor Inspectorate.

The activation and conclusion of this guarantee procedure is therefore an indefectible condition for the installation of video surveillance systems. Violation of this provision is punishable by law (see article 171 of the Code).

Considering the above, it is therefore ascertained that the Company has processed personal data through video surveillance systems capable of filming workers during the course of their work (the Company itself has specified that "all employees [are] involved in the processing [through video surveillance systems], due to the location of the cameras in the area reserved for employees, in areas where all employees are required to pass", report of operations performed 28.4.2022, p. 5) in a manner different from the provisions of system, in particular, without having activated the guarantee procedure provided for by art. 4 of law no. 300 of 1970, a guarantee procedure which, according to what was declared by the Company, is managed by the latter, therefore in a centralized way (in this regard it has been declared, in fact, that "the company, which plays the role of data controller, a once an agreement has been reached with the RSA where present or, in the absence of trade union representation, once authorization has been obtained from the specific Territorial Labor Inspectorate (ITL), it shall send the documentation relating to the disclosure to the shop manager, specifying also the characteristics of the treatment", report of operations performed 28.4.2022, p. 3, and "the management of relations with the trade union representatives or with the ITL, for the purpose of installing the video surveillance systems, is carried out centrally and in unified way for all the stores, as well as the relationship with the company that takes care of the installation and activation of the systems", report of operations performed 29.4.2022, p. 2).

The activation of the aforementioned guarantee procedure does not integrate a mere formality nor can it be qualified, as instead claimed by the Company, as a simple "lack of some documentary aspects".

The aforementioned guarantee procedure, as repeatedly underlined also by the legitimacy jurisprudence, "protects interests of a collective and super-individual nature", whereby, in the event that the employer does not activate it, his conduct will harm the collective interests in defense of which it is set (see, among others, Court of Cassation, section III pen., 12.17.2019, n. 50919).

Only through this procedure, therefore, through the trade union representatives or the Labor Inspectorate, can the suitability of damaging the dignity of workers of technological tools from which remote control of workers may derive be possible be assessed and can the effective compliance of these systems with technical-production or safety requirements. The mandatory nature of the aforementioned procedure also responds to the situation of disproportion existing between the position of the employer and that of the workers.

Among other things, and in any case, the same Company admitted that the situation deriving from the "violations to be reported" "unfortunately produced some inefficiencies and, in particular, had the effect [...] of not being perfectly compliant with the opening procedures established by the Company".

From the documentation produced, therefore, it emerged that for a significant period of time the management, at a national level, of the Company with reference to the treatments deriving from the use of video surveillance systems, in many points of sale, was at least confused, not rigorous and not punctual, despite the importance of activating the aforementioned guarantee procedure.

The treatments in question were found to be illegal, in some cases, up to the deactivation of the video cameras following the intervention of the Labor Inspectorate for the shops subject to inspection by the latter and, for the others, up to the stipulation of the agreement or the issuance of the authorisation.

It should also be considered that, as declared by the Company itself, the processing involved no more than 543 employees: a very significant number of data subjects, therefore.

Furthermore, the circumstance, represented by the Company, that the employees had been informed of the presence of the plant and its functioning and positioning also through brief information posted in the areas in front of the areas covered by the shooting.

In fact, it is not sufficient (albeit necessary) to inform pursuant to art. 13 of the Regulation, the employees regarding the characteristics of the treatment carried out through video surveillance systems, precisely considering the already highlighted mandatory nature of the procedure.

With regard, then, to the objection of the Company according to which the cameras, in most cases, would film "an area of passage and not of work activity" it is recalled that the Guarantor has constantly considered that even the areas in which they transit or stop - sometimes continuously - employees (e.g. accesses to the structure and garages, goods loading/unloading areas, vehicle and pedestrian entrances), if subjected to video surveillance, are subject to the full application of the regulations on the protection of personal data ( see, among others, provisions of 16 September 2021, no. 331, web doc. no. 9719768; 30 July 2015, no. 455, web doc. no. 4261028; 4 July 2013, no. 334, doc. web no. 2577203; 18 April 2013, nos. 199 and 200, web doc. no. 2483269; 9 February 2012, no. 56, web doc. no. 188699; 17 November 2011, no. 434, web doc. no. 1859558; 26 February 2009, web doc. n. 1601522).

Moreover, this is in accordance with the provisions of the legitimacy jurisprudence (see Cass. March 6, 1986, n. 1490; see also, with reference to an instrument other than video surveillance, Cassation n. 15892 dated March 13, 2007).

In the present case, the video recording systems are positioned in such a way as to film areas where, precisely, employees necessarily transit to carry out their work activity or even to go inside areas where the work activity takes place ( entrances reserved for employees, access corridors to the administrative office, administrative office).

The conduct held by the Company therefore constitutes a violation of the principle of lawfulness of processing (Article 5, paragraph 1, letter a) of the Regulation in relation to Article 114 of the Code) and art. 88 of the Regulation as regards the applicable discipline on the matter.

As regards the aforementioned points of sale in Lazio, in relation to which the Company specified that 10 were "subject to sanctions by the ITL" and that "the points of sale in Viterbo (IT0495) and Latina (IT0357) were not subject to sanction by the ITL”, it is recalled that the powers that the law recognizes to the Guarantor for the protection of personal data, which concern the processing of personal data, with reference to art. 114 of the Code, are added to (and do not replace or diminish) the powers of the Labor Inspectorate.

Therefore, where the Authority deems the violation of art. 114 of the Code, must ascertain the same, providing for the necessary corrective and sanctioning measures, both in the case in which the Inspectorate has proceeded, for the profiles within its competence, to sanction the person who has behaved in violation of art. 4 of law 300 of 1970, and in the event that the same has not done so.

The art. 4 of law no. 300 of 1970 provides for the competence of the INL to issue the administrative authorization necessary for the installation of audiovisual systems and other tools from which also derives the possibility of remote control of workers for organizational and production needs, for safety at work and for the protection of corporate assets, therefore with reference to purely labor profiles.

The art. 114 of the Code hinges on the Guarantor's competence in relation to verifying compliance with the personal data protection regulations also for the purposes of remote controls, attributing both sanctioning and corrective powers, providing, among other things, its own completely different legal framework from that envisaged for the labor side.

The areas of operation of the two disciplines, although connected, are therefore autonomous. As part of the assessments relating to the proportion of the sanction applicable to the specific case, the Authority may in any case take into account the administrative sanctions applied by the Inspectorate and paid by the Company.

3.2. Processing of personal data carried out in violation of what was authorized by the Labor Inspectorate.

It has also been ascertained that the Company, at the Milan store (Duomo) has, using the D4 video camera relating to the safe, recorded and stored the images for a time exceeding the term established in the agreement stipulated pursuant to art. 4 of Law no. 300 of 1970 equal to 24 hours (on 17.5.2022, during the inspection, in fact, images were found dating back to 4 May 2022, from 00:23, as well as the dates of 5, 6, 13, 14 and 15 May, 0-24).

In this regard, the Company, in resolving the reservations formulated during the inspection, presented a statement from the installer Project Impianti s.r.l. according to which “the anomalous recordings kept for more than 24 hours by the aforementioned video camera depended on a technical problem. Specifically, we verified that the camera was not set correctly compared to the others, most likely due to a technical error in the programming phase of the same given that each device must be configured individually both in terms of settings and in terms of addressing".

In this regard, it was also declared that "this anomaly was resolved by our technicians on [23.5.2022] and that the system is now new and perfectly functional and only keeps the images for 24 hours".

In the defense writings, the Company specified that "the anomaly [of the aforementioned camera] did not occur before 4 May 2022 at 00:23", considering that only images dating back to that date were found during the inspection.

This said, despite the fact that the anomaly of the camera in question depended on the setting of the same in the installer's declaration presented by the Company, given that during the inspection, images recorded by the camera in question dating back to 4 May 2022 were found , it is ascertained that the Company has, through the D4 video camera relating to the safe at the store in Milan (Duomo), processed personal data in violation of what is explicitly provided for in the agreement stipulated on 1 April 2015 with the trade union representatives ( the agreement provides, in this regard, that "the images will not be kept for a period exceeding 24 hours after this period they will be automatically deleted") at least from 4 May 2022 (and not from the date of installation of the same, as indicated in the dispute of the 30.9.2022) until 23 May 2022.

It was also ascertained that, in the Stezzano (BG) store, the Company, from September 2021 (the date, according to what was declared by the Company, of the installation of a camera that was previously positioned outside, inside the store and, therefore, modification of the plant, with respect to what was authorized by the Inspectorate) and until the inspection assessment carried out by the Guarantor, as reported in the report of the assessment of 17 May 2022, kept the cameras activated even during working hours, despite the 'Labour Inspectorate had specified, in the authorization of 4.3.2020 (authorization which replaced that of 13.1.2020), that "The two internal cameras located in the Staff Area [...] must remain switched off during the opening hours of the operational headquarters to customers".

In this regard, the Company declared that it had taken note of the hourly limitation of the operation of the cameras only in preparing the documentation requested by the Authority and that it had, consequently, proceeded to switch them off (see report of operations carried out 17.5.2022).

The Company has also declared, limiting itself to attaching, in addition to the first two authorizations issued by the Labor Inspectorate, also the new authorization issued on 14 October 2022 by the Labor Inspectorate, that the limitation of the activation of the video surveillance system it would derive from an "erroneous drafting of the second authorization by the ITL".

In this regard, we limit ourselves to observing that it is the responsibility of the Company that has requested authorization from the Inspectorate to verify its content at the time of release and to adjust the treatment accordingly or to ask the Inspectorate for clarifications or corrections, if necessary, also having regard to the principle of accountability (Article 5, paragraph 2, of the Regulation).

Therefore, for the above, the conduct held by the Company constitutes a violation of the principle of lawfulness of processing (Article 5, paragraph 1, letter a) of the Regulation in relation to Article 114 of the Code) and art. 88 of the Regulation as regards the applicable discipline on the matter.

4. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and which are therefore unsuitable to allow the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

The processing of personal data carried out by the Company through video surveillance systems is in fact illegal, in the terms set out above, in relation to articles 5, par. 1, lit. a), 88 of the Regulation and 114 of the Code.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility, the manner in which the supervisory authority became aware of the violation (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding it appears that H&M Hennes & Mauritz s.r.l. has violated the articles 5, par. 1, lit. a), 88 of the Regulation and 114 of the Code. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction envisaged by art. 83, par. 5, letter. a), d) of the Regulation, through the adoption of an injunction order (art. 18, law 11.24.1981, n. 689).

Considering it necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the fine must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the general principles of processing, and, in particular, the principle of lawfulness (with reference to the specific provisions relating to processing in the scope of the employment relationship); the considerable periods of time in which the Company used video surveillance systems without having activated the guarantee procedure pursuant to art. 4 of law no. 300 of 1970 and the significant number of interested parties involved and the fact that the violation involved various locations and different profiles (absence of authorization and treatments carried out in violation of the authorizations issued) demonstrating an overall inadequate management of the process of implementation of the discipline in the context of the employment relationship;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same was taken into consideration, which complied with the data protection regulations only following the activity of the Labor Authority and Inspectorate;

c) in favor of the Company, the cooperation with the Authority was taken into account in order to remedy the violations and the absence of previous relevant violations against the Company.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), in firstly the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2021.

For the proportioning of the fine, it was also taken into consideration that, in relation to some of the points of sale affected by the violations ascertained by the Authority, the Company, following an inspection by the Labor Inspectorate, proceeded to pay the sum envisaged for the conduct in relation to the profiles integrating the offense deriving from the violation of the combined provisions of the articles 4 and 38 of the law. no. 300 from 1970.

Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply against H&M Hennes & Mauritz s.r.l. the administrative sanction of the payment of a sum equal to 50,000 (fifty thousand) euros.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of treatment, in particular the principle of lawfulness, that pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by H&M Hennes & Mauritz s.r.l., in the person of its legal representative, with registered office in Via Turati, Milan, 9, 20121, Tax Code 03269110965, pursuant to art. 143 of the Code, for the violation of the articles 5, par. 1, lit. a), 88 of the Regulation and 114 of the Code;

ORDER

pursuant to art. 58, par. 2, lit. i) of the Regulations to H&M Hennes & Mauritz s.r.l., to pay the sum of 50,000 (fifty thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOYS

then to the same Company to pay the aforementioned sum of 50,000 (fifty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions set forth in art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, March 2, 2023

PRESIDENT
Station

THE SPEAKER
guille

THE DEPUTY SECRETARY GENERAL
Philippi



SEE ALSO Newsletter of 26 May 2023



[doc. web no. 9880398]

Provision of 2 March 2023

Register of measures
no. 58 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

HAVING REGARD to the report submitted pursuant to art. 144 of the Code dated 29 March 2019 by Filcams CGIL Roma-Lazio against H&M Hennes & Mauritz s.r.l.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The preliminary investigation following a report.

On 28, 29 April and 17, 18 May 2022, following the cessation of the state of emergency linked to the Covid-19 pandemic, an on-site inspection was carried out at the registered office of the company H&M Hennes & Mauritz s.r.l. (hereinafter, the Company), concerning, in particular, the processing of data carried out through video surveillance systems, during which it was ascertained that:

"currently the company is present in Italy with 4 brands and 166 stores [...] and has 4,317 employees" (see report of operations carried out 28.4.2022, p. 2);

"the party showed the ROPA - registration of processing activities platform, through which the company manages, for all the world offices where it is present, the processing register" (see report cited, p. 2);

"with reference to the workers' data, the company is the data controller" (see report cited, p. 3);

"in ROPA there is an indication of the performance of the DPIA" (see report cited, p. 3); "the company, which plays the role of data controller, once an agreement has been reached with the RSA where present or, in the absence of union representation, once the authorization has been obtained from the specific Territorial Labor Inspectorate (ITL), sends the documentation relating to the disclosure to the shop manager, also specifying the characteristics of the treatment, the manager, in his time, it prints the individual copies to be delivered to each employee, acquiring proof that they have been viewed. Furthermore, each store has created a "privacy bulletin board", in the area reserved for employees, where the information is displayed" (see report cit., p. 3);

"as regards information to customers, the party specified that in various points of the shops brief information is posted [...] before the range of action of the camera, and that, at the request of customers, the shop manager is required to show the complete information, kept in the cabinets behind the tills" (see report cited, p. 4);

"in all stores there are at least 3 video cameras, in the back-area of the store to which only authorized employees or suppliers have access, which film: the corridor leading to the administration office, the administration office where the safe is placed, the entrance reserved for employees. The brief information is placed near the camera and before its range of action. In some shops, located in particular areas considered to be at risk of theft, there are cameras also in the sales area, their location and in number depending on the type of shop. Also in this case, the brief information is placed near the video camera and before its range of action" (see report cited, p. 4);

"in larger stores there may be more cameras in the back area, even up to 27 as in the Milan Cathedral store" (see report cited, p. 4);

"the company believes that all employees are involved in the processing [via video surveillance systems], due to the location of the cameras in the area reserved for employees, in areas where all employees are required to pass" (see report cited , p. 5);

“in sending the information to the employees, the company also sends the store manager the names of those who are authorized to access the live images. These images are accessible via a monitor in the administrative office, which can be accessed via badge or code. This office can only be accessed by the store manager, the department manager and the administrative manager - where present. Access to the images recorded in a special DVR is permitted only to the store manager and a union representative or, in the absence of one, a representative of the sales staff. These authorized subjects are provided with a personal password” (see report cited, p. 5);

“The video surveillance system is active 24 hours a day, 7/7 and the images are kept for 24 hours, after which they are overwritten. The DVR used for recording images is located in a technical room, in the back area of the store, locked or with access via code, exclusively by managers. Where the manual access code to the technical room is not provided, the key is kept in a safe and checked on a monthly basis" (see report cited, p. 5);

"the company accesses the recorded images only if requested by the police or judicial authorities" (see report cited, p. 5);

"in the back-area there are a maximum of 3 cameras and [...] any additional cameras are positioned in the sales area" (see report of operations carried out 29.4.2022, p. 1, 2);

“the cameras in the sales area are not used in all stores. Where they are used, they are generally placed near exits and stairs. In some cases, the television cameras can film the cash registers with the instructions to film only the hands of the employees" (see report cited, p. 2);

“Remote access to live or recorded images is not possible, as the DVR is not connected to the corporate network. The passwords for local access to the recorded images are created by the installer and supplied, in a sealed envelope, to the store manager and the union representative or the representative of the sales staff" (see report cited, p. 2);

"for the Viterbo store [...] the ITL issued the authorization on 19 July 2019" (see report cited, p. 2);

in the last 12 months "there have been [...] accesses [to the data recorded in the video surveillance systems] following a complaint to the competent authority even if, given the small number of shops that have cameras in the sales area, often at the request of authority can not be acted upon. These accesses are always communicated by email to the corporate security department" (see report cited, p. 3);

“The security department has a team of internal auditors […] who work on a quarterly schedule […]. High security risk stores [...] receive an audit every quarter while medium security risk stores [...] receive an audit every six months. [...] In addition to this, the store managers or persons delegated to do so, carry out a monthly self-audit, the outcome of which is sent to the area auditor" (see report cited, p. 3).

From the report dated 17 May 2022 it emerges that "in relation [...] to the Stezzano shop [...] the party specified that for this shop there are two authorizations from the ITL, since the first request concerned the placement of the video camera at the external door of the employee entrance. For condominium issues, the camera was installed, in September 2021, inside the shop, at the same door, hence the second request. However, this second authorization limited operation at night and the company took note of this limitation in preparing the documentation requested by the Authority, immediately turning off the cameras and notifying the competent Labor Inspectorate. However, the party specified that, in the information provided to the employees, it was specified that the operating hours of the cameras were 0-24 ". At the store in Piazza del Duomo, it was found that “in relation to the «back area» there are two cameras inside the structure and one outside, on the employees' entrance door; the two cameras inside the back area are fixed and film the door of the cash office and the safe respectively, inside the cash office; in the cash office there is a monitor that transmits live color images and a DVR dedicated to recording the images taken by the cameras; [...] it has been verified that the cashier cameras are partially obscured in order not to film the cashiers; it has been verified that the camera in the cash office, located towards the safe, is partially obscured so as not to film the employees".

By accessing the images recorded in the DVR, it was ascertained that "with regard to a single D4 camera relating to the safe, there are images dating back to 4 May 2022, from 00:23, as well as the dates of 5, 6, 13, 14 and 15 May (0-24); the recordings relating to the other cameras are in line with the company policy which provides for cancellation after 24 hours, by overwriting”. The Company specified that "the store manager, the administrative manager, the department managers (4 employees), the warehouse workers (3 employees), the apprentice store managers (3 employees) can access the live images".

On 30 May 2022, the Company, in resolving the reservations formulated during the inspection, sent, inter alia, an "Excel file [...] with the list of points of sale in Italy, divided by Region, with the indication of the dates of the Union Agreements/ITL Authorizations, date of activation of the systems and location of the video cameras" then "the declarations of our supplier/installer of the CCTV systems relating to the reservation formulated in the report dated 18 May 2022 on Page 2 and precisely: [ …] Declaration relating to the anomaly found with the D4 camera in the Milano Duomo IT0444 shop, object of the inspection on 17 May 2022”.

The on-site assessment at the Company's headquarters was carried out as part of the investigation established following the presentation to this Authority, on 29 March 2019 by Filcams CGIL Rome-Lazio, of a report pursuant to the 'art. 144 of the Code with which the activation of video surveillance systems in ten local units of the Company was represented in a manner that does not comply with the provisions of the law.

In fact, following a request from this Department, on 16 July 2019 the Company, in providing feedback, had declared that:

“the [...] Company has activated video surveillance systems at 12 of its 13 total points of sale currently active in Rome and Lazio and more precisely: -1. Rome, Euroma 2 Shopping Center, Viale dell'Oceano Pacifico 83, from 06/23/08 – 2. Rome Porta di Roma Shopping Center, Via Alberto Lionello, from 07/25/07 – 3. Rome, Rome East Shopping Center, Via Collatina, from 03/31/07 – 4. Rome, Via del Corso 422, from 10/24/13 – 5. Rome, La Romanina Shopping Center, Via Enrico Ferri 8, 11/12/2015 – 6. Rome, Via di Valle Aurelia 1, from 04/19/18 – 7. Rome, Via Tuscolana 785, from 10/31/13 – 8. Rome, Appio Shopping Center, Via Appia Nuova 450, from 04/16/15 – 9. Rome, Castel Romano Shopping Village, Via Ponte di Piscina Cupa 64, from 10/25/12 – 10. Fiumicino, Market Central Da Vinci Shopping Centre, Via Geminiano Montanari, from 10/19/2007 – 11. Viterbo, Via Giacomo Matteotti 40, from 17/11/2016 - 12. Latina, Corso della Repubblica 165, from 02/12/2009" (see note 16.7.2019 cit., p. 1);

"at the thirteenth point of sale in Lazio located in Rome, Centro Commerciale Gran Roma, via Prenestina bis snc, recently opened (16/05/2019) video surveillance systems have not yet been installed and the authorization request procedure is currently underway at the ITL in Rome” (see cited note, p. 1);

"on 31 May 2019 a framework agreement was signed with Filcams CGIL of Rome and Lazio in the person of the Territorial Official [...] relating to the installation and use of video surveillance systems throughout the Lazio region, to be reproduced in subsequent individual agreements for each point of sale where union representatives are present" (see cited note, p. 2);

"subsequently, on 3 June 2019, the individual agreements were concluded with the RSAs of the points of sale where they are present, i.e. in all the 12 stores described above with the exception of the one in Rome, Via Ponte di Piscina Cupa 64 (Shopping Center Castel Romano), for which authorization was obtained on 20 May 2019 pursuant to art. 4 Law 20/5/70 n. 300 by the Labor Inspectorate of Rome and that of Viterbo for which an application for authorization was sent on 18 June 2019 to the competent Territorial Labor Inspectorate of Viterbo" (see note cit., p. 2);

"all the systems indicated above are active 24 hours a day" (see note cit., p. 2);

"all the systems in question have the sole specific purpose of protecting the safety of workplaces, workers and customers and protecting the company's assets" (see cited note, p. 2);

"for all the 12 points of sale mentioned above, the subjects authorized by specific written appointments to access the images (live only) projected via the monitor in the safe office are exclusively the so-called Point of Sale Manager, namely: the director, the administrative employee, the warehouse worker, the department head and the visual. Access is permitted only through gates controlled by door-opening badges with specific levels of authorization” (see cited note, page 2);

"for all the 12 points of sale mentioned above, access to the recorded images (stored [...] for 24 hours) can only take place in the necessary presence of both the director (or, if a director is not foreseen, the department head), both delegates in writing to this activity, both of the RSA (or, if not present, of a representative of the workers designated by them) through the use of a double password combined and exclusively in the presence of a report of the acquisition of the images of the Forces of the order. All subjects authorized to access and download the recorded images have been specially appointed with a specific written appointment” (see cited note, p. 2, 3);

"in all the 12 points of sale indicated above, before the range of action of each camera, there is information in a simplified form pursuant to the Provision of this Guarantor of 8 April 2010 on video surveillance with an explicit reference to the information available to customers and workers from store managers" (see cited note, p. 3).

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 30 September 2022 the Office, on the basis of the checks carried out, pursuant to art. 166, paragraph 5, of the Code, proceeded to notify the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a), 88 of the Regulation and art. 114 of the Code.

With defense briefs sent on October 28, 2022, the Company represented that:

- "invests many resources in the development and management of an ad hoc regulatory compliance system, in order to guarantee rigorous and scrupulous compliance, within its organization, with all the rules aimed at protecting the personal data of its customers , suppliers, employees and stakeholders in general" (see note 10.28.2022 cit., p. 1);

- "in the light of what emerged during the inspection operations, it appears from the documentation submitted that, out of a total of 166 stores, the violations of this proceeding are actually limited to a small number of stores which [...] did not affect the rights and freedoms of the individuals concerned” (see cited note, p. 3);

- "the violations subject to reporting (mostly sanctioned by the competent ITL) concerned exclusively the lack of the authorization provision for the installation of the system but, in all cases, the employee had been informed by the Company of the presence of the systems themselves and was aware of who was the data controller and how to exercise their rights, if necessary. In addition, the images were overwritten every 24 hours as indicated by company policies, they were protected by a double password system (stored in a safe) and, in any case, the area being filmed was strictly limited to transit access for store personnel (except in a single case) for exclusive anti-robbery purposes and, therefore, with the aim of protecting employees from possible risks to their physical safety, since these are areas where the cash of the shops is kept" (see note cited , p. 3);

- "the violations highlighted must also be assessed within a very particular time frame, during which the Company was rapidly expanding and store openings followed one another at a rapid pace" (see cited note, p. 3);

- "unfortunately, this situation has produced some inefficiencies and, in particular, has had the effect - in the few points of sale in question - of not being perfectly compliant with the opening procedures established by the Company: the competent offices, that is, they did not notice the lack of certain documentary aspects (the authorizations for video surveillance [...]) which, however, are indicated and envisaged by the Company as part of the indispensable documentation that must be present at the opening of the points of sale" (see note cit., p. 3);

- "the violations under discussion are, therefore, simply the result of an imperfect application of the company procedures for verifying the installation process of the video surveillance system in some specific points of sale but certainly do not represent the modus operandi of [...] the Company, as demonstrated by the fact that all the other points of sale (the vast majority) were found to comply with the provisions of the law on the protection of personal data (refer to the Excel file summarizing the situation of all points of sale, with the related attached documents, produced by the Company to release the reserves [...])" (see cited note, p. 3, 4);

- "therefore, it was a "route incident" which, moreover, represented an opportunity to improve and perfect the corporate control system which, as documented by the Company [...] is today effectively proceduralized, supervised and monitored by the individual heads of internal functions, by a local data privacy coordinator assisted by an external DPO, as well as by a Group structure specifically dedicated to regulatory compliance regarding the processing of personal data" (see cited note, page 4) ;

- "regarding the 13 points of sale in Lazio [...] the non-conformities of the 10 points of sale in the metropolitan area of Rome (reported by the Union) have already been subject to sanctioning proceedings by the ITL [Territorial Labor Inspectorate] , with payment of the related fines by the Company [...]: the sales outlets in Viterbo (IT0495) and Latina (IT0357) were not subject to fines by ITL; at the thirteenth point of sale in Lazio, located in Rome, Gran Roma Shopping Center (IT0526), at the time of the ITL inspection, no video surveillance system was found to be installed" (see note cit., p. 4);

- "for the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: I) the total number of data subjects involved in the 12 points of sale where the systems in question were installed is very small in relation to the total number of employees employed by the Company in the total 166 stores (these are no more than 543 employees out of a total of approximately 4,300 employees); II) the employees of the stores concerned were, however, aware of the presence of the video surveillance system and its functioning and positioning also through the presence of brief information notices in the areas in front of the areas subject to video surveillance. Furthermore, the shop managers periodically sent the Company technical intervention communications in the event of system anomalies and the same was subject to periodic checks relating to its functioning, as required by the audit procedures in place at the time (which, today, are been integrated also with the verification of compliance with data protection rules [...]); III) the lack of the authorization documentation is therefore derived from an imperfect application of the company procedures for verifying the installation process of the video surveillance system, with the exclusion of any intentionality and malicious behavior; […] IV) as soon as it became aware of the authorization problem, the Company immediately adopted all appropriate measures to mitigate the effects of the violation found and, in particular, immediately shut down and/or uninstalled the systems until it was possession of authorisations; V) in any case, the time limit for storing images has always been limited to 24 hours as per the company's global policy" (see note cited. p. 4, 5);

- "the cameras were positioned exclusively in the back area of the shops (i.e. without filming customers, in 11 out of 12 outlets) for mere anti-robbery purposes, to protect the safety of the employees themselves. Specifically, the aforementioned cameras placed in the back area were (and still are) mainly in number of 3 (three) positioned as follows: - the first, above the entrance reserved for employees, exclusively in a transit area and not for work ; - the second, in the access corridor to the administrative office (so-called «cash office») which, for security reasons, is accessible only after identification of the staff via a monitor which only displays the area in front of the entrance door, being the office where cash and confidential employee documents are kept. Also in this case it is a transit area and not a working area; - the third, located inside the administrative office, which takes only the safe and, therefore, a small number of people given that only the managers of the sales outlets have access to this office (on average 5 managers per sales outlet)" ( see note cit., p. 6);

- "regarding the technical and organizational measures adopted by the Company in relation to all points of sale where the cameras are installed (Article 83, paragraph 2, letter d, GDPR), demonstrating the adoption of a level of security appropriate to the risk, reference is made to the documents [...]: - video surveillance policy; - audit program (annual systematic planning of internal audits at all points of sale in Italy, including an information security and data protection section also in relation to the video surveillance system); - checklist for verifying the compliance of the video surveillance systems and internal management procedures following the sending of documents to the store managers, to ascertain the effective adoption of the envisaged measures in the individual points of sale; - information to employees with a detailed description of the number and position of the individual video cameras; - specific designations to the personnel authorized to manage the images; - email of specific instructions that is sent to the shops before the cameras are activated; - image protection system using DVRs protected by double passwords (one held by the store manager of the store and the other held by a worker representative) and located in a technical room with controlled access authorized only to the managers of the sales points ; - the download of the images, [...] takes place only following receipt of the report of the acquisition of the images by the Police; - no remote access to images; - periodic survey on video surveillance systems; adoption of information to interested parties, both short and long, always available to employees (displayed on the bulletin board) as well as customers (where cameras are also present in the sales area): VII) on the part of the Company there has always been the maximum availability towards the Inspectors during the operations of the months of April and May 2022 [...]; VIII) the categories of personal data involved in the violation are limited to the images of the last 24 hours, mainly on personnel transit areas; IX) [the] Authority became aware of the violation following a report from the Lazio Territorial Union; X) following the 2019 report and the ITL dispute, the Company promptly took steps to regularize the situation in each point of sale reported, with the release of the necessary authorizations in just over a month; XI) the interested parties have not suffered any damage” (see cited note p. 6, 7);

- "regarding the Le Fontane store, Catanzaro (IT335) [...] it should be noted that the violation was the subject of a sanctioning procedure by ITL, with payment of the relative sanctions by the Company [...]. For the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: I) the violation falls within the few cases in which there was an imperfect application of the company procedures for verifying the installation process of the video surveillance system at the time of opening the store; II) the violation was discovered, incidentally, during an inspection of the ITL linked to a request for early maternity leave and not for reports deriving from the violation of employee rights; III) furthermore, all the elements already expressed above in relation to the sales outlets in Lazio are recalled" (see cited note, p. 8);

- "regarding the Centro del Molise sales point, Campobasso, Molise (IT484) [...] it should be noted that the violation has already been subject to sanctioning proceedings by ITL, with payment of the related sanctions by the Company [...] . For the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: I) the violation falls within the few cases in which there was an imperfect application of the company procedures for verifying the installation process of the video surveillance system at the time of opening the store; II) the violation was discovered, incidentally, during an ITL inspection linked to a request for early maternity leave and not for reports deriving from violations of employee rights; III) furthermore, all the elements already expressed above in relation to the sales outlets in Lazio are recalled" (see cited note, p. 8);

- "regarding the Costaverde store, Molise (IT516) [...] it should be noted that the violation has already been the subject of sanctioning proceedings by ITL, with payment of the related sanctions by the Company [...]. For the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: i) the violation falls within the cases in which there was an imperfect application of the company procedures for verifying the installation process of the video surveillance system at the time of opening the store; II) the violation was discovered, incidentally, during an ITL inspection linked to a request for early maternity leave and not for reports deriving from violations of employee rights; III) furthermore, all the elements already expressed above in relation to the sales outlets in Lazio are recalled" (see cited note, p. 9);

- “regarding the store in Gravina, Tuscany (IT545), it should be noted that there has been no violation. The Authority erroneously noted the activation dates of the video surveillance system. In the excel file filed by [...] the Company on 25 May 2022, it appears that: - the date of activation of the system is 8 November 2018 (not 11 August 2018); - the trade union agreement signed is on 25 October 2018, therefore prior to the activation of the plant" (see cited note, p. 9);

- "regarding the Lecce Mongolfiera sales point, Puglia (IT447) [...] it should be noted that there has been no violation. The Authority erroneously noted the activation dates of the video surveillance system. In the Excel file filed by [...] the Company on May 25, 2022, it appears that: - the system activation date is December 5, 2019 (not May 12, 2019); - the trade union agreement signed is on 25 June 2019, therefore prior to the activation of the plant" (see cited note, pp. 9, 10);

- "regarding the CC Due Valli store, Turin Pinerolo, Piedmont (IT520) [...] it should be noted that there has been no violation. The Authority erroneously noted the activation dates of the video surveillance system. In the Excel file filed by [...] the Company on May 25, 2022, it appears that: - the system activation date is November 8, 2019 (not August 11, 2019); - the authorization from ITL is dated 4 September 2019 and, therefore, prior to the activation of the plant" (see note cited. p. 10);

- "regarding the Milan Cathedral sales point (IT444) [...]. With reference to the technical anomaly of the D4 video camera, for the purpose of evaluating all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: a) it was an unknown, completely unpredictable and hidden technical anomaly of the DVR recording system, as also demonstrated by the fact that the recording did not take place continuously, but it is limited to some random time period within the days […]; b) it was a single video camera out of a total of 27, which also filmed the area close to the safe, i.e. [...] a limited area, where the transit of people is extremely limited and sporadic and it only concerns store managers (the only personnel authorized to access the area); c) the statement that the D4 camera would have malfunctioned "from the installation of the aforesaid camera and until 23 May 2022" (page 8, your communication) is not considered correct: from the on-site checks carried out personally by the Inspectors, it emerged that the anomaly did not occur before May 4, 2022 at 00:23. In fact, the Inspectors verified that, before that date, there were no other recordings saved, therefore the exposure time beyond 24 hours was very limited (less than 15 days and for non-continuous fractions of time)” (see note cit., p. 10, 11);

- "regarding the store in Stezzano, Bergamo (IT412) [...] for the purpose of assessing all the useful elements pursuant to and for the purposes of art. 83, par. 2, GDPR, it should be noted that: a) the circumstance noted by [the] Authority is evidently the result of an erroneous drafting of the second authorization by ITL, considering that the first authorization issued by ITL itself was exactly compliant with the requirements by the Company and the factual situation in the store (24-hour registration), as also reported in the disclosure pursuant to art. 13 GDPR delivered to employees; b) the Company, in good faith, assumed that the second authorization was identical in content to the first and, that is, it allowed the recording of the images for 24 hours of recording and was not aware of the discrepancy and, that is, that the 'ITL had modified this requirement, limiting it only to the night period, in which the staff was absent; c) [...] the Company would like to underline and reiterate that the employees have received information conforming to the effective registration for all 24 hours and, therefore, the interested parties have not suffered any violation of their rights nor have they suffered any damage; d) as soon as the Company took note of the error in the second authorization from ITL, it proceeded to deactivate the plant to comply with the authorization provision erroneously drafted by ITL itself; e) it should be added, however, that ITL became aware of the error and, on 14 October 2022, corrected its provision, authorizing registration for 24 hours, as requested by the Company from the outset […] f ) in any case, it should be noted that the period of the infringement was limited in time; also in this case, it was only the three cameras in the back area, 2 of which guarded the personnel entrances (transit area and not in the sales area) and one above the safe with the involvement of a very small number of employees (at the Stezzano sales point there are a total of 14 employees), always and exclusively for purely anti-robbery purposes” (see cited note, p. 11, 12);

- "in compliance [...] with the request of [the] Authority [...] we produce: - documentation of the Conegliano Veneto sales point (IT0396): ITL authorization of 23 October 2019, system activation on 2 September 2022 [...] – documentation of the Forlì sales point (IT0398): ITL authorization dated 18 February 2020, system activation dated 12 October 2022" (see cited note, p. 12).

3. The outcome of the investigation and of the procedure for the adoption of corrective and sanctioning measures.

As a result of the examination of the declarations made to the Authority during the proceeding as well as of the documentation acquired, it appears that the Company, as owner, has carried out some processing operations which do not comply with the regulations on the protection of personal data .
In this regard, it should be noted that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

3.1. Treatments carried out, through video surveillance systems, in the absence of an agreement with the union representatives or authorization from the Labor Inspectorate.

On the merits, it emerged that the Company, also on the basis of what it has declared, has installed and used video surveillance systems at a variety of points of sale, suitable for filming workers during their working activity, in the absence of an agreement with the union representatives o authorization issued by the Labor Inspectorate pursuant to art. 4 of law no. 300 from 1970.

In particular, it was found that the Company installed and activated video surveillance systems, in the following points of sale, on the specifically indicated dates:

Point of sale  Activation date

Rome Shopping Center Euroma 2, Viale dell'Oceano Pacifico 83 23/06/08



Rome Porta di Roma Shopping Center, Via Alberto Lionello 25/07/07

Rome East Rome Shopping Center, Via Collatina 31/03/07

Rome Via del Corso 422 10/24/13

Rome La Romanina Shopping Center, Via Enrico Ferri 8 12/11/15

Rome Via di Valle Aurelia 1 19/04/18

Rome Via Tuscolana 785 10/31/13

Rome Appio Shopping Center, Via Appia Nuova 450 16/04/15

Rome Shopping Village Castel Romano, Via Ponte di Piscina Cupa 64 25/10/12

Fiumicino Da Vinci Shopping Center, Via Geminiano Montanari 10/19/07

Viterbo Via Giacomo Matteotti 40 17/11/16

Latin Corso della Repubblica 165 02/12/09



With reference to these systems, only on 31 May 2019 was a framework agreement signed with Filcams CGIL of Rome and Lazio relating to the installation and use of video surveillance systems throughout the Lazio region, to be reproduced, in subsequent individual agreements, for each point of sale where union representatives are present.

As a consequence of this, with reference to the points of sale indicated above, the agreements with the union representatives were stipulated after 31 May 2019 (precisely on 3 June 2019) and, therefore, only after significant periods of time from their installation and activation.

As regards the shop in Rome, via Ponte di Piscina Cupa 64, the authorization from the Labor Inspectorate was issued on 20 May 2019 and as regards the shop in Viterbo on 19 July 2019.

It was also ascertained that the Company had recourse to video surveillance systems, before entering into an agreement with the trade union representatives or obtaining the release of the authorization from the Labor Inspectorate pursuant to art. 4 of law no. 300 of 1970 (see Excel file provided by the Company), also at the shops:

Point of sale Activation date

The Fountains, Catanzaro (IT0335) 8/26/17

Center of Molise, Campobasso, Molise (IT0484) 10/11/16

Costaverde, Molise (IT0516) 17/11/16

Gavinana Center, Tuscany (IT0545) 11/8/18

Lecce hot air balloon, Puglia (IT0447) 12/5/19

Due Valli Shopping Center, Turin Pinerolo, Piedmont (IT0520) 11/8/19



With reference to these points of sale, in fact, precisely from the examination of the Excel file delivered by the Company on 25 May 2022, to resolve the reservations formulated during the inspection, it emerged that: only on 10/18/2018, was authorization issued by the Labor Inspectorate for the Le Fontane shop, Catanzaro (IT0335); only on 13/5/2019, the authorization was issued by the Labor Inspectorate for the Centro del Molise shop, Campobasso, Molise (IT0484); only on 21/12/2018, the authorization was issued for the Costaverde store, Molise (IT0516); only on 25/10/2018, the first agreement was signed with the union representatives for the Centro Gavinana store, Tuscany (IT0545); only on 25/6/2019, was the agreement signed with the trade union representatives for the Lecce Mongolfiera shop, Puglia (IT0447); only on 4/9/2019, the authorization was issued by the Labor Inspectorate for the Due Valli Shopping Centre, Turin Pinerolo, Piedmont (IT0520).

With reference to what has been ascertained above regarding the use of video surveillance systems in the context of the Company's commercial establishments, it is recalled that the processing of personal data carried out in the context of the employment relationship, if necessary for the purpose of managing the relationship itself ( v., as regards the so-called common data, Article 6, paragraph 1, letters b) and c) of the Regulation), must be carried out in compliance with the general principles indicated by the art. 5 of the Regulation, and, in particular, of the principle of lawfulness, on the basis of which the processing is lawful if it complies with the applicable sector regulations (Article 5, paragraph 1, letter a) of the Regulation).

Consistent with this approach, the art. 88 of the Regulation is without prejudice to the national rules of greater protection ("more specific rules") aimed at ensuring the protection of rights and freedoms with regard to the processing of workers' personal data. The national legislator has approved, as a more specific provision, art. 114 of the Code which, among the conditions of lawfulness of the treatment, established the observance of the provisions of art. 4, the. no. 300 of 1970. The violation of the aforementioned art. 88 of the Regulation is subject, if the requisites are met, to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, letter. d) of the Regulation.

Based on the aforementioned art. 4, the. no. 300 of 1970, video surveillance equipment, if from the same derives "also the possibility of remote control" of employee activity, "may be used exclusively for organizational and production needs, for workplace safety and for the protection of company assets ” and the relative installation must, in any case, be carried out following the stipulation of a collective agreement with the unitary trade union representatives or with the company union representatives or, where it has not been possible to reach such an agreement or in the absence of the representatives, only in preceded by the issue of a specific authorization by the Labor Inspectorate.

The activation and conclusion of this guarantee procedure is therefore an indefectible condition for the installation of video surveillance systems. Violation of this provision is punishable by law (see article 171 of the Code).

Considering the above, it is therefore ascertained that the Company has processed personal data through video surveillance systems capable of filming workers during the course of their work (the Company itself has specified that "all employees [are] involved in the processing [through video surveillance systems], due to the location of the cameras in the area reserved for employees, in areas where all employees are required to pass", report of operations performed 28.4.2022, p. 5) in a manner different from the provisions of system, in particular, without having activated the guarantee procedure provided for by art. 4 of law no. 300 of 1970, a guarantee procedure which, according to what was declared by the Company, is managed by the latter, therefore in a centralized way (in this regard it has been declared, in fact, that "the company, which plays the role of data controller, a once an agreement has been reached with the RSA where present or, in the absence of trade union representation, once authorization has been obtained from the specific Territorial Labor Inspectorate (ITL), it shall send the documentation relating to the disclosure to the shop manager, specifying also the characteristics of the treatment", report of operations performed 28.4.2022, p. 3, and "the management of relations with the trade union representatives or with the ITL, for the purpose of installing the video surveillance systems, is carried out centrally and in unified way for all the stores, as well as the relationship with the company that takes care of the installation and activation of the systems", report of operations performed 29.4.2022, p. 2).

The activation of the aforementioned guarantee procedure does not integrate a mere formality nor can it be qualified, as instead claimed by the Company, as a simple "lack of some documentary aspects".

The aforementioned guarantee procedure, as repeatedly underlined also by the legitimacy jurisprudence, "protects interests of a collective and super-individual nature", whereby, in the event that the employer does not activate it, his conduct will harm the collective interests in defense of which it is set (see, among others, Court of Cassation, section III pen., 12.17.2019, n. 50919).

Only through this procedure, therefore, through the trade union representatives or the Labor Inspectorate, can the suitability of damaging the dignity of workers of technological tools from which remote control of workers may derive be possible be assessed and can the effective compliance of these systems with technical-production or safety requirements. The mandatory nature of the aforementioned procedure also responds to the situation of disproportion existing between the position of the employer and that of the workers.

Among other things, and in any case, the same Company admitted that the situation deriving from the "violations to be reported" "unfortunately produced some inefficiencies and, in particular, had the effect [...] of not being perfectly compliant with the opening procedures established by the Company".

From the documentation produced, therefore, it emerged that for a significant period of time the management, at a national level, of the Company with reference to the treatments deriving from the use of video surveillance systems, in many points of sale, was at least confused, not rigorous and not punctual, despite the importance of activating the aforementioned guarantee procedure.

The treatments in question were found to be illegal, in some cases, up to the deactivation of the video cameras following the intervention of the Labor Inspectorate for the shops subject to inspection by the latter and, for the others, up to the stipulation of the agreement or the issuance of the authorisation.

It should also be considered that, as declared by the Company itself, the processing involved no more than 543 employees: a very significant number of data subjects, therefore.

Furthermore, the circumstance, represented by the Company, that the employees had been informed of the presence of the plant and its functioning and positioning also through brief information posted in the areas in front of the areas covered by the shooting.

In fact, it is not a sufficient element (albeit necessary) to inform pursuant to art. 13 of the Regulation, the employees regarding the characteristics of the treatment carried out through video surveillance systems, precisely considering the already highlighted mandatory nature of the procedure.

With regard, then, to the objection of the Company according to which the cameras, in most cases, would film "an area of passage and not of work activity" it is recalled that the Guarantor has constantly considered that even the areas in which they transit or stop - sometimes continuously - employees (e.g. accesses to the structure and garages, goods loading/unloading areas, vehicle and pedestrian entrances), if subjected to video surveillance, are subject to the full application of the regulations on the protection of personal data ( see, among others, provisions of 16 September 2021, no. 331, web doc. no. 9719768; 30 July 2015, no. 455, web doc. no. 4261028; 4 July 2013, no. 334, doc. web no. 2577203; 18 April 2013, nos. 199 and 200, web doc. no. 2483269; 9 February 2012, no. 56, web doc. no. 188699; 17 November 2011, no. 434, web doc. no. 1859558; 26 February 2009, web doc. n. 1601522).

Moreover, this is in accordance with the provisions of the legitimacy jurisprudence (see Cass. March 6, 1986, n. 1490; see also, with reference to an instrument other than video surveillance, Cassation n. 15892 dated March 13, 2007).

In the present case, the video recording systems are positioned in such a way as to film areas where, precisely, employees necessarily transit to carry out their work activity or even to go inside areas where the work activity takes place ( entrances reserved for employees, access corridors to the administrative office, administrative office).

The conduct held by the Company therefore constitutes a violation of the principle of lawfulness of processing (Article 5, paragraph 1, letter a) of the Regulation in relation to Article 114 of the Code) and art. 88 of the Regulation as regards the applicable discipline on the matter.

As regards the aforementioned points of sale in Lazio, in relation to which the Company specified that 10 were "subject to sanctions by the ITL" and that "the points of sale in Viterbo (IT0495) and Latina (IT0357) were not subject to sanction by the ITL”, it is recalled that the powers that the law recognizes to the Guarantor for the protection of personal data, which concern the processing of personal data, with reference to art. 114 of the Code, are added to (and do not replace or diminish) the powers of the Labor Inspectorate.

Therefore, where the Authority deems the violation of art. 114 of the Code, must ascertain the same, providing for the necessary corrective and sanctioning measures, both in the case in which the Inspectorate has proceeded, for the profiles within its competence, to sanction the person who has behaved in violation of art. 4 of law 300 of 1970, and in the event that the same has not done so.

The art. 4 of law no. 300 of 1970 provides for the competence of the INL to issue the administrative authorization necessary for the installation of audiovisual systems and other tools from which also derives the possibility of remote control of workers for organizational and production needs, for safety at work and for the protection of corporate assets, therefore with reference to purely labor profiles.

The art. 114 of the Code hinges on the Guarantor's competence in relation to verifying compliance with the personal data protection regulations also for the purposes of remote controls, attributing both sanctioning and corrective powers, providing, among other things, its own completely different legal framework from that envisaged for the labor side.

The areas of operation of the two disciplines, although connected, are therefore autonomous. As part of the assessments relating to the proportion of the sanction applicable to the specific case, the Authority may in any case take into account the administrative sanctions applied by the Inspectorate and paid by the Company.

3.2. Processing of personal data carried out in violation of what was authorized by the Labor Inspectorate.

It has also been ascertained that the Company, at the Milan store (Duomo) has, using the D4 video camera relating to the safe, recorded and stored the images for a time exceeding the term established in the agreement stipulated pursuant to art. 4 of Law no. 300 of 1970 equal to 24 hours (on 17.5.2022, during the inspection, in fact, images were found dating back to 4 May 2022, from 00:23, as well as the dates of 5, 6, 13, 14 and 15 May, 0-24).

In this regard, the Company, in resolving the reservations formulated during the inspection, presented a statement from the installer Project Impianti s.r.l. according to which “the anomalous recordings kept for more than 24 hours by the aforementioned video camera depended on a technical problem. Specifically, we verified that the camera was not set correctly compared to the others, most likely due to a technical error in the programming phase of the same given that each device must be configured individually both in terms of settings and in terms of addressing".

In this regard, it was also declared that "this anomaly was resolved by our technicians on [23.5.2022] and that the system is now new and perfectly functional and only keeps the images for 24 hours".

In the defense writings, the Company specified that "the anomaly [of the aforementioned camera] did not occur before 4 May 2022 at 00:23", considering that only images dating back to that date were found during the inspection.

This said, despite the fact that the anomaly of the camera in question depended on the setting of the same in the installer's declaration presented by the Company, given that during the inspection, images recorded by the camera in question dating back to 4 May 2022 were found , it is ascertained that the Company has, through the D4 video camera relating to the safe at the store in Milan (Duomo), processed personal data in violation of what is explicitly provided for in the agreement stipulated on 1 April 2015 with the trade union representatives ( the agreement provides, in this regard, that "the images will not be kept for a period exceeding 24 hours after this period they will be automatically deleted") at least from 4 May 2022 (and not from the date of installation of the same, as indicated in the dispute of the 30.9.2022) until 23 May 2022.

It was also ascertained that, in the Stezzano (BG) store, the Company, from September 2021 (the date, according to what was declared by the Company, of the installation of a camera that was previously positioned outside, inside the store and, therefore, modification of the plant, with respect to what was authorized by the Inspectorate) and until the inspection assessment carried out by the Guarantor, as reported in the report of the assessment of 17 May 2022, kept the cameras activated even during working hours, despite the 'Labour Inspectorate had specified, in the authorization of 4.3.2020 (authorization which replaced that of 13.1.2020), that "The two internal cameras located in the Staff Area [...] must remain switched off during the opening hours of the operational headquarters to customers".

In this regard, the Company declared that it had taken note of the hourly limitation of the operation of the cameras only in preparing the documentation requested by the Authority and that it had, consequently, proceeded to switch them off (see report of operations carried out 17.5.2022).

The Company has also declared, limiting itself to attaching, in addition to the first two authorizations issued by the Labor Inspectorate, also the new authorization issued on 14 October 2022 by the Labor Inspectorate, that the limitation of the activation of the video surveillance system it would derive from an "erroneous drafting of the second authorization by the ITL".

In this regard, we limit ourselves to observing that it is the responsibility of the Company that has requested authorization from the Inspectorate to verify its content at the time of release and to adjust the treatment accordingly or to ask the Inspectorate for clarifications or corrections, if necessary, also having regard to the principle of accountability (Article 5, paragraph 2, of the Regulation).

Therefore, for the above, the conduct held by the Company constitutes a violation of the principle of lawfulness of processing (Article 5, paragraph 1, letter a) of the Regulation in relation to Article 114 of the Code) and art. 88 of the Regulation as regards the applicable discipline on the matter.

4. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and which are therefore unsuitable to allow the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

The processing of personal data carried out by the Company through video surveillance systems is in fact illegal, in the terms set out above, in relation to articles 5, par. 1, lit. a), 88 of the Regulation and 114 of the Code.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility, the manner in which the supervisory authority became aware of the violation (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding it appears that H&M Hennes & Mauritz s.r.l. has violated the articles 5, par. 1, lit. a), 88 of the Regulation and 114 of the Code. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction envisaged by art. 83, par. 5, letter. a), d) of the Regulation, through the adoption of an injunction order (art. 18, law 11.24.1981, n. 689).

Considering it necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the fine must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the general principles of processing, and, in particular, the principle of lawfulness (with reference to the specific provisions relating to processing in the scope of the employment relationship); the considerable periods of time in which the Company used video surveillance systems without having activated the guarantee procedure pursuant to art. 4 of law no. 300 of 1970 and the significant number of interested parties involved and the fact that the violation involved various locations and different profiles (absence of authorization and treatments carried out in violation of the authorizations issued) demonstrating an overall inadequate management of the process of implementation of the discipline in the context of the employment relationship;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same was taken into consideration, which complied with the data protection regulations only following the activity of the Labor Authority and Inspectorate;

c) in favor of the Company, the cooperation with the Authority was taken into account in order to remedy the violations and the absence of previous relevant violations against the Company.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues earned by the Company with reference to the ordinary financial statements for the year 2021.

For the proportioning of the fine, it was also taken into consideration that, in relation to some of the points of sale affected by the violations ascertained by the Authority, the Company, following an inspection by the Labor Inspectorate, proceeded to pay the sum envisaged for the conduct in relation to the profiles integrating the offense deriving from the violation of the combined provisions of the articles 4 and 38 of the law. no. 300 from 1970.

Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply against H&M Hennes & Mauritz s.r.l. the administrative sanction of the payment of a sum equal to 50,000 (fifty thousand) euros.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of treatment, in particular the principle of lawfulness, that pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by H&M Hennes & Mauritz s.r.l., in the person of its legal representative, with registered office in Via Turati, Milan, 9, 20121, Tax Code 03269110965, pursuant to art. 143 of the Code, for the violation of the articles 5, par. 1, lit. a), 88 of the Regulation and 114 of the Code;

ORDER

pursuant to art. 58, par. 2, lit. i) of the Regulations to H&M Hennes & Mauritz s.r.l., to pay the sum of 50,000 (fifty thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOYS

then to the same Company to pay the aforementioned sum of 50,000 (fifty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions set forth in art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, March 2, 2023

PRESIDENT
Station

THE SPEAKER
guille

THE DEPUTY SECRETARY GENERAL
Philippi