Garante per la protezione dei dati personali (Italy) - 10128005
Garante per la protezione dei dati personali - 10128005 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(b) GDPR; Article 5(1)(c) GDPR; Article 5(1)(a) GDPR; Article 6 GDPR; Article 13 GDPR; Article 25 GDPR; Article 35 GDPR; Article 88 GDPR; Guidelines 3/2019 on processing of personal data through video devices; Guidelines 4/2019 on Article 25 Data Protection by Design and by Default; Guidelines on Consent under Regulation 2016/679; Opinion 2/2017 on data processing at work; Article 18, L. 81/2017; Article 4, L. 300/1970 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13 March 2025 |
Published: | |
Fine: | 50,000 EUR |
Parties: | Azienda regionale per lo sviluppo dell'agricoltura calabrese |
National Case Number/Name: | 10128005 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante per la protezione dei dati personali (in IT) |
Initial Contributor: | ligialagev |
The DPA fined a local public entity €50,000 for unlawfully geo-tracking employees during remote work in order to monitor compliance with workplace agreements. The DPA clarified that employers cannot bring disciplinary proceedings based on unlawfully collected data.
English Summary
Facts
The Calabrian Regional Agency for Agricultural Development (the controller) implemented a remote work policy that required employees to use a time-tracking application called "Time Relax" when working remotely. The application required employees to enable location services on their devices and collected their precise geographical coordinates during clock-in and clock-out procedures. The controller used this geolocation data to verify that employees were working from locations specified in their individual remote work agreements.
In addition to routine location tracking during daily time-stamping, the controller conducted targeted inspections of specific employees. During these inspections, an officer would call the employee during their availability hours and request them to perform double time-stamping (clock-in and clock-out) through the Time Relax application. The employee was then required to send an email declaring their exact location during the inspection. The officer would subsequently verify whether the declared location matched both the email declaration and the location data recorded by the application.
An employee of the controller (the data subject) was subjected to such an inspection. The controller found discrepancies between their declared work location in the remote work agreement and their actual location during the inspection. On these grounds, the controller initiated disciplinary proceedings against the data subject.
The data subject filed a complaint with the DPA, alleging violations of data protection principles. Additionally, the Department of Public Administration reported the controller's practices to the DPA.
During the proceedings, the controller claimed that the monitoring was carried out with the consent of its employees. The controller also pointed out that its monitoring system was implemented in agreement with trade union representatives, as required under Italian labor law.
Holding
Overall, the DPA found violations of Articles 5(1)(a), (b) and (c), and 6 GDPR, as well as Article 113 of the Italian Data Protection Code[1]. On these grounds, the DPA issued a €50,000 fine.
On purpose limitation and Italian law
The DPA clarified that the remote monitoring of employees is prohibited in Italian law, with limited exemptions when the monitoring is necessary for legally specified purposes ("for organisational and productive necessities"; "for workplace safety"; "for the protection of company assets")[2].
The DPA held that in the case at hand, remote monitoring did not fall under an exemption and was illegal under the Italian law.
For this reason, the DPA concluded that the processing violated the principle of purpose limitation (Article 5(1)(b) GDPR), as it pursued an illegal purpose under Italian law.
In this regard, the DPA held it irrelevant that trade union representatives agreed to the monitoring system beforehand. The DPA clarified that data protection law and labor law are complementary. So, an agreement with trade union representatives did not exempt the controller from complying with the GDPR.
On the DPA's other findings
Second, the DPA held that the controller could not collect valid consent from its employees. In this regard, the DPA referenced EDPB and WP29 guidance, as well as the DPA's own case law.
Furthermore, because the collection of personal data was unlawful, the further processing of the same data for the purpose of bringing disciplinary proceedings against the data subject was also unlawful. Therefore, the further processing of personal data in the context of disciplinary proceedings violated Articles 5(1)(a), (b) and 6 GDPR. In this regard, the DPA referenced Recital 50 of the GDPR as well as the Italian data protection code[3].
The DPA also considered that the controller failed to conduct a Data Protection Impact Assessment (DPIA). Given that processing employee geolocation data in remote work contexts presents high risks to rights and freedoms, particularly considering the vulnerability of employees in workplace contexts and the systematic monitoring involved, a DPIA was clearly required under Article 35 GDPR.
Additionally, the DPA found that the systematic collection of precise location information went beyond what was necessary for managing remote work arrangements. So, the monitoring violated the principle of data minimisation as well as Article 113 of the Italian Data Protection Code.
Finally, the DPA found violations of the transparency requirements under Article 13 GDPR because the controller's documentation did not contain all essential information required. Additionally, the documentation containing the information was never meant to serve as a privacy notice and was drafted to fulfill different obligations.
Comment
The DPA did not explain why consent was not a valid legal basis in the case at hand. However, the reasoning is somewhat implied by the reference to EDPB guidance and to the DPA's own case law. The power imbalance between employer and employee is such that an employee's consent is typically not "freely given", as required by Art. 4(11) GDPR. For this reason, the EDPB discourages employers from processing employee data based on the employees' consent (with narrow exceptions).
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO: NEWSLETTER OF MAY 8, 2025
[web doc. n. 10128005]
Provision of March 13, 2025
Register of provisions n. 135 of March 13, 2025
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councilor Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);
HAVING REGARD to Legislative Decree no. 196 of 30 June 2003 containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter the “Code”);
CONSIDERING Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Data Protection Authority no. 1/2019”);
Having seen the documentation in the files;
Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. n. 1098801;
Rapporteur: Attorney Guido Scorza;
WHEREAS
1. Introduction.
This provision concerns the complaint lodged by Mrs. XX on XX, as subsequently integrated on XX, and the report submitted, pending the investigation already started in response to the aforementioned complaint, on XX by the Department of Public Function of the Presidency of the Council of Ministers, both concerning the processing, by the Regional Agency for Development and Services in Agriculture (hereinafter also “ARSAC” or “Company”), of data relating to the geolocation of personnel who carry out their work activity in smart working mode.
1.1. The complaint
In particular, with the aforementioned complaint, the interested party, an employee of the Company, complained of alleged violations in the field of personal data protection with reference to the performance of certain checks, carried out by the Company on XX and XX, to verify the compatibility of the geographical position from which the complainant was carrying out her work in agile mode with respect to what is indicated in the individual agreement on agile work signed between the complainant and the Company. More specifically, from the complaint and the documentation attached to it, it emerges, in particular, that:
- in the context of the aforementioned checks, "the employee was asked, in order to carry out the check regarding the workstation for agile work, that she should have carried out: a stamping on the TIMERELAX platform both on exit and on entry, the employee carried out the following stampings: at 09.29 on exit and at 09.30 on return, subsequently she was asked to send an email with reference to the check carried out in agile work, to the institutional email address of the [employee responsible for carrying out the control]” (see the Company report entitled Smart Working Control Report no. XX of XX);
- “from the control carried out, the geolocalization, even if at times the maps used are not completely updated, was found to be incompatible with what was declared and granted in the smart working contract stipulated with ARSAC. From the control stamping, the employee was found to be present in Piazzale […], while the closest location, required in the Agile Work contract, was found to be Via […], which is approximately 40-50 km from the georeferenced point. The same employee in the control phone call […] immediately mentioned the inconsistency of the position” (see the Company report called Agile Work Control Report no. XX of XX);
- “another inconsistency detected, in the monitoring carried out by the [employee in charge of carrying out the control] on day XX in which the employee was again in agile work, concerns the entry stamping, carried out by the employee via smartphone, which is geolocalized [… at …], which is approximately 5 km from the closest location communicated in the contract, Via […]” (see the Company report called Agile Work Control Report no. XX of XX);
- the complainant was charged with a disciplinary charge on the basis of the alleged “failure to comply with the times and methods of the procedures set out in the regulation relating to the performance of the work in agile mode” and the detected “discrepancy between the declared location and the geolocation ascertained by the Inspection Office in carrying out the checks” (see note contesting the disciplinary charge, of XX);
- “ARSAC asks employees to report the performance of work activities in agile mode via PC or smartphone [… via the application] Time Relax [… which] requires the location service to be enabled at the time of access […], and once the location has been consented to, it waits for the GPS signal […], and then finally erroneously locates the position […] at the time of stamping. The above applies to both entry and exit stamping” (see note of XX);
- “however, no information was provided to the employee on the processing of personal data that would be carried out by the employer” (see note of XX).
1.2. The report of the Department of Public Function of the Presidency of the Council of Ministers
With report of XX, the Department of Public Function of the Presidency of the Council of Ministers reported to the Guarantor through the Inspectorate for Public Function, within the scope of its institutional duties and for the follow-ups of its competence (see art. 60, paragraph 6, of Legislative Decree 30 March 2001, no. 165), that it had “become aware of practices that could be in conflict with the legislation on the protection of personal data implemented at the Regional Agency for the Development of Calabrian Agriculture (ARSAC)”.
In detail, the report shows that the aforementioned Department of Public Function had “having learned that the Procedures Control Unit-Inspectorate of the aforementioned Body would carry out the localization of the devices (notebooks and smartphones) used by its employees on the days in which they carry out their work activity in the agile working mode referred to in art. 18 of Law 81/2017” and that “with a note of XX [… had already] requested the Extraordinary Commissioner of ARSAC to provide detailed and timely elements regarding the lawfulness of the data processing carried out”.
In light of the foregoing, the aforementioned Department of Public Function deemed it necessary to “provid[e] for the transmission of the documentation received for the assessments within the competence of [… the Guarantor], requesting that [… the] Inspectorate be kept informed”.
2. The preliminary investigation.
Within the scope of the preliminary investigation, with a note of XX, ARSAC declared, in particular, that: “the monitoring of the actual performance of work in agile mode by the head of the Procedure Control Unit is based on criteria agreed with the management. [… This] is carried out only on the days and in the time slot granted to the employee (so-called contact time slot), and with the tools and methods necessary for such verification, including the Time relax platform according to the provisions contained in the Regulation on agile work […] adopted by this Body and the related individual employment contract”; “in particular, the Agile Work control is carried out through a direct call to the employee by the head of the Control-Inspection Organizational Unit, always in compliance with the contact time slot, with which the same employee is invited to perform a double clocking in using the Time relax application, one on entry and one on exit, subject to prior consent to geolocation, otherwise remote clocking in would not be possible in the context of agile work; subsequently, the employee subjected to inspection is invited to send an email in reference to the object of the inspection carried out in smart working to the institutional email address of the Control Unit, so that the worker can declare the exact place where he is at the time of the stampings subject to inspection. In the next phase, the aforementioned manager proceeds to reorganize the information acquired, in order to verify the correspondence between the place or places of work indicated by the worker in the individual smart working contract with respect to that declared in the email and resulting in the Time relax application on the day and at the time subject to inspection. 
The results of said control activity are included in the Visit/Inspection Report, which, in a sealed envelope, is delivered, via internal protocol to the Institution, to the General Director of A.R.S.A.C.”; “the [… complainant] with the aforementioned individual agreement has expressed its consent to the processing of personal data by the Institution aimed at fulfilling the necessary obligations for carrying out the procedure for participation in the smart working method. This is indeed an informed consent also in reference to this specific aspect”; “the Time relax application is technically presented as a geolocation platform as far as the presence detection operations (clocking in) are concerned, the use of which was ratified upstream by means of an agreement with the trade union representatives, in full compliance with art. 4 of Law 300/1970 and subsequent amendments, according to the minutes of the XX delegation meeting […] in which the “Company regulation of agile work” was approved […] including the use of the geolocation function solely and exclusively for the purposes of clocking in. […] The use of the Time relax platform as a verification system for carrying out agile work was then included in the “Agile work of the PIAO period XX” section […]”; “the legal basis for the processing of personal data relating to the geographical position of workers in agile mode, which makes such processing lawful, is constituted, upstream, by the cit. union agreement of XX referred to in A.R.S.A.C. protocol no. XX […] of ratification/approval of the “Company Regulations on agile work”” (see also supplementary minutes-agreement of XX)”; “to this end, the employee, for his/her own protection, on the days authorised for agile work, is required to register his/her presence on the “time relax” application including the request and use of any personal permits [… ].
This procedure, as already highlighted and documented, was also followed in relation to the agile work request made by [… complainant] in XX and reiterated for the year XX, according to the attached individual agreement, from which it is clearly evident that the same [… complainant] has expressed suitable informed consent to the processing of data also with reference to geolocation”; “the [… complainant], as well as any other employee concerned, was given adequate information, pursuant to art. 13 of the Regulation, also considering the provisions of art. 4, paragraph 3, of Law 20 May 1970, no. 300”; "the aforementioned choice is part of the exercise of the employer's powers of work organization where the service is performed by the worker outside the company premises and, this with a view to ensuring first and foremost the protection of the worker's safety and health in the workplace even in smart working mode, in accordance with the provisions of Law 81/2017 and subsequent amendments, and, at the same time, the protection of data confidentiality, which the public employee is required to comply with in light of Presidential Decree no. 62/2013 and subsequent amendments and the current A.R.S.A.C. Code of Conduct. In fact, said application does not allow the storage of geographic coordinates but only allows, at the time of stamping, upon entry/exit, to detect the location where the worker authorized to work smart working is located. It is specified that no other detections are carried out during working hours other than the aforementioned inspection control, which in any case - it is reiterated - is completely hypothetical and random, and is carried out by means of a telephone warning that precedes the verification stamping. 
This control, due to its random nature, is in all respects comparable to that usually carried out by the inspection service on personnel in attendance"; “The “Time relax” application necessarily requires, after its installation on the computer device chosen by the employee, access protected by “USERNAME AND PASSWORD”, which are communicated by the employee via email during registration to the system. Once logged in, the app presents the employee with a screen in which the name and surname that has been registered appears so that the employee is able to confirm their identity and informs them of any requests for supporting documents, requests for stamping, messages and information on deductible balances. At this point the employee can decide whether to perform geolocalized stamping. When accessing the stamping function, the Time Relax App requires the employee's consent to be able to access the position. Once consent is given, only at that point does the app begin searching for the position. Once the position has been verified, the employee can decide when to perform the stamping, selecting the direction (start or end of the activity). Only and exclusively at this point does the App request the geographical coordinates of the position in which they are located from the smartphone and transmit them to the system for collecting the stampings together with the worker's identification code, the direction of stamping and the date and time of execution. […]. Within Time Relax, the data is available to employees who already carry out personnel management and administration activities, as well as to the hierarchical superiors of each employee. Specifically, the subjects who have access to the data of smart working are: the Manager, the stamping station, the Company that owns the Time relax platform in the capacity of its Data Processing Manager […] and the person in charge of the inspection service […]”. 
With a note of XX, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged during the investigation, notified ARSAC, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation. This is because the processing of data relating to the geographical location of the generality of employees in smart working and the subsequent use of the same to initiate disciplinary proceedings against the complainant were found to have occurred in violation of Articles 5, paragraph 1, letters a), b) and c), 6, 13, 25, 35 and 88 of the Regulation and Articles 113 and 114 of the Code. With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981). With a note of XX, ARSAC, in expressing its willingness to be heard by the Authority pursuant to Article 166, paragraph 6, of the Code and reserving the right to produce further defensive documentation, including also the elements referred to in art. 83 of the Regulation, requested by the Authority with the aforementioned XX, stated that "on XX, the "geolocalization" function of the TIMERELAX "clocking" platform was deactivated, in self-protection". At the hearing, held on XX, ARSAC read the defense documentation subsequently transmitted with note of XX, from which it appears, among other things, that: - “the disciplinary proceedings (currently suspended) against the employee […] began with a random check carried out on the basis of the guidelines of the ARSAC inspection service, on a percentage equal to 20% of employees in smart working […]. 
The employee, at the time of the check, mentioned an inconsistency regarding the place where the work activity was carried out in smart working mode. The place was different from the three indicated in the signed contract”; “the data relating to geolocation was not assessed for the purposes of the entire proceedings since the employee herself declared […] to be in a different place from those indicated in her smart working contract”; - “the contract signed by the employee provided for the performance of the work in […] places […] that do not correspond to the place where the employee was at the time of the check […]”; “the employee declares that she performed her work in a “bed & breakfast […], communicating this discrepancy to her manager only on XX”; - “the prohibition, pursuant to art. 4, Stat. lav., of the use of equipment for the purpose of remote monitoring of workers' activity, was respected by ARSAC, since the control of geolocation was aimed at an organizational, production and workplace safety need (the employee was located tens of kilometers away from the point communicated in the authorization for smart working) and not for disciplinary purposes, so much so that the disciplinary procedure was activated not because of the viewing of the geolocalized position (as the employee claims in the complaint) but because the interested party said, on the phone, that she was not in the place she had originally communicated, and in any case this procedure was suspended and the interested party did not receive any sanction"; - "the processing of personal data [… in question concerned] a limited number of employees (about 100 out of 540)"; "the same geolocation function was deactivated at XX"; - "the processing of data through virtual stamping had to include geolocation on the legal basis of the general administrative act [ARSAC Resolution no. XX of XX] pursuant to art. 2-ter, paragraphs 1 and 1-bis, of Legislative Decree no. 196/2003 and subsequent amendments. 
[… as] shared with the internal Data Protection Officer appointed at the time. The use of geolocation […] allowed the employer to verify that the worker was carrying out his/her activity in the appropriate location […]. However, only the data relating to the workplace and that relating to entry and exit were retained. The use of the Time Relax APP with geolocation function was activated with the sole purpose of providing workers with greater guarantees in the context of smart working, in particular, the possibility of using permits for work (to carry out activities also at other Administrations or Bodies such as Courts, Revenue Agencies, Council Offices, etc.) or for personal reasons”; “everything was done with maximum transparency and having stipulated a specific agreement with the trade union representatives pursuant to art. 4, Stat. Lav.”; - the Company “in any case has interrupted the processing that is the subject of the procedure and has undertaken a process of completing compliance with the legislation on personal data protection”.
On XX, ARSAC has finally provided further elements in relation to the facts under investigation.
3. The legislation on the protection of personal data in the workplace.
With regard to the processing of personal data in the context of the employment relationship, it is highlighted in general that the employer can process the personal data of workers, including those relating to particular categories of data (see art. 9, par. 1, of the Regulation), when there is an appropriate legal basis, if the processing is necessary for the management of the employment relationship and to fulfill specific obligations or tasks arising from the sector legislation as well as when the processing is "necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the data controller" (art. 6, par. 1, letter c) and e), 2 and 3; 9, par. 2, letter b), and 4; 88 of the Regulation; 2-ter of the Code).
In this context, the same legal bases mentioned above that typically occur in the workplace apply to the processing of personal data carried out in the context of the execution of the agile employment contract - regulated by a regulation aimed at encouraging the adoption of work organization methods based on spatial-temporal flexibility, objective-based assessment and the reconciliation of working life and private life (see articles 18 to 23 of Law no. 81 of 22 May 2017).
The employer must also comply with national regulations, which "include appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of data subjects, in particular with regard to transparency of processing [...] and workplace monitoring systems" (articles 6, paragraph 2, and 88, paragraph 2, of the Regulation).
On this point, the Code, confirming the system prior to the amendments made by Legislative Decree no. 101 of 10 August 2018, makes express reference to the national sector provisions that protect the dignity of people in the workplace, with particular reference to possible checks by the employer (articles 113 "Data collection and relevance" and 114 "Guarantees regarding remote monitoring"). As a result of this reference, and taking into account art. 88, paragraph 2, of the Regulation, compliance with arts. 4 and 8 of law 20 May 1970, no. 300, and art. 10 of Legislative Decree no. 276/2003 (in cases where the conditions are met) constitutes a condition for the lawfulness of the processing.
It should also be noted that, even if the work is carried out in an agile manner, "the employer is required to guarantee the worker respect for his personality and moral freedom" pursuant to art. 115 of the Code, expressly addressed to teleworking, agile working and domestic work.
The employer, as data controller, is required in any case to comply with the principles of data protection (art. 5 of the Regulation). The employer is also required to comply with the principles of "data protection by design" and "data protection by default", by virtue of which the employer must implement appropriate technical and organizational measures, "both when determining the means of processing and at the time of the processing itself", in particular in order to "integrate the necessary safeguards into the processing in order to meet the requirements of the [Regulation] and protect the rights of data subjects" as well as "to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed", also with reference to the profiles relating to the storage and quantity of data collected (art. 25 of the Regulation).
4. Outcome of the investigation.
4.1. Processing of data relating to the geographic location of staff performing smart working activities.
From the investigation carried out on the basis of the elements acquired and the facts that emerged following the investigation, as well as the subsequent assessments of the Office, it is established that, by virtue of the adoption of resolution no. XX of XX and the attached regulation on smart working, which forms an integral part thereof, ARSAC made use - from XX, the month in which resolution no. XX and the attached regulation were adopted, until XX - of an application (Time Relax) through which, at the time of entry and exit by each employee and with their prior consent to geolocalisation, it acquired the geographic coordinates of the smartphone or PC of the employee who had clocked in, together with their identification code, the date and time of clocking in, specifying whether entry or exit.
This was done in order to verify that the geographical position from which the staff was carrying out their work in agile mode corresponded to one of those indicated in each individual agreement on agile work and, for the effect, according to what was declared by the Company, also for the benefit of declared organizational and production needs, protection of the health and safety of workers as well as protection of personal data processed through work tools.
More specifically, it is established that the data relating to the geolocation of the employee in agile mode was processed:
a) both, in general, when the employee stamped in and out daily, at the start and end of work or, in any case, when using any permits that the employee took advantage of within his availability band; in such cases, a check was carried out from time to time to ensure that the data relating to the geographical position detected and the employee's place of work provided for in the agile work agreement corresponded;
b) either, as occurred in the case that was the subject of the complaint, in the context of specific targeted control activities on specific employees carried out in application of the internal procedures previously in use at the Company, according to which:
i. the employees to be subjected to checks were selected randomly;
ii. the employee subjected to checks was contacted by telephone by the head of the competent organizational unit, in compliance with the availability time slot, and was invited to make a double stamping using the Time Relax application, one on entry and one on exit;
iii. immediately afterwards, the employee subjected to checks was invited to declare the exact location where he was at the time of the stampings subject to inspection by sending an email to the institutional email address of the aforementioned organizational unit;
iv. in the next phase, the aforementioned manager proceeded to verify the correspondence between the place or places of work indicated by the worker in the individual smart working contract with respect to what was declared via email and what was resulting from the Time Relax application on the day and at the time in which the inspection was carried out;
v. the results of this control activity were then included in a report which, in a closed and sealed envelope, was delivered, via internal protocol, to the General Manager of the Company.
From the documentation in the files it is clear that the use of the Time Relax application and, in particular, of its geolocalization function in relation to the employee clocking-in activity had been the subject of negotiation between the Company and the trade union representatives (see the minutes of XX, with which, in particular, the “Company Regulations for Smart Working” had been approved).
From the examination of the documents, it also appears that the Company, after having subjected the complainant to a specific check with the methods indicated above under letter b), initiated disciplinary proceedings against her on the basis of the detected "discrepancy between the declared location and the geolocation ascertained by the Inspection Office in carrying out the checks" (see note contesting the disciplinary charge, of XX).
In both of the cases mentioned above (letters a) and b)), the collection, via the aforementioned application, of the data relating to the employee's location appears to have been carried out for the purpose of verifying that the geographical position from which the staff carries out their work in agile mode corresponded to that indicated in each individual agreement on agile work.
In this context, it must be considered that the treatment in question, “being inserted” – as stated by the Company itself – “within the scope of the exercise of the employer’s powers of work organization” and thus giving rise to a “monitoring of the actual performance of agile work” (see note of XX), was directly aimed at verifying the worker’s compliance with the obligations arising from the agreement on agile work with regard to the location where the work activity is carried out. In its defense briefs, the Company specified that such treatment also allowed it to pursue specific interests attributable to legitimate employer needs (see note of XX; see also note of XX).
4.2. The detection of the geographical position of the place where agile work is carried out.
National legislation defines agile work as a “method of performing the subordinate employment relationship” whereby the work performance is carried out, in relation to the specificity of the tasks performed, “in phases, cycles and objectives, without precise constraints on time and place of work” (see articles 18 to 23 of Law 22 May 2017, no. 81). In this context, in fact, agile work performance, differently from carrying out the work activity at the employer’s premises, is typically characterised by a flexibility which, without prejudice to the possible operation of availability bands, pertains to both the place and time of its performance (art. 18, paragraph 1, of Law 22 May 2017, no. 81). 
For the above, any checks on the fulfillment of the work performance carried out in agile mode may consist, for example, in the drafting by the worker of periodic reports or summary documents regarding the activity carried out or in moments of comparison during the days of presence at the office on the objectives achieved in relation to those assigned (Directive of the Ministry of Public Education of the XX; but, see already the Guidelines containing rules relating to the organization of work aimed at promoting the conciliation of life and work times, contained in the Directive Pres. Council of Ministers n. 3 of 2017). Even if the service is performed in agile mode, the use of technological tools by the employer, which also provide the possibility of remotely monitoring the workers' activity, can only take place for the pursuit of the mandatory purposes provided for by law, i.e. "[...] for organizational and production needs, for safety at work and for the protection of company assets", in compliance with the procedural guarantees established therein (art. 4, paragraph 1, of Law 20 May 1970, no. 300). The law on agile work, in fact, expressly refers to the limits, conditions and guarantee procedures of art. 4 of Law 20 May 1970, no. 300 (see art. 21 of Law 22 May 2017, no. 81). In this context, also following the amendments made to Law 20 May 1970, no. 300, by art. 23 of Legislative Decree September 14, 2015, no. 151, the various needs for monitoring compliance with the duties of diligence of the worker - which also fall within the prerogatives of the employer if pursued personally by the employer or through its hierarchical organization (articles 2086 and 2104 of the Civil Code) - cannot be pursued with remote technological tools, which, by reducing the space of freedom and dignity of the person in a mechanical and inelastic way, entail direct monitoring of the worker's activity not permitted by the current legal system and the constitutional framework. 
These purposes do not, in fact, appear to be attributable to any of the specific purposes selected by the legislator and referred to above (“organizational and productive", "work safety" and "protection of company assets"), given that remote monitoring of work activity is permitted by law, in compliance with the guarantee conditions provided therein, only incidentally, that is, in the pursuit of such legitimate purposes, thus assuming a typically indirect and unintentional nature. This principle is also confirmed by the jurisprudence of the Court of Cassation (see Criminal Cassation, III section, no. 22148/2017, in the part in which it recalls the orientation, “fully valid also following the amendment of Legislative Decree 14 September 2015, no. 151, art. 23”, according to which “devices aimed at the mere remote monitoring of work performance [must be] absolutely prohibited […for] conflict with the principles of the Constitution”). This means that the pursuit of the aforementioned purpose of direct control is not admissible in the legal system even in the presence of a possible agreement with the unitary trade union representation or with the company trade union representatives, since this is a purpose that falls outside the framework of guarantees outlined by the sector provisions and, more radically, by the internal constitutional framework, as highlighted by the aforementioned case law. It follows that, in terms of personal data protection, the related processing lacks an appropriate legal basis, being in conflict with the principle of "lawfulness, fairness and transparency" and with the specific national provisions of greater protection safeguarded by the Regulation, in violation of Articles 5, paragraph 1, letter a), and 6, given that the aforementioned conduct falls outside the framework of lawfulness provided for by Article 114 of the Code (see Article 88 of the Regulation). 
In confirmation of the principles mentioned above, it is also important to point out that, with circular no. 4/2017, the National Labor Inspectorate, in providing interpretative clarifications regarding art. 4 of Law 20 May 1970, n. 300, although with reference to other instruments, specified that, in any case, "the installation and use of "[...] instruments from which also derives the possibility of remote control of the workers' activity", can be justified exclusively for the needs set out in art. 4 [... and], therefore, only in such cases can an "incidental" control on the worker's activity be legitimised, [...] avoiding prolonged, constant, indiscriminate and invasive controls", also specifying that "the fundamental "paradigm" of art. 4 [...] should not be overturned in such a way as to carry out a penetrating control on the performance of the workers, in order to guarantee adequate and more efficient organizational and production methods within the company" and concluding, therefore, that, in such cases, the instruments used "not only do not fall within the definition of a useful instrument to "... make the work performance..." but [...] those organizational and production needs that justify the issue of the authorization provision by the Labour Inspectorate are not even identified” (see, specifically on the subject of geolocalisation of devices assigned to employees, also INL circular of XX, prot. no. XX). The Guarantor has also expressed itself in these terms with its own provisions (see, in particular, provisions of 1 December 2022, no. 409, web doc. no. 9833530; 28 October 2021, no. 384, web doc. no. 9722661; and 16 November 2017, no. 479, web doc. no. 
7355533; see also, albeit with regard to the different context relating to the installation of video devices in proximity to presence detection systems, the opinion of the Guarantor on the draft decree of the President of the Council of Ministers concerning the implementation of the provision referred to in art. 2 of Law no. 56 of 19 June 2019, provision of no. 167 of 19 September 2019, spec. point 4.2, web doc. no. 9147290; see also the provision on video surveillance of 8 April 2010, par. 4.1, web doc. no. 1712680, which, although dating back to the previous legal framework on data protection, contains indications that can still be considered valid: "in surveillance activities, the prohibition of remote control of work activity must be respected, therefore the installation of equipment specifically intended for the aforementioned purpose is prohibited: therefore, filming must not be carried out in order to verify compliance with the duties of diligence established for compliance with working hours and correctness in the performance of the work, e.g. by directing the camera at the badge"). This orientation is also confirmed in the European and international legal framework (see European Data Protection Board, Guidelines 3/2019 on the processing of personal data through video devices, version 2.0, adopted on 29 January 2020, par. 37, where it is stated that “in most cases an employee in the workplace does not expect to be monitored by his or her employer”; see already Art. 29 Working Party, Opinion 2/2017 on data processing at the workplace, adopted on 8 June 2017, WP 249; see also the Recommendation of the Council of Europe of 1 April 2015, CM/Rec (2015), par. 15.1, where it is stated that “it should not be permitted to introduce and use information systems and technologies whose direct and primary purpose is the monitoring of the activity and behaviour of employees”). 
It should be noted, in this regard, that even the same processing of personal data that can be lawfully carried out by the employer (i.e., precisely, those of an indirect or unintentional nature) cannot assume a massive and indiscriminate nature, having to be carried out rather according to a principle of graduality and progressiveness and, therefore, only after experimenting with measures that are less restrictive of workers' rights (see Hearing of the Guarantor on the Jobs Act at the Labour Commission of the Chamber of Deputies 9 July 2015, web doc. no. 4119045; as well as "Statement by Antonello Soro, President of the Guarantor for privacy, on the judgment of the Court of Strasbourg" - ECHR, judgment of 17 October 2019, López Ribalda and others v. Spain-, web doc. no. 9164334, "the essential requirement for checks on work […] to be legitimate therefore remains, for the Court, their rigorous proportionality and non-excessiveness: cornerstones of the protection discipline data whose "social function" is confirmed, also from this perspective, increasingly central because it is capable of combining dignity and economic initiative, freedom and technique, guarantees and duties”). In light of the above considerations, it must be specified that, in general, the regulatory intersection between the discipline on the protection of personal data and that on remote monitoring of work activity, although it is suitable to ensure enhanced protection of the worker, as a vulnerable interested party due to the asymmetry of the contractual relationship with the employer, highlights the complementarity between two bodies of legislation that remain, however, autonomous and distinct from each other. This therefore means that the employer, data controller, in addition to the applicable sector legislation, must always comply with the principles of personal data protection. 
The possible presence of an agreement with trade union representatives regarding the use of a specific system that involves the processing of workers' personal data constitutes, in fact, a necessary condition, but not always sufficient, to ensure the overall lawfulness of the processing and compliance with the principles of personal data protection. Nor can the treatment in question be considered lawful on the basis that, based on the declarations made by the Company, the legal basis would in this case be represented by "the general administrative act composed of ARSAC Resolution no. XX of XX, with the attached regulation on "Agile Work", an integral part of the resolution" (see note of XX). Regardless of the correct qualification of the Company's resolution as a general administrative act pursuant to the current legal system, in fact, general administrative acts cannot contravene or modify the higher-ranking reference rules, having a mere integrative effect on the legal system. As highlighted in recent decisions by the Authority, the hierarchical criterion of the sources of law establishes, in fact, the prevalence of the higher-ranking source over the lower-ranking source, precluding the latter from derogating from it or conflicting with the content of the higher-ranking source; therefore, the general administrative act does not contain the ability to introduce innovations or changes to the system in relation to the processing of personal data – such as, in fact, the processing of data relating to the geolocation of personnel who carry out their work activity in an agile manner –, as this act cannot fully absorb the current legislation, the essential characteristics of which must be and remain outlined by the provisions of higher rank than it (see, in particular, provision of 11 April 2024, no. 235, web doc. no. 10019523; see also provision of 6 July 2023, nos. 286 and 287, web doc. no. 9920145; provision of 13 April 2023, no. 125, web doc. no. 
9907846; provision of 22 July 2021, no. 273, web doc. n. 9683814). The legal basis of the processing must, in fact, be “suitable” also in light of the structure of the sources of the “constitutional system” of the Member State (see recital 41 of the Regulation and see also Constitutional Court, judgment n. 271/2005, according to which the regulation of personal data protection falls within the exclusive competence of the State referred to the “civil system”) and it must satisfy specific requirements, both in terms of quality of the source, necessary contents and appropriate and specific measures to protect the rights and freedoms of the interested parties, and in terms of proportionality of the regulatory intervention with respect to the purposes that are intended to be pursued (art. 6, paragraphs 2 and 3, letter b), of the Regulation). Furthermore, as recently clarified by the Guarantor also with regard to different work environments, in the system of the Regulation and the Code, differentiated levels of protection of personal data are not permitted on a territorial basis or between different public work contexts and between these and private ones or, again, at the level of a single administration, as occurred in the case in question, where, moreover, a disparity of treatment was created to the detriment of only those employees who benefit from smart working. This is especially true when, as in the case at hand, the matter has already been the subject of balancing and regulation by the legislator with uniform provisions at national level that protect the dignity and moral personality of the worker regardless of the ways in which he or she carries out his or her work activity, in person or in smart working mode, in any work environment (articles 88 of the Regulation, 114 and 115 of the Code and 18, paragraph 1, and 21 of Law 22 May 2017, no. 
81), also taking into account that, by choice of the legislator, the performance of smart working occurs "without precise constraints of […] place of work". Nor, again, can the circumstance invoked by the Company be considered relevant, according to which "the Time Relax App requires the employee's consent in order to access the position" (see note of XX), given that, as stated on many occasions by the Guarantor (see, among many, provision of 14 January 2021, no. 16, web doc. no. 9542071), the consent of employees does not constitute, in this context, a valid basis for the lawfulness of the processing of personal data, regardless of the public or private nature of the employer (recital no. 43; art. 4, point 11), and art. 7, paragraphs 3 and 4, of the Regulation; see the consolidated orientation at European level, Article 29 Working Party, Opinion 2/2017 on data processing in the workplace, WP 249, p. 7 and 26 and Guidelines on consent pursuant to EU Regulation 2016/679 - WP 259 - of 4 May 2020). This is without prejudice to the obligations set forth in the Code with regard to the processing of location data by providers of the publicly accessible electronic communications service and providers of the public communications network or the third party providing the value-added service (Articles 121, paragraph 1-bis, and 126 of the Code, implementing Directive 2002/58/EC). Moreover, given that the law allows remote monitoring of work activities through the use of technological equipment by the employer only to a merely incidental and unintentional extent, the processing of data aimed at directly monitoring the work activities of individual employees also highlights a conflict with the principle of "purpose limitation" pursuant to Article 5, paragraph 1, letter b), of the Regulation, to the extent that it pursues a non-"legitimate" purpose. 
In light of the foregoing considerations, it must be considered that the processing, by ARSAC via the Time Relax application, of the data relating to the geographical location of the staff who carry out their work activity in agile mode was carried out from XX - the month in which resolution no. XX and the attached regulation were adopted - to XX, in a manner that does not comply with the principles of "lawfulness, fairness and transparency" and "purpose limitation" as well as in the absence of a suitable basis for lawfulness, in violation of Articles 5, paragraph 1, letters a) and b), and 6, given that the aforementioned conduct falls outside the framework of lawfulness provided for by Article 114 of the Code (see Article 88 of the Regulation).
4.2.1. The collection of personal data relating to the employee's private life.
Considering that, especially in the case of recourse to agile working methods, the boundary line between the work and professional sphere and the strictly private sphere cannot always be drawn clearly, the cancellation of any expectation of confidentiality of the interested party in the workplace cannot be envisaged, which is why the European Court of Human Rights has confirmed over time that the protection of private life (art. 8 European Convention on Human Rights) also extends to the workplace, where the personality and relationships of the person who works are expressed (see Judgments of the European Court of Human Rights Niemietz v. Germany, 16.12.1992 (rec. no. 13710/88), spec. para. 29; Copland v. UK, 03.04.2007 (rec. no. 62617/00), spec. para. 41; Bărbulescu v. Romania [GC], 5.9.2017 (rec. no. 61496/08), spec. paras. 70-73 and 80; Antović and Mirković v. Montenegro, 28.11.2017 (rec. no. 70838/13), spec. paras. 41-42). 
Therefore, data processing carried out by means of information technology, in the context of the employment relationship, must comply with respect for fundamental rights and freedoms as well as the dignity of the data subject, for the protection of workers and third parties (see Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the employment context, spec. point 3). With regard to the specific case, according to what emerges from the documents and confirmed by the data controller, it appears that the original characteristics of the Time Relax application were not proportionate to the purpose pursued by the Company (see recital 49 and art. 6, par. 1, letter e) of the Regulation), giving rise to a systematic collection of information that was not necessary due to the peculiarities of the performance of the service in agile mode, also in conflict with the prohibition for the employer to collect irrelevant data provided for by art. 113 of the Code (with reference to art. 8 of law 20 May 1970, no. 300, and art. 10 of legislative decree 10 September 2003, no. 276) and, therefore, with the same principle of "lawfulness, fairness and transparency" referred to in art. 5, par. 1, letter a), of the Regulation. The need to ensure that the work performance of employees in smart working mode is actually carried out at the locations indicated in the reference agreement cannot, in fact, justify any form of interference in private life - as occurred in the case in question, by collecting and processing information relating to the specific location where the interested party was temporarily located - giving rise to the processing of personal data that falls within the scope of application of art. 113 of the Code, in violation of art. 5, par. 1, letter a), 6 and 88 of the Regulation and 113 of the Code (with regard to the risks for the interested parties and the responsibilities for the owner in relation to the acquisition of information relating to the private sphere of employees, see provision of 15 April 2021 no. 137 currently being published; but also see, provision of 26 March 2020, no. 64 - “Distance learning: initial indications” -, web doc. no. 9300784, par. 5 and, already, Guidelines on electronic mail and the Internet, provision of 1 March 2007, no. 13, web doc. no. 1387522 in particular, point 5.2., letter a), whose principles can still be considered valid). In this regard, it should be added that the need to ensure the confidentiality and security of the data processed even in the case of smart working - also invoked in this specific case by the Company, which referred, in particular, to the risk of promiscuous environments during work calls and access to open wi-fi networks (see note of XX) - must be pursued first of all by giving specific instructions to authorised employees (articles 4, par. 10, 29, 32 par. 4, of the Regulation; see art. 2-quaterdecies of the Code), also in consideration of the technical and organisational measures adopted in general to protect the data, and not instead through the geolocalisation of the staff who carry out their work activity in smart working mode. This is also in light of the principle established by art. 115 of the Code, according to which even in the context of the agile working relationship the employer is required to guarantee the worker respect for his personality and moral freedom. In any case, the processing in question, giving rise to a collection of data that is neither limited nor pertinent to the purpose of managing the agile working relationship, also conflicted with the principle of "data minimization", in violation of art. 5, par. 1, letter c), of the Regulation. 
It should also be noted that the Company did not ensure, either when determining the means of processing or during the processing itself, that the protection of personal data was integrated into the processing from the design stage and by default, “incorporating into the processing appropriate measures and safeguards to ensure the effectiveness of the principles of data protection and the rights and freedoms of data subjects” and ensuring that “by default only the processing strictly necessary to achieve the specific and lawful purpose was carried out” (see “Guidelines 4/2019 on Article 25 - Data protection by design and by default”, adopted by the European Data Protection Board on 20 October 2020). It must therefore be concluded that the processing in question was also carried out in conflict with the principles of data protection “by design” and “by default”, in violation of art. 25 of the Regulation.
4.2.2. The inadequacy of the information regarding the processing.
Furthermore, although some information elements relating to the data processing operations relating to the geolocation of employees in agile mode can be found in the corporate documentation transmitted by the Company during the investigation, it should be noted that these documents do not contain all the essential information elements required by art. 13 of the Regulation. 
Such acts, such as, for example, the Company's "Regulation on agile working", were, in fact, drawn up to fulfil obligations other than those deriving from the data protection legislation and therefore cannot replace the information that the owner must provide to the interested parties, before starting the processing, regarding the essential characteristics of the same and for the purpose of allowing them to be fully aware of the type of processing operations that could also be carried out by drawing, within a lawful framework, on the data collected during the working activity (see in this regard, among the many, most recently, the provision of 11 April 2024, no. 234, web doc. no. 10013356, in relation to the use of video surveillance systems, as well as the provision of 13 May 2021, no. 190, web doc. no. 9669974; see also judgments of the European Court of Human Rights of 5 September 2017 - Application no. 61496/08 - Case Bărbulescu v. Romania, spec. para. nos. 133 and 140 and judgment of 9 January 2018 - Application nos. 1874/13 and 8567/13 - Case López Ribalda and others v. Spain, spec. para. no. 115). This appears to have occurred, therefore, in violation of Articles 5, para. 1, letter a), and 13 of the Regulation.
4.2.3. Failure to carry out a data protection impact assessment.
Given, moreover, that the documents do not show evidence of the performance of the impact assessment of the processing of data relating to the geolocation of employees in agile mode on the protection of personal data pursuant to Article 35 of the Regulation, the following is highlighted. 
Pursuant to Article 35 of the Regulation, “where a type of processing, in particular when it involves the use of new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing on the protection of personal data”. In implementation of the principle of “accountability” (see art. 5, par. 2, and 24 of the Regulation), it is up to the controller to assess whether the processing that is intended to be carried out is likely to result in a high risk to the rights and freedoms of natural persons - by reason of the technologies used and considering the nature, scope, context and purposes pursued - which makes a prior assessment of the impact on the protection of personal data necessary (see recital 90 of the Regulation). With more specific reference to the processing of personal data carried out by the Company, the processing of data collected through the satellite localization system involves specific risks to the rights and freedoms of data subjects in the workplace (art. 35 of the Regulation). Both in consideration of the particular “vulnerability” of data subjects in the workplace context (see recital 75 and art. 88 of the Regulation and the “Guidelines on data protection impact assessment and the criteria for determining whether a processing operation is “likely to result in a high risk” pursuant to Regulation 2016/679”, WP 248 of 4 April 2017, which, among the categories of vulnerable data subjects, expressly mention “employees”), as well as the fact that in this context the use of systems that may also indirectly involve “systematic monitoring”, understood as “processing used to observe, monitor or control data subjects, including data collected via networks” (see criterion no. 
3 indicated in the Guidelines, cit., but see also criteria 4 and 7), may present risks - as emerged in the case in question - in terms of monitoring the activity of employees (see arts. 35 and 88, par. 2, of the Regulation; see also provision 11 October 2018, no. 467, web doc. no. 9058979, annex no. 1, which expressly mentions the “processing carried out in the context of the employment relationship through technological systems […] from which the possibility of remotely monitoring the activity of employees arises”; see also, among others, provision no. 234 of 10 June 2021, web doc. no. 9675440). For these reasons, in pointing out the occurrence, in this case, of the conditions for carrying out an impact assessment on the protection of personal data, a circumstance that would have allowed the owner to be aware of the specific and high risks for the rights and freedoms of the data subjects involved, to mitigate them by directing their choices in this regard in a more conscious and, if necessary, different manner, it must be concluded that the Company has also acted in violation of art. 35 of the Regulation. 
***
For all the above reasons, it must therefore be considered that the processing, by the Company through the Time Relax application, of the data relating to the geographical location of the employee staff, being directly aimed at pursuing a purpose not permitted by the sector regulations and relating to the verification of a particular profile of the workers' activity, namely that concerning compliance with the agreement with reference to the location of the work performance in agile mode, was carried out, both in the cases referred to in letter a) and in those referred to in letter b) of paragraph 4.1 of this provision, in a manner not compliant with the principles of "lawfulness, fairness and transparency", "purpose limitation", "data minimization", "data protection by design" and "data protection by default", as well as in the absence of a suitable basis for lawfulness, in violation of Articles 5, paragraph 1, letters a), b) and c), 6, 13, 25, 35 and 88 of the Regulation and art. 113 of the Code.
4.3. The processing of data relating to the geolocation of the complainant for disciplinary purposes.
With regard to the use of data relating to the geographical position of the complainant for disciplinary purposes, in acknowledging that, according to what was declared by the Company, the disciplinary proceedings are currently “suspended”, the following is noted. Starting from 2015, the current regulatory framework allows the data collected pursuant to art. 4, paragraphs 1 and 2, of Law no. 300 of 20 May 1970, to be used by the employer for further processing necessary for the management of the employment relationship, only if such data have been lawfully collected in pursuit of the purposes set out in paragraphs 1 and 2 of art. 4 of Law no. 300 and in compliance with the conditions and limits established by this provision and the data protection regulations, providing employees with all information on further processing. 
In other words, the employer may use the personal data of workers for further purposes attributable to the scope of managing the relationship (see the example contained in art. 88 of the Regulation) to the extent that the original collection was lawfully carried out, having regard to the main purpose, originally pursued, and in compliance with the general principles of data protection. This is also in light of the provisions of art. 2-decies of the Code, which provides in principle that personal data collected and processed in violation of the relevant regulations on the processing of personal data cannot be used (this principle has been confirmed in numerous provisions of the Authority and in general guidance documents; see, among many, FAQ no. 13 on the subject of oncological oblivion, web doc. no. 10044898, and FAQ no. 12 available at https://www.garanteprivacy.it/temi/coronavirus/faq#scuola). The data controller may, in fact, use only personal data lawfully collected, in the presence of an appropriate legal basis, having previously "satisfied all the requirements for the lawfulness of the original processing" (see recital no. 50 of the Regulation) and, therefore, to the extent that the original collection was carried out in an overall framework of lawfulness, also taking into account "the context in which the personal data were collected, in particular with regard to the relationship between the data subject and the data controller", "the possible consequences of the envisaged further processing for the data subjects" as well as "the existence of adequate guarantees" (see art. 6, par. 4, of the Regulation). These principles have been reiterated by the Guarantor in numerous provisions, albeit with regard to the use of different technologies in the workplace (see provision of 11 April 2024, no. 234, web doc. no. 10013356, on video surveillance; provision of 13 May 2021, no. 190, web doc. no. 
9669974, on the collection of employee internet browsing data; provision of 28 October 2021, no. 384, web doc. no. 9722661, on the collection of call centre operators' data). As for the specific case, although the Company has finally declared that the data acquired through the Time Relax application was not used to assert specific disciplinary responsibilities of the complainant (see note of XX), it should be noted that, instead, both the report drawn up by the organizational unit responsible for carrying out the control and the subsequent disciplinary dispute note give account of the aforementioned use for disciplinary purposes (see Agile Work Control Report no. XX of XX and note of dispute of the disciplinary charge, of XX). Although, in fact, during the targeted control of the complainant in XX, the latter, contacted by telephone, had declared "that she was not in the place she had originally communicated" (see note of XX), the competent office nevertheless asked the employee to clock in and out once so that the Time Relax application would record the information relating to her geographical location. Such personal data were, therefore, acquired in the records of the Administration and used as a basis for the initiation of the disciplinary procedure, given that in the note contesting the charge, of XX, it was expressly contested, among other things, the "discrepancy between the declared location and the geolocation ascertained by the Inspection Office in carrying out the checks". For these reasons, the circumstance on the basis of which the disciplinary procedure was subsequently suspended cannot be considered sufficient to exclude the liability of the data controller. 
Given the above, considering that the data relating to the geographical location of the complainant were acquired by the Company, via the Time Relax application, to carry out direct checks on the geographical position in which the complainant was carrying out the service in agile mode - processing not permitted by the legal system, which conflicts with both the legislation on the protection of personal data and the specific legislation on agile work (see previous paragraphs of this provision) -, it must be concluded that the further use of the aforementioned data for disciplinary purposes occurred in a manner that did not comply with the principles of "lawfulness, fairness and transparency" and "purpose limitation" as well as in the absence of a suitable basis for lawfulness, in violation of Articles 5, paragraph 1, letters a) and b), and 6 of the Regulation, given that the aforementioned conduct falls outside the framework of lawfulness provided for by Article 114 of the Code (see Article 88 of the Regulation).

5. Conclusions.

In light of the above assessments, it is noted that the statements made by the data controller during the investigation - for the veracity of which one may be held accountable pursuant to art. 168 of the Code -, although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing, by ARSAC via the Time Relax application, of the data relating to the geographical location of the generality of employees in smart working and the subsequent use of the same to initiate disciplinary proceedings against the complainant is found to have occurred in violation of art. 5, par. 1, lett. 
a), b) and c), 6, 13, 25, 35 and 88 of the Regulation and art. 113 of the Code. Taking into account that the violation of the aforementioned provisions occurred as a result of a single conduct (the same processing or linked processing operations), art. 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violations, relating to arts. 5, 6, 13, 25, 35 and 88 of the Regulation, as well as 113 of the Code, are subject to the sanction provided for by art. 83, paragraph 5, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000. In this context, considering, in any case, that the conduct has exhausted its effects - given that the Company appears to have taken, in self-protection, the decision to deactivate the geolocation function of the Time Relax application and ordered the suspension of the disciplinary proceedings against the complainant - the conditions for the adoption of further corrective measures pursuant to art. 58, paragraph 2, of the Regulation do not exist.

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, paragraph 2, letter i), and art. 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, paragraph 2, letter i), and art. 83 of the Regulation as well as art. 
166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount by taking into due account the elements provided for in art. 83, par. 2, of the Regulation. Taking into account that: the processing concerned approximately one hundred employees who carried out their work activities in smart working mode for a significant period of time (art. 83, par. 2, letter a), of the Regulation); although the Company had mistakenly believed that it could carry out the aforementioned processing also by virtue of its own general administrative act and an agreement with the trade union representatives, it nevertheless implemented monitoring aimed at controlling the worker's activity which was not permitted by the applicable sector legislation (art. 83, par. 2, letter b), of the Regulation); the processing, even if it did not concern data belonging to the special categories referred to in art. 
9 of the Regulation, concerned very sensitive information, concerning the geographical location of smart working workers, including the complainant herself, also leading to interference in their private sphere (see art. 83, par. 2, letter g), of the Regulation); it is believed that, in this case, the level of severity of the violation committed by the data controller is high (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).

That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into consideration: the data controller offered sufficient cooperation with the Authority during the investigation, having, moreover, taken, in self-protection, the decision to deactivate the geolocation function of the Time Relax application and ordered the suspension of the disciplinary proceedings against the complainant (Article 83, paragraph 2, letters c) and f), of the Regulation); there are no previous relevant violations committed by ARSAC (Article 83, paragraph 2, letter e), of the Regulation); in this case, the choice to use the Time Relax application was initially undertaken after sharing it with the Company's Data Protection Officer (Article 83, paragraph 2, letter k), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of €50,000.00 (fifty thousand/00) for the violation of Articles 5, 6, 13, 25, 35 and 88 of the Regulation, as well as 113 of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, to be effective, proportionate and dissuasive. It is also deemed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 
1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This is in consideration of the fact that the data processing in question, which involved a significant number of interested parties, was carried out, for a considerable period of time, giving rise to a form of monitoring of the work activity carried out in an agile manner not permitted by the applicable sector legislation; this even through specific targeted control procedures on an individual basis aimed at ascertaining the exact geographical position of the worker, with consequent interference in the private sphere. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by ARSAC due to violation of arts. 5, 6, 13, 25, 35 and 88 of the Regulation as well as 113 of the Code, in the terms set out in the reasons;

ORDERS the Regional Company for the Development of Calabrian Agriculture, in the person of its legal representative pro-tempore, with registered office in Viale Trieste, 93/95 - 87100 Cosenza (CS), C.F. 03268540782, to pay the sum of €50,000.00 (fifty thousand/00) as an administrative fine for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS the aforementioned Regional Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €50,000.00 (fifty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive actions pursuant to art. 27 of Law no. 689/1981;

ORDERS - pursuant to art. 
166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; - pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority; - pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, March 13, 2025

THE PRESIDENT Stanzione
THE REPORTER Scorza
THE GENERAL SECRETARY Mattei

SEE ALSO: NEWSLETTER OF MAY 8, 2025

[web doc. n. 10128005]

Provision of March 13, 2025

Register of provisions n. 135 of March 13, 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, Members and Council Member Fabio Mattei, Secretary General; SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”); SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter the “Code”); CONSIDERING Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Data Protection Authority no. 1/2019”); Having seen the documentation in the files; Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. n. 1098801; Rapporteur: Attorney Guido Scorza;

WHEREAS

1. Introduction.

This provision concerns the complaint lodged by Mrs. XX on XX, as subsequently integrated on XX, and the report submitted, pending the investigation already started in response to the aforementioned complaint, on XX by the Department of Public Function of the Presidency of the Council of Ministers, both concerning the processing, by the Regional Agency for Development and Services in Agriculture (hereinafter also “ARSAC” or “Company”), of data relating to the geolocation of personnel who carry out their work activity in smart working mode.

1.1. 
The complaint

In particular, with the aforementioned complaint, the interested party, an employee of the Company, complained of alleged violations in the field of personal data protection with reference to the performance of certain checks, carried out by the Company on XX and XX, to verify the compatibility of the geographical position from which the complainant was carrying out her work in agile mode with respect to what is indicated in the individual agreement on agile work signed between the complainant and the Company. More specifically, from the complaint and the documentation attached to it, it emerges, in particular, that: - in the context of the aforementioned checks, "the employee was asked, in order to carry out the check regarding the workstation for agile work, that she should have carried out: a stamping on the TIMERELAX platform both on exit and on entry, the employee carried out the following stampings: at 09.29 on exit and at 09.30 on return, subsequently she was asked to send an email with reference to the check carried out in agile work, to the institutional email address of the [employee responsible for carrying out the control]” (see the Company report entitled Smart Working Control Report no. XX of XX); - “from the control carried out, the geolocalization, even if at times the maps used are not completely updated, was found to be incompatible with what was declared and granted in the smart working contract stipulated with ARSAC. From the control stamping, the employee was found to be present in Piazzale […], while the closest location, required in the Agile Work contract, was found to be Via […], which is approximately 40-50 km from the georeferenced point. The same employee in the control phone call […] immediately mentioned the inconsistency of the position” (see the Company report called Agile Work Control Report no. 
XX of XX); - “another inconsistency detected, in the monitoring carried out by the [employee in charge of carrying out the control] on day XX in which the employee was again in agile work, concerns the entry stamping, carried out by the employee via smartphone, which is geolocalized [… at …], which is approximately 5 km from the closest location communicated in the contract, Via […]” (see the Company report called Agile Work Control Report no. XX of XX); - the complainant was charged with a disciplinary charge on the basis of the alleged “failure to comply with the times and methods of the procedures set out in the regulation relating to the performance of the work in agile mode” and the detected “discrepancy between the declared location and the geolocation ascertained by the Inspection Office in carrying out the checks” (see note contesting the disciplinary charge, of XX); - “ARSAC asks employees to report the performance of work activities in agile mode via PC or smartphone [… via the application] Time Relax [… which] requires the location service to be enabled at the time of access […], and once the location has been consented to, it waits for the GPS signal […], and then finally erroneously locates the position […] at the time of stamping. The above applies to both entry and exit stamping” (see note of XX); - “however, no information was provided to the employee on the processing of personal data that would be carried out by the employer” (see note of XX).

1.2. The report of the Department of Public Function of the Presidency of the Council of Ministers

With report of XX, the Department of Public Function of the Presidency of the Council of Ministers reported to the Guarantor through the Inspectorate for Public Function, within the scope of its institutional duties and for the follow-ups of its competence (see art. 60, paragraph 6, of Legislative Decree 30 March 2001, no. 
165), that it had “become aware of practices that could be in conflict with the legislation on the protection of personal data implemented at the Regional Agency for the Development of Calabrian Agriculture (ARSAC)”. In detail, the report shows that the aforementioned Department of Public Function had “learned that the Procedures Control Unit-Inspectorate of the aforementioned Entity would carry out the localization of the devices (notebooks and smartphones) used by its employees on the days in which they perform their work activity in smart working mode pursuant to art. 18 of Law 81/2017” and that “with a note of XX [… had already] requested the Extraordinary Commissioner of ARSAC to provide detailed and timely elements regarding the lawfulness of the data processing carried out”. In light of the foregoing, the aforementioned Department of Public Function deemed it necessary to “provid[e] for the transmission of the documentation received for the assessments within the competence of [… the Guarantor], requesting that [… the] Inspectorate be kept informed”.

2. The investigative activity.

Within the scope of the investigation, with a note of XX, ARSAC stated, in particular, that: “the monitoring of the actual performance of work in agile mode by the head of the Procedures Control Unit is based on criteria agreed with the management. 
[… This] is carried out only on the days and in the time slot granted to the employee (so-called contactability time slot), and with the tools and methods necessary for such verification, including the Time relax platform according to the provisions contained in the Regulation on agile work […] adopted by this Body and by the related individual employment contract”; "in particular, the Smart Working control is carried out through a direct call to the employee by the head of the Control-Inspection Organizational Unit, always respecting the contact time slot, with which the same employee is invited to make a double stamping using the Time relax application, one on entry and one on exit, with prior consent to geolocation, otherwise remote stamping would not be possible in the context of smart working; subsequently, the employee subjected to control is invited to send an email in reference to the object of the control carried out in smart working to the institutional email address of the Control Unit, so that the same worker can declare the exact place where he is at the time of carrying out the stampings subject to inspection control. In the next phase, the aforementioned manager proceeds to the reorganization of the information acquired, in order to verify the correspondence between the place or places of work indicated by the worker in the individual smart working contract with respect to that declared in the email and resulting in the Time relax application on the day and at the time subject to control inspection. 
The results of said inspection activity are included in the Visit/Inspection Report, which, in a sealed envelope, is delivered, via internal protocol to the Institution, to the General Director of A.R.S.A.C.”; “with the aforementioned individual agreement, the [… complainant] has expressed its consent to the processing of personal data by the Institution for the purpose of fulfilling the requirements necessary for carrying out the procedure for participation in the smart working method. This is indeed an informed consent also with reference to this specific aspect”; “the Time relax application is technically presented as a geolocation platform as far as the presence detection operations (clocking in) are concerned, the use of which was ratified upstream by means of an agreement with the trade union representatives, in full compliance with art. 4 of Law 300/1970 and subsequent amendments, according to the minutes of the XX delegation meeting […] in which the “Company regulation of agile work” was approved […] including the use of the geolocation function solely and exclusively for the purposes of clocking in. […] The use of the Time relax platform as a verification system for carrying out agile work was then included in the “Agile work of the PIAO period XX” section […]”; “the legal basis for the processing of personal data relating to the geographical location of workers in agile mode, which makes such processing lawful, is constituted, upstream, by the aforementioned trade union agreement of XX referred to in the A.R.S.A.C. protocol no. XX […] of ratification/approval of the “Company Regulation on agile work”” (see also supplementary minutes-agreement of XX)”; “to this end, the employee, for his own protection, on the days authorised for agile work, is required to register his presence on the “time relax” application including the request and use of any personal permits [… ] . 
This procedure, as already highlighted and documented, was also followed in relation to the request for smart working made by the [… complainant] in XX and reiterated for the year XX, according to the individual agreement attached, from which it is clearly evident that the same [… complainant] has expressed appropriate informed consent to the processing of data also with reference to geolocation”; “the [… complainant], as well as any other interested employee, was given adequate information, pursuant to art. 13 of the Regulation, also considering the provisions of art. 4, paragraph 3, of Law 20 May 1970, n. 300”; “the aforementioned choice is part of the exercise of the employer’s powers of work organization where the service is performed by the worker outside the company premises and, this with a view to ensuring first and foremost the protection of the worker’s safety and health in the workplace even in smart working mode, in accordance with the provisions of Law 81/2017 and subsequent amendments, and, at the same time, the protection of data confidentiality, which the public employee is required to comply with in light of Presidential Decree no. 62/2013 and subsequent amendments and the current A.R.S.A.C. Code of Conduct. In fact, said application does not allow the storage of geographic coordinates but only allows, at the time of stamping, upon entry/exit, to detect the location where the worker authorized to work smart working is located. It is specified that no other checks are carried out during working hours other than the aforementioned inspection check, which in any case — it is reiterated — is completely hypothetical and random, and is carried out by means of a telephone warning that precedes the verification stamping. 
Said check, due to its random nature, is in all respects comparable to that usually carried out by the inspection service on personnel in attendance"; "the "Time relax" application necessarily requires, after its installation on the computer device chosen by the worker, access protected by "USERNAME AND PASSWORD", which are communicated by the employee via email during registration to the system. Once logged in, the app presents the worker with a screen in which the name and surname that has been registered appears so that the worker is able to confirm his/her identity and informs him/her of any requests for justifications, requests for stampings, messages and information on deductible balances. At this point the worker can decide whether to carry out geolocalized stamping. When accessing the stamping function, the Time Relax App requires the employee’s consent to access the position. Once consent is given, only at that point does the app begin searching for the position. Once the position has been verified, the worker can decide when to stamp by selecting the direction (start or end of the activity). Only at this point does the App request the geographic coordinates of the position from the smartphone and transmit them to the stamping collection system together with the worker’s identification code, the direction of stamping and the date and time of stamping. […]. Within Time Relax, the data is available to employees who already carry out personnel management and administration activities, as well as to each employee’s hierarchical superiors. In particular, the subjects who have access to the data of smart working are: the Manager, the clocking station, the Company that owns the Time relax platform in the capacity of its Data Processing Manager […] and the person in charge of the inspection service […]”. 
With note of XX, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged during the investigation, notified ARSAC, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation. This is because the processing of the data relating to the geographical position of the generality of smart working employees and the subsequent use of the same to initiate disciplinary proceedings against the complainant were found to have occurred in violation of art. 5, paragraph 1, letters a), b) and c), 6, 13, 25, 35 and 88 of the Regulation and of articles 113 and 114 of the Code. With the same note, the aforementioned data controller was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (article 166, paragraphs 6 and 7, of the Code, as well as article 18, paragraph 1, of law no. 689 of 24 November 1981).

With note dated XX, ARSAC, in expressing its willingness to be heard by the Authority pursuant to article 166, paragraph 6, of the Code and reserving the right to produce further defensive documentation, also including the elements referred to in article 83 of the Regulation, requested by the Authority with the aforementioned XX, stated that "on XX, the "geolocalization" function of the TIMERELAX "clocking" platform was deactivated, in self-protection".

During the hearing, held on XX, ARSAC read the defense documentation subsequently transmitted with note of XX, from which it appears, among other things, that: - "the disciplinary procedure (currently suspended) against the employee [...] began with a random check carried out on the basis of the guidelines of the ARSAC inspection service, on a percentage equal to 20% of employees in smart working [...]. The employee, at the time of the check, mentioned an inconsistency regarding the place where the smart working activity was carried out. 
The location was different from the three indicated in the signed contract”; “the data relating to geolocation was not assessed for the purposes of the entire procedure since the employee herself declared […] to be in a different place than those indicated in her smart working contract”; - “the contract signed by the employee envisaged the performance of the work in […] places […] that do not correspond to the one where the employee was at the time of the check […]”; “the employee declares that she performed her work in a “bed & breakfast […], communicating this difference to her manager only on XX”; - “the prohibition, pursuant to art.4, Stat. lav., of the use of equipment for the purpose of remote monitoring of workers' activity, was respected by ARSAC, since the control of geolocation was aimed at an organizational, production and workplace safety need (the employee was located tens of kilometers away from the point communicated in the authorization for smart working) and not for disciplinary purposes, so much so that the disciplinary procedure was activated not because of the viewing of the geolocalized position (as the employee claims in the complaint) but because the interested party said, on the phone, that she was not in the place she had originally communicated, and in any case this procedure was suspended and the interested party did not receive any sanction"; - "the processing of personal data [… in question concerned] a limited number of employees (about 100 out of 540)"; "the same geolocation function was deactivated at XX"; - "the processing of data through virtual stamping had to include geolocation on the legal basis of the general administrative act [ARSAC Resolution no. XX of XX] pursuant to art. 2-ter, paragraphs 1 and 1-bis, of Legislative Decree no. 196/2003 and subsequent amendments. [… as] shared with the internal Data Protection Officer appointed at the time. 
The use of geolocation […] allowed the employer to verify that the worker was carrying out his/her activity in the appropriate location […]. However, only the data relating to the workplace and that relating to entry and exit were retained. The use of the Time Relax APP with geolocation function was activated with the sole purpose of providing workers with greater guarantees in the context of smart working, in particular, the possibility of using permits for work (to carry out activities also at other Administrations or Bodies such as Courts, Revenue Agencies, Council Offices, etc.) or for personal reasons”; “everything was done with maximum transparency and having stipulated a specific agreement with the trade union representatives pursuant to art. 4, Stat. Lav.”; - the Company “in any case has interrupted the processing that is the subject of the proceedings and has undertaken a process to complete compliance with the legislation on the protection of personal data”.

On XX, ARSAC has, lastly, provided further elements in relation to the facts under investigation.

3. The legislation on the protection of personal data in the workplace.

With regard to the processing of personal data in the context of the employment relationship, it is highlighted in general that the employer can process the personal data of workers, including those relating to particular categories of data (see art. 9, par. 1, of the Regulation), when there is an appropriate legal basis, if the processing is necessary for the management of the employment relationship and to fulfill specific obligations or tasks deriving from the sector legislation as well as when the processing is “necessary for the performance of a task carried out in the public interest or in connection with the exercise of public powers vested in the data controller” (art. 6, par. 1, letters c) and e), 2 and 3; 9, par. 2, letter b), and 4; 88 of the Regulation; 2-ter of the Code). 
In this context, the processing of personal data carried out in the context of the execution of the employment contract in agile mode - regulated by a discipline aimed at encouraging the adoption of work organization methods based on spatial-temporal flexibility, evaluation by objectives and the conciliation of working life with private life (see articles 18 to 23 of law 22 May 2017, no. 81) - is subject to the same legal bases mentioned above that typically occur in the workplace. The employer must also comply with national rules, which "include appropriate and specific measures to safeguard the human dignity, legitimate interests and fundamental rights of the data subjects in particular with regard to transparency of processing [...] and monitoring systems in the workplace" (articles 6, par. 2, and 88, par. 2, of the Regulation). On this point, the Code, confirming the system prior to the amendments made by Legislative Decree no. 101 of 10 August 2018, makes express reference to the national sector provisions that protect the dignity of people in the workplace, with particular reference to possible controls by the employer (articles 113 "Data collection and relevance" and 114 "Guarantees regarding remote control"). As a result of this reference, and taking into account art. 88, paragraph 2, of the Regulation, compliance with arts. 4 and 8 of Law no. 300 of 20 May 1970, and art. 10 of Legislative Decree no. 276/2003 (in cases where the conditions are met) constitutes a condition for the lawfulness of the processing. It should also be noted that, even if the work is carried out in an agile manner, "the employer is required to guarantee the worker the respect for his personality and moral freedom" pursuant to art. 115 of the Code, expressly addressed to teleworking, agile working and domestic work. The employer, as data controller, is required in any case to comply with the principles of data protection (art. 5 of the Regulation).
The employer is also required to comply with the principles of “data protection by design” and “data protection by default”, by virtue of which the employer must implement appropriate technical and organizational measures, “both when determining the means of processing and at the time of the processing itself”, in particular in order to “integrate the necessary safeguards into the processing in order to meet the requirements of the [Regulation] and protect the rights of data subjects” as well as “to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed”, also with reference to the profiles relating to the storage and quantity of data collected (art. 25 of the Regulation).

4. Outcome of the investigation.

4.1. The processing of data relating to the geographic location of staff performing smart working.

From the investigation carried out on the basis of the elements acquired and the facts that emerged following the investigation, as well as the subsequent assessments of the Office, it is established that, by virtue of the adoption of resolution no. XX of XX and the attached regulation on smart working, which forms an integral part thereof, ARSAC made use - from XX, the month in which resolution no. XX and the attached regulation were adopted, until XX - of an application (Time Relax) through which, at the time of clocking in and out by each employee and with their prior consent to geolocalisation, it acquired the geographic coordinates of the smartphone or PC of the employee who had clocked in, together with their identification code, the date and time of clocking in, specifying whether it was clocking in or out.
This was for the purpose of verifying that the geographic position from which the staff were performing their smart working corresponded to one of those indicated in each individual agreement on smart working and, as a result, according to the Company's declaration, also for the benefit of declared organizational and production needs, protection of workers' health and safety as well as protection of personal data processed through work tools. More specifically, it has been ascertained that the data relating to the employee's geolocation in smart working mode was processed:

a) in general, when the employee stamped in and out daily, at the start and end of work or, in any case, when using any leave the employee took advantage of within his availability band; in such cases, a check was carried out each time to ensure that the data relating to the geographical position detected corresponded to the employee's place of work as provided for in the smart working agreement;

b) as occurred in the case in question, in the context of specific targeted control activities on specific employees carried out in application of the internal procedures previously in use at the Company, according to which:

i. the employees to be subjected to checks were selected randomly;
ii. the employee subjected to checks was contacted by telephone by the manager of the competent organizational unit, in compliance with the availability time slot, and was invited to make a double stamping using the Time Relax application, one on entry and one on exit;
iii. immediately afterwards, the employee subjected to checks was invited to declare the exact location where he was at the time of the stampings subject to inspection by sending an email to the institutional email address of the aforementioned organizational unit;
iv. in the next phase, the aforementioned manager proceeded to verify the correspondence between the place or places of work indicated by the worker in the individual smart working contract with respect to what was declared via email and what resulted from the Time Relax application on the day and at the time in which the inspection was carried out;
v. the results of this inspection activity were then included in a report which, in a closed and sealed envelope, was delivered, via internal protocol, to the General Manager of the Company.

From the documentation in the files it is clear that the use of the Time Relax application and, in particular, of its geolocation function in relation to the employee clocking-in activity had been the subject of negotiations between the Company and the trade union representatives (see minutes of the XX, with which, in particular, the “Company Regulations for agile working” had been approved). From the examination of the files it also appears that the Company, after having subjected the complainant to a specific check with the methods indicated above under letter b), initiated disciplinary proceedings against her on the basis of the detected “discrepancy between the declared location and the geolocation ascertained by the Inspection Office in carrying out the checks” (see note contesting the disciplinary charge, of the XX). In both of the cases mentioned above (letters a) and b)), the collection, through the aforementioned application, of the data relating to the employee's location appears to have been carried out for the purpose of verifying that the geographical position from which the staff carries out their work in agile mode corresponds to that indicated in each individual agreement on agile work.
Given this, it must be considered that the processing in question, "inserting itself" - as stated by the Company itself - "within the exercise of the employer's powers of work organization" and thus giving rise to a "monitoring of the actual performance of work in agile mode" (see note of XX), was directly intended to verify compliance by the worker with the obligations arising from the agreement on agile work with regard to the location where the work activity is carried out. In its defense briefs, the Company specified that this processing also allowed it to pursue specific interests attributable to legitimate employer needs (see note of XX; see also note of XX).

4.2. Detection of the geographical location of the place where smart working is carried out.

National legislation defines smart working as a “method of performing the subordinate employment relationship” whereby the work performance is carried out, in relation to the specificity of the tasks performed, “in phases, cycles and objectives, without precise constraints on time and place of work” (see articles 18 to 23 of Law 22 May 2017, no. 81). In this context, in fact, smart working, unlike carrying out the work activity at the employer’s premises, is typically characterised by a flexibility which, without prejudice to the possible operation of availability bands, pertains to both the place and time of its performance (art. 18, paragraph 1, of Law 22 May 2017, no. 81).
For the above, any checks on the fulfillment of the work performance carried out in agile mode may consist, for example, in the drafting by the worker of periodic reports or summary documents regarding the activity carried out or in moments of comparison during the days of presence at the office on the objectives achieved in relation to those assigned (Directive of the Ministry of Public Education of the XX; but, see already the Guidelines containing rules relating to the organization of work aimed at promoting the conciliation of life and work times, contained in the Directive Pres. Council of Ministers n. 3 of 2017). Even if the service is performed in agile mode, the use of technological tools by the employer, which also provide the possibility of remotely monitoring the workers' activity, can only take place for the pursuit of the mandatory purposes provided for by law, i.e. "[...] for organizational and production needs, for safety at work and for the protection of company assets", in compliance with the procedural guarantees established therein (art. 4, paragraph 1, of Law 20 May 1970, no. 300). The law on agile work, in fact, expressly refers to the limits, conditions and guarantee procedures of art. 4 of Law 20 May 1970, no. 300 (see art. 21 of Law 22 May 2017, no. 81). In this context, also following the amendments made to Law 20 May 1970, no. 300, by art. 23 of Legislative Decree September 14, 2015, no. 151, the various needs for monitoring compliance with the duties of diligence of the worker - which also fall within the prerogatives of the employer if pursued personally by the employer or through its hierarchical organization (articles 2086 and 2104 of the Civil Code) - cannot be pursued with remote technological tools, which, by reducing the space of freedom and dignity of the person in a mechanical and inelastic way, entail direct monitoring of the worker's activity not permitted by the current legal system and the constitutional framework. 
These purposes do not, in fact, appear to be attributable to any of the specific purposes selected by the legislator and referred to above (“organizational and productive", "work safety" and "protection of company assets"), given that remote monitoring of work activity is permitted by law, in compliance with the guarantee conditions provided therein, only incidentally, that is, in the pursuit of such legitimate purposes, thus assuming a typically indirect and unintentional nature. This principle is also confirmed by the jurisprudence of the Court of Cassation (see Criminal Cassation, III section, no. 22148/2017, in the part in which it recalls the orientation, “fully valid also following the amendment of Legislative Decree 14 September 2015, no. 151, art. 23”, according to which “devices aimed at the mere remote monitoring of work performance [must be] absolutely prohibited […for] conflict with the principles of the Constitution”). This means that the pursuit of the aforementioned purpose of direct control is not admissible in the legal system even in the presence of a possible agreement with the unitary trade union representation or with the company trade union representatives, since this is a purpose that falls outside the framework of guarantees outlined by the sector provisions and, more radically, by the internal constitutional framework, as highlighted by the aforementioned case law. It follows that, in terms of personal data protection, the related processing lacks an appropriate legal basis, being in conflict with the principle of "lawfulness, fairness and transparency" and with the specific national provisions of greater protection safeguarded by the Regulation, in violation of Articles 5, paragraph 1, letter a), and 6, given that the aforementioned conduct falls outside the framework of lawfulness provided for by Article 114 of the Code (see Article 88 of the Regulation). 
In confirmation of the principles mentioned above, it is also important to point out that, with circular no. 4/2017, the National Labor Inspectorate, in providing interpretative clarifications regarding art. 4 of Law 20 May 1970, n. 300, although with reference to other instruments, specified that, in any case, "the installation and use of "[...] instruments from which also derives the possibility of remote control of the workers' activity", can be justified exclusively for the needs set out in art. 4 [... and], therefore, only in such cases can an "incidental" control on the worker's activity be legitimised, [...] avoiding prolonged, constant, indiscriminate and invasive controls", also specifying that "the fundamental "paradigm" of art. 4 [...] should not be overturned in such a way as to carry out a penetrating control on the performance of the workers, in order to guarantee adequate and more efficient organizational and production methods within the company" and concluding, therefore, that, in such cases, the instruments used "not only do not fall within the definition of a useful instrument to "... make the work performance..." but [...] those organizational and production needs that justify the issue of the authorization provision by the Labour Inspectorate are not even identified” (see, specifically on the subject of geolocalisation of devices assigned to employees, also INL circular of XX, prot. no. XX). The Guarantor has also expressed itself in these terms with its own provisions (see, in particular, provisions of 1 December 2022, no. 409, web doc. no. 9833530; 28 October 2021, no. 384, web doc. no. 9722661; and 16 November 2017, no. 479, web doc. no. 
7355533; see also, albeit with regard to the different context relating to the installation of video devices in proximity to presence detection systems, the opinion of the Guarantor on the draft decree of the President of the Council of Ministers concerning the implementation of the provision referred to in art. 2 of Law no. 56 of 19 June 2019, provision of no. 167 of 19 September 2019, spec. point 4.2, web doc. no. 9147290; see also the provision on video surveillance of 8 April 2010, par. 4.1, web doc. no. 1712680, which, although dating back to the previous legal framework on data protection, contains indications that can still be considered valid: "in surveillance activities, the prohibition of remote control of work activity must be respected, therefore the installation of equipment specifically intended for the aforementioned purpose is prohibited: therefore, filming must not be carried out in order to verify compliance with the duties of diligence established for compliance with working hours and correctness in the performance of the work, e.g. by directing the camera at the badge"). This orientation is also confirmed by the European and international legal framework (see European Data Protection Board, Guidelines 3/2019 on the processing of personal data through video devices, version 2.0, adopted on 29 January 2020, para. 37, where it is stated that “in most cases an employee in the workplace does not expect to be monitored by his or her employer”; see already Article 29 Working Party, Opinion 2/2017 on data processing at the workplace, adopted on 8 June 2017, WP 249; see also the Recommendation of the Council of Europe of 1 April 2015, CM/Rec (2015), para. 15.1, where it is stated that “it should not be permitted to introduce and use information systems and technologies whose direct and primary purpose is the monitoring of the activity and behaviour of employees”). 
It should be noted, in this regard, that even the same processing of personal data that can be lawfully carried out by the employer (i.e., precisely, those of an indirect or unintentional nature) cannot assume a massive and indiscriminate nature, having to be carried out rather according to a principle of graduality and progressiveness and, therefore, only after experimenting with measures that are less restrictive of workers' rights (see Hearing of the Guarantor on the Jobs Act at the Labour Commission of the Chamber of Deputies 9 July 2015, web doc. no. 4119045; as well as "Statement by Antonello Soro, President of the Guarantor for privacy, on the judgment of the Court of Strasbourg" - ECHR, judgment of 17 October 2019, López Ribalda and others v. Spain-, web doc. no. 9164334, "the essential requirement for checks on work […] to be legitimate therefore remains, for the Court, their rigorous proportionality and non-excessiveness: cornerstones of the data protection discipline, whose "social function" is confirmed, also from this perspective, increasingly central because it is capable of combining dignity and economic initiative, freedom and technique, guarantees and duties”). In light of the above considerations, it must be specified that, in general, the regulatory intersection between the discipline on the protection of personal data and that on remote monitoring of work activity, although it is suitable to ensure enhanced protection of the worker, as a vulnerable interested party due to the asymmetry of the contractual relationship with the employer, highlights the complementarity between two bodies of legislation that remain, however, autonomous and distinct from each other. This therefore means that the employer, data controller, in addition to the applicable sector legislation, must always comply with the principles of personal data protection.
The possible presence of an agreement with the union representatives regarding the use of a specific system that involves the processing of personal data of workers constitutes, in fact, a necessary condition, but not always sufficient, to ensure the overall lawfulness of the processing and compliance with the principles of protection of personal data. Nor can the processing in question be considered lawful on the basis that, based on the declarations made by the Company, the legal basis would in this case be represented by "the general administrative act composed of the ARSAC Resolution no. XX of XX, with the attached regulation on "Agile Work", an integral part of the resolution" (see note of XX). Aside from the correct qualification of the Company's resolution as a general administrative act pursuant to the current legislation, in fact, general administrative acts cannot contravene or modify the reference superordinate rules, having a mere integrative effect of the legislation. As highlighted in recent rulings by the Authority, the hierarchical criterion of the sources of law establishes, in fact, the prevalence of the higher-ranking source over the lower-level one, precluding the latter from derogating from it or from conflicting with the content of the higher-ranking source; therefore, the general administrative act does not contain the ability to introduce innovations or changes to the system in relation to the processing of personal data – such as, in fact, the processing of data relating to the geolocation of personnel who carry out their work activity in an agile manner –, as this act cannot fully absorb the current legislation, the essential characteristics of which must be and remain outlined by the provisions of higher rank than it (see, in particular, provision of 11 April 2024, no. 235, web doc. no. 10019523; see also provision of 6 July 2023, nos. 286 and 287, web doc. no. 9920145; provision of 13 April 2023, no. 125, web doc. no. 
9907846; provision of 22 July 2021, no. 273, web doc. n. 9683814). The legal basis of the processing must, in fact, be “suitable” also in light of the structure of the sources of the “constitutional system” of the Member State (see recital 41 of the Regulation and see also Constitutional Court, judgment n. 271/2005, according to which the regulation of personal data protection falls within the exclusive competence of the State referred to the “civil system”) and it must satisfy specific requirements, both in terms of quality of the source, necessary contents and appropriate and specific measures to protect the rights and freedoms of the interested parties, and in terms of proportionality of the regulatory intervention with respect to the purposes that are intended to be pursued (art. 6, paragraphs 2 and 3, letter b), of the Regulation). Furthermore, as recently clarified by the Guarantor also with regard to different work environments, in the system of the Regulation and the Code, differentiated levels of protection of personal data are not permitted on a territorial basis or between different public work contexts and between these and private ones or, again, at the level of a single administration, as occurred in the case in question, where, moreover, a disparity of treatment was created to the detriment of only those employees who benefit from smart working. This is especially true when, as in the case at hand, the matter has already been the subject of balancing and regulation by the legislator with uniform provisions at national level that protect the dignity and moral personality of the worker regardless of the ways in which he or she carries out his or her work activity, in person or in smart working mode, in any work environment (articles 88 of the Regulation, 114 and 115 of the Code and 18, paragraph 1, and 21 of Law 22 May 2017, no. 
81), also taking into account that, by choice of the legislator, the performance of smart working occurs "without precise constraints of […] place of work". Nor, again, can the circumstance invoked by the Company be considered relevant, according to which "the Time Relax App requires the employee's consent in order to access the position" (see note of XX), given that, as stated on many occasions by the Guarantor (see, among many, provision of 14 January 2021, no. 16, web doc. no. 9542071), the consent of employees does not constitute, in this context, a valid basis for the lawfulness of the processing of personal data, regardless of the public or private nature of the employer (recital no. 43; art. 4, point 11), and art. 7, paragraphs 3 and 4, of the Regulation; see the consolidated orientation at European level, Article 29 Working Party, Opinion 2/2017 on data processing in the workplace, WP 249, p. 7 and 26 and Guidelines on consent pursuant to EU Regulation 2016/679 - WP 259 - of 4 May 2020). This is without prejudice to the obligations set forth in the Code with regard to the processing of location data by providers of the publicly accessible electronic communications service and providers of the public communications network or the third party providing the value-added service (Articles 121, paragraph 1-bis, and 126 of the Code, implementing Directive 2002/58/EC). Moreover, given that the law allows remote monitoring of work activities through the use of technological equipment by the employer only to a merely incidental and unintentional extent, the processing of data aimed at directly monitoring the work activities of individual employees also highlights a conflict with the principle of "purpose limitation" pursuant to Article 5, paragraph 1, letter b), of the Regulation, to the extent that it pursues a non-"legitimate" purpose.
In light of the foregoing considerations, it must be considered that the processing, by ARSAC via the Time Relax application, of the data relating to the geographical location of the staff who carry out their work activity in agile mode was carried out from XX - the month in which resolution no. XX and the attached regulation were adopted - to XX, in a manner that does not comply with the principles of "lawfulness, fairness and transparency" and "purpose limitation" as well as in the absence of a suitable basis for lawfulness, in violation of Articles 5, paragraph 1, letters a) and b), and 6, given that the aforementioned conduct falls outside the framework of lawfulness provided for by Article 114 of the Code (see Article 88 of the Regulation).

4.2.1. The collection of personal data relating to the employee's private life.

Considering that, especially in the case of recourse to agile working methods, the boundary line between the work and professional sphere and the strictly private sphere cannot always be drawn clearly, the cancellation of any expectation of confidentiality of the interested party in the workplace cannot be envisaged, which is why the European Court of Human Rights has confirmed over time that the protection of private life (art. 8 European Convention on Human Rights) also extends to the workplace, where the personality and relationships of the person who works are expressed (see Judgments of the European Court of Human Rights Niemietz v. Germany, 16.12.1992 (rec. no. 13710/88), spec. para. 29; Copland v. UK, 03.04.2007 (rec. no. 62617/00), spec. para. 41; Bărbulescu v. Romania [GC], 5.9.2017 (rec. no. 61496/08), spec. paras. 70-73 and 80; Antović and Mirković v. Montenegro, 28.11.2017 (rec. no. 70838/13), spec. paras. 41-42).
Therefore, data processing carried out by means of information technology, in the context of the employment relationship, must comply with respect for fundamental rights and freedoms as well as the dignity of the data subject, for the protection of workers and third parties (see Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the employment context, spec. point 3). With regard to the specific case, according to what emerges from the documents and confirmed by the data controller, it appears that the original characteristics of the Time Relax application were not proportionate to the purpose pursued by the Company (see recital 49 and art. 6, par. 1, letter e) of the Regulation), giving rise to a systematic collection of information that was not necessary due to the peculiarities of carrying out the service in agile mode, also in conflict with the prohibition for the employer to collect irrelevant data provided for by art. 113 of the Code (with reference to art. 8 of law 20 May 1970, no. 300, and art. 10 of legislative decree 10 September 2003, no. 276) and, therefore, with the same principle of "lawfulness, fairness and transparency" referred to in art. 5, par. 1, letter a), of the Regulation. The need to ensure that the work performance of employees in smart working mode is actually performed at the locations indicated in the reference agreement cannot, in fact, justify any form of interference in private life - as occurred in the case in question, by collecting and processing information relating to the specific location where the interested party was temporarily located - giving rise to the processing of personal data that falls within the scope of application of art. 113 of the Code, in violation of art. 5, par. 
1, letter a), 6 and 88 of the Regulation and 113 of the Code (with regard to the risks for the interested parties and the responsibilities for the controller in relation to the acquisition of information relating to the private sphere of employees, see provision of 15 April 2021 no. 137 currently being published; but also see, provision of 26 March 2020, no. 64 - “Distance learning: initial indications” -, web doc. no. 9300784, par. 5 and, already, Guidelines on electronic mail and the Internet, provision of 1 March 2007, no. 13, web doc. no. 1387522 in particular, point 5.2., letter a), whose principles can still be considered valid). In this regard, it should be added that the need to ensure the confidentiality and security of the data processed even in the case of smart working - also invoked in this case by the Company, which referred, in particular, to the risk of promiscuous environments during work calls and access to open wi-fi networks (see note of XX) - must be pursued first of all by giving specific instructions to authorized employees (articles 4, paragraph 10, 29, 32 paragraph 4, of the Regulation; see art. 2-quaterdecies of the Code), also in consideration of the technical and organizational measures adopted in general to protect the data, and not instead through the geolocation of the personnel who carry out their work activity in smart working mode. This is also in light of the principle established by art. 115 of the Code, according to which even in the context of smart working the employer is required to guarantee the worker respect for his personality and his moral freedom. In any case, the processing in question, giving rise to a collection of data that was neither limited nor pertinent to the purpose of managing the employment relationship in an agile manner, also conflicted with the principle of “data minimization”, in violation of art. 5, par. 1, letter c), of the Regulation.
It should also be noted that the Company did not ensure, either when determining the means of processing or during the processing itself, that the protection of personal data was integrated into the processing from its design and by default, “incorporating into the processing appropriate measures and safeguards to ensure the effectiveness of the principles of data protection and the rights and freedoms of data subjects” and ensuring that “by default only the processing that is strictly necessary to achieve the specific and lawful purpose was carried out” (see “Guidelines 4/2019 on Article 25 - Data protection by design and by default”, adopted by the European Data Protection Board on 20 October 2020). It must therefore be concluded that the processing in question was also carried out in conflict with the principles of data protection “by design” and “by default”, in violation of art. 25 of the Regulation.

4.2.2. The inadequacy of the information regarding the processing.

Although, moreover, some information elements relating to the processing operations of data relating to the geolocation of employees in agile mode can be found in the company documentation sent by the Company during the investigation, it should be noted that these documents do not contain all the essential information elements required by art. 13 of the Regulation.
Such acts, such as, for example, the Company's "Regulation on agile working", were, in fact, drawn up to fulfil obligations other than those deriving from the data protection legislation and therefore cannot replace the information that the controller must provide to the interested parties, before starting the processing, regarding the essential characteristics of the same and for the purpose of allowing them to be fully aware of the type of processing operations that could also be carried out by drawing, within a lawful framework, on the data collected during the working activity (see in this regard, among the many, most recently, the provision of 11 April 2024, no. 234, web doc. no. 10013356, in relation to the use of video surveillance systems, as well as the provision of 13 May 2021, no. 190, web doc. no. 9669974; see also judgments of the European Court of Human Rights of 5 September 2017 - Application no. 61496/08 - Case Bărbulescu v. Romania, spec. para. nos. 133 and 140 and judgment of 9 January 2018 - Application nos. 1874/13 and 8567/13 - Case López Ribalda and others v. Spain, spec. para. no. 115). This appears to have occurred, therefore, in violation of Articles 5, para. 1, letter a), and 13 of the Regulation.

4.2.3. Failure to carry out a data protection impact assessment.

Given, moreover, that the documents do not show evidence of the performance of the impact assessment of the processing of data relating to the geolocation of employees in agile mode on the protection of personal data pursuant to Article 35 of the Regulation, the following is highlighted.
Pursuant to Article 35 of the Regulation, “where a type of processing, in particular when it involves the use of new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing on the protection of personal data”. In implementation of the principle of “accountability” (see art. 5, par. 2, and 24 of the Regulation), it is up to the controller to assess whether the processing that is intended to be carried out is likely to result in a high risk to the rights and freedoms of natural persons - by reason of the technologies used and considering the nature, scope, context and purposes pursued - which makes a prior assessment of the impact on the protection of personal data necessary (see recital 90 of the Regulation).

With more specific reference to the processing of personal data carried out by the Company, the processing of data collected through the satellite localization system involves specific risks to the rights and freedoms of data subjects in the workplace (art. 35 of the Regulation). This is so both in consideration of the particular “vulnerability” of data subjects in the workplace context (see recital 75 and art. 88 of the Regulation and the “Guidelines on data protection impact assessment and the criteria for determining whether a processing operation is “likely to result in a high risk” pursuant to Regulation 2016/679”, WP 248 of 4 April 2017, which, among the categories of vulnerable data subjects, expressly mention “employees”), and because in this context the use of systems that may also indirectly involve “systematic monitoring”, understood as “processing used to observe, monitor or control data subjects, including data collected via networks” (see criterion no. 3 indicated in the Guidelines, cit., but see also criteria 4 and 7), may present risks - as emerged in the case in question - in terms of monitoring the activity of employees (see arts. 35 and 88, par. 2, of the Regulation; see also provision 11 October 2018, no. 467, web doc. no. 9058979, annex no. 1, which expressly mentions the “processing carried out in the context of the employment relationship through technological systems […] from which the possibility of remotely monitoring the activity of employees arises”; see also, among others, provision no. 234 of 10 June 2021, web doc. no. 9675440).

For these reasons, the conditions for carrying out a data protection impact assessment were met in this case. Such an assessment would have allowed the controller to be aware of the specific and high risks for the rights and freedoms of the data subjects involved and to mitigate them by directing its choices in this regard in a more conscious and, if necessary, different manner. It must therefore be concluded that the Company has also acted in violation of art. 35 of the Regulation.
***

For all the above reasons, it must therefore be considered that the processing, by the Company through the Time Relax application, of the data relating to the geographical location of employees, being directly aimed at pursuing a purpose not permitted by the sector regulations and relating to the verification of a particular profile of the workers' activity, namely that concerning compliance with the agreement with reference to the location of the work performance in agile mode, was carried out, both in the cases referred to in letter a) and in those referred to in letter b) of paragraph 4.1 of this provision, in a manner not compliant with the principles of "lawfulness, fairness and transparency", "purpose limitation", "data minimization", "data protection by design" and "data protection by default", as well as in the absence of a suitable basis for lawfulness, in violation of Articles 5, paragraph 1, letters a), b) and c), 6, 13, 25, 35 and 88 of the Regulation and art. 113 of the Code.

4.3. The processing of data relating to the geolocation of the complainant for disciplinary purposes.

With regard to the use of data relating to the geographical location of the complainant for disciplinary purposes, in acknowledging that, according to the Company's declaration, the disciplinary proceedings are currently "suspended", the following is noted.

Starting from 2015, the current regulatory framework allows the data collected pursuant to art. 4, paragraphs 1 and 2, of Law no. 300 of 20 May 1970, to be used by the employer for further processing necessary for the management of the employment relationship, only if such data have been lawfully collected in pursuit of the purposes set out in paragraphs 1 and 2 of art. 4 of Law no. 300 of 20 May 1970, as well as in compliance with the conditions and limits established by this provision and the data protection regulations, providing employees with all information on further processing.
In other words, the employer may use the personal data of workers for further purposes related to the management of the relationship (see the example contained in art. 88 of the Regulation) to the extent that the original collection was lawfully carried out, having regard to the main purpose, originally pursued, and in compliance with the general principles of data protection. This is also in light of the provisions of art. 2-decies of the Code, which provides in principle that personal data collected and processed in violation of the relevant legislation on the processing of personal data cannot be used (this principle has been confirmed in numerous provisions of the Authority and in general guidance documents; see, among many, FAQ no. 13 on the subject of oncological oblivion, web doc. no. 10044898, and FAQ no. 12 available at https://www.garanteprivacy.it/temi/coronavirus/faq#scuola).

The data controller may, in fact, use only personal data lawfully collected, in the presence of an appropriate legal basis, having previously "satisfied all the requirements for the lawfulness of the original processing" (see recital no. 50 of the Regulation) and, therefore, to the extent that the original collection was carried out in an overall framework of lawfulness, also taking into account "the context in which the personal data were collected, in particular with regard to the relationship between the data subject and the data controller", "the possible consequences of the envisaged further processing for the data subjects" as well as "the existence of adequate guarantees" (see art. 6, par. 4, of the Regulation). These principles have been reaffirmed by the Guarantor in numerous provisions, albeit with regard to the use of different technologies in the workplace (see provision of 11 April 2024, no. 234, web doc. no. 10013356, on video surveillance; provision of 13 May 2021, no. 190, web doc. no. 9669974, on the collection of employee internet browsing data; provision of 28 October 2021, no. 384, web doc. no. 9722661, on the collection of call center operators' data).

As for the specific case, although the Company has finally declared that the data acquired through the Time Relax application was not used to assert specific disciplinary responsibilities of the complainant (see note of XX), both the report drawn up by the organizational unit responsible for carrying out the control and the subsequent note contesting the disciplinary charge instead give account of that use for disciplinary purposes (see Agile Work Control Report no. XX of XX and note contesting the disciplinary charge, of XX). In fact, although during the targeted control of the complainant in XX, the latter, contacted by telephone, had declared "that she was not in the place she had originally communicated" (see note of XX), the competent office nevertheless asked the employee to clock in and out once so that the Time Relax application would record the information relating to her geographical location. Such personal data were, therefore, acquired in the records of the Administration and used as a basis for the initiation of the disciplinary procedure, given that the note contesting the charge, of XX, expressly contested, among other things, the "discrepancy between the declared location and the geolocation ascertained by the Inspection Office in carrying out the checks". For these reasons, the fact that the disciplinary procedure was subsequently suspended cannot be considered sufficient to exclude the liability of the data controller.
Given the above, considering that the data relating to the geographical location of the complainant were acquired by the Company, via the Time Relax application, to carry out direct checks on the geographical position in which the complainant was carrying out the service in agile mode - processing not permitted by the legal system, which conflicts with both the legislation on the protection of personal data and the specific legislation on agile work (see previous paragraphs of this provision) -, it must be concluded that the further use of the aforementioned data for disciplinary purposes occurred in a manner that did not comply with the principles of "lawfulness, fairness and transparency" and "purpose limitation" as well as in the absence of a suitable basis for lawfulness, in violation of Articles 5, paragraph 1, letters a) and b), and 6 of the Regulation, given that the aforementioned conduct falls outside the framework of lawfulness provided for by Article 114 of the Code (see Article 88 of the Regulation).

5. Conclusions.

In light of the above assessments, it is noted that the statements made by the data controller during the investigation (for the truthfulness of which one may be held liable pursuant to art. 168 of the Code), although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing, by ARSAC via the Time Relax application, of the data relating to the geographical location of the generality of employees in smart working and the subsequent use of the same to initiate disciplinary proceedings against the complainant is found to have occurred in violation of art. 5, par. 1, lett. a), b) and c), 6, 13, 25, 35 and 88 of the Regulation and art. 113 of the Code.

Taking into account that the violation of the aforementioned provisions occurred as a result of a single conduct (same treatment or treatments linked to each other), art. 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violations, relating to arts. 5, 6, 13, 25, 35 and 88 of the Regulation, as well as 113 of the Code, are subject to the sanction provided for by art. 83, paragraph 5, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000.

In this context, considering, in any case, that the conduct has exhausted its effects - given that the Company appears to have taken, on its own initiative, the decision to deactivate the geolocation function of the Time Relax application and ordered the suspension of the disciplinary proceedings against the complainant - the conditions for the adoption of further corrective measures pursuant to art. 58, paragraph 2, of the Regulation do not exist.

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, paragraph 2, letter i), and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.

The amount of the aforementioned administrative pecuniary sanction, imposed depending on the circumstances of each individual case, must be determined by taking into due account the elements provided for in art. 83, par. 2, of the Regulation.

Taking into account that:
- the processing concerned approximately one hundred employees who carried out their work activities in smart working mode for a significant period of time (art. 83, par. 2, letter a), of the Regulation);
- although the Company had mistakenly believed that it could carry out the aforementioned processing also by virtue of its own general administrative act and an agreement with the trade union representatives, it nevertheless implemented monitoring aimed at controlling the worker's activity which was not permitted by the applicable sector legislation (art. 83, par. 2, letter b), of the Regulation);
- the processing, even if it did not concern data belonging to the special categories referred to in art. 9 of the Regulation, concerned very sensitive information, concerning the geographical location of smart working workers, including the complainant herself, also leading to interference in their private sphere (see art. 83, par. 2, letter g), of the Regulation);
it is believed that, in this case, the level of severity of the violation committed by the data controller is high (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).

That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into consideration:
- the controller offered sufficient cooperation with the Authority during the investigation, having, moreover, taken, on its own initiative, the decision to deactivate the geolocation function of the Time Relax application and ordered the suspension of the disciplinary proceedings against the complainant (Article 83, paragraph 2, letters c) and f), of the Regulation);
- there are no previous relevant violations committed by ARSAC (Article 83, paragraph 2, letter e), of the Regulation);
- in this case, the choice to use the Time Relax application was initially undertaken after sharing it with the Company's Data Protection Officer (Article 83, paragraph 2, letter k), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of €50,000.00 (fifty thousand/00) for the violation of Articles 5, 6, 13, 25, 35 and 88 of the Regulation, as well as 113 of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, to be effective, proportionate and dissuasive.

It is also deemed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This is in consideration of the fact that the data processing in question, which involved a significant number of data subjects, was carried out for a considerable period of time, giving rise to a form of monitoring of the work activity carried out in agile mode not permitted by the applicable sector regulations; this even through specific targeted control procedures on an individual basis aimed at ascertaining the exact geographical position of the worker, with consequent interference in the private sphere.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by ARSAC due to violation of arts. 5, 6, 13, 25, 35 and 88 of the Regulation as well as 113 of the Code, in the terms set out in the reasons;

ORDERS

the Regional Company for the Development of Calabrian Agriculture, in the person of its legal representative pro-tempore, with registered office in Viale Trieste, 93/95 - 87100 Cosenza (CS), C.F. 03268540782, to pay the sum of €50,000.00 (fifty thousand/00) as an administrative pecuniary sanction for the violations indicated in the reasons. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ORDERS

the aforementioned Regional Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 50,000.00 (fifty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

- pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;
- pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;
- pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 13 March 2025

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei