Garante per la protezione dei dati personali (Italy) - 9542071

From GDPRhub
Garante per la protezione dei dati personali - 9542071
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 9 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 14.01.2021
Fine: 30000 EUR
Parties: n/a
National Case Number/Name: 9542071
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: Davide C.

The Italian DPA (Garante per la protezione dei dati personali) imposed a fine of € 30,000 on a local public health authority (the ASP of Enna) for recording employees' attendance with a system based on their biometric data (fingerprints).

English Summary

Facts

Following press reports in November 2019 about the adoption of a system based on biometric data to record employees' attendance, the Garante opened an investigation into the Provincial Health Authority (ASP) of Enna. According to the ASP:

(a) the collection of biometrics did not amount to processing of personal data by the ASP, since it begins (in an automated manner) if and when (and only when) the employee initiates the procedure himself by carrying out two material operations under his personal and exclusive control (placing the badge on the reader and placing a fingertip on the scanner); the fingerprint template is stored only, in encrypted form, on the employee's badge, and the reader compares it locally with the freshly acquired print, deleting the latter immediately after the comparison;

(b) the ASP had informed employees of the adoption of this attendance measure and of the related collection of biometric data;

(c) the processing was based on the employees' consent and on Law no. 56/2019, aimed at preventing absenteeism in the workplace.

Dispute

Holding

The Italian DPA rejected the arguments of the ASP, holding that:

(a) the ASP, even though it did not store employees' biometric data in a centralised database but only on portable devices with adequate cryptographic capabilities (badges with smart card functions) entrusted to the direct and exclusive availability of each data subject, nevertheless processed biometric data: as the ASP itself confirmed, the data are acquired, albeit for a very short time, within the system used to record attendance. This applies both at the enrolment stage (acquisition of the fingerprints) and at the recognition stage (each time attendance is recorded);

(b) employees had not been properly informed with the essential elements required by Article 13 GDPR;

(c) the processing had no valid legal basis: consent is not a valid basis in the employment context because of the imbalance in the relationship between employee and employer.

Following the DPA's findings, the ASP stopped collecting employees' biometric data. However, there was no evidence that the fingerprints already stored as biometric templates on the badges issued to staff had been deleted. The Garante therefore ordered the deletion of those data and imposed a fine of € 30,000.
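The flow the ASP described (fingerprint template sealed on the employee's badge, local comparison by the reader, only serial number and time recorded) can be modelled to show where the biometric data actually passes through the employer's equipment, which is the point the Garante's holding turns on. The following is an added example written for this page; it is not code from the decision or from the ASP's system. The sensor, the XOR-keystream cipher, the badge and reader classes, the serial number and the finger values are all constructed assumptions. The match-on-card variant goes beyond the decision, which describes only reader-side comparison, and is included as a contrast.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TEMPLATE_BITS = 256
MAX_HAMMING = 40                      # bit differences tolerated for a "genuine" match (assumption)
SYSTEM_KEY = secrets.token_bytes(32)  # key held by the employer's readers (reader-side matching)


def sense(finger: int, flips: int, rng: random.Random) -> int:
    """Toy sensor (assumption): a scan is the finger's bit pattern with `flips`
    random bits disturbed, standing in for the fuzziness of real capture."""
    noise = 0
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        noise |= 1 << pos
    return finger ^ noise


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def seal(key: bytes, nonce: bytes, template: int) -> bytes:
    """Toy XOR-keystream encryption plus HMAC tag (assumption: stands in for the
    badge's real smart-card cipher). Returns ciphertext || tag."""
    keystream = hashlib.shake_256(key + nonce).digest(TEMPLATE_BITS // 8)
    plain = template.to_bytes(TEMPLATE_BITS // 8, "big")
    ct = bytes(p ^ k for p, k in zip(plain, keystream))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, blob: bytes) -> int:
    ct, tag = blob[:TEMPLATE_BITS // 8], blob[TEMPLATE_BITS // 8:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("badge blob was tampered with")
    keystream = hashlib.shake_256(key + nonce).digest(TEMPLATE_BITS // 8)
    return int.from_bytes(bytes(c ^ k for c, k in zip(ct, keystream)), "big")


@dataclass
class Badge:
    serial: str
    nonce: bytes
    blob: bytes                        # sealed template; the only copy of it
    card_key: Optional[bytes] = None   # match-on-card variant only; never leaves the card

    def match_on_card(self, fresh: int) -> bool:
        """Comparison inside the card: the stored template is never released."""
        stored = unseal(self.card_key, self.nonce, self.blob)
        return hamming(stored, fresh) <= MAX_HAMMING


@dataclass
class Reader:
    """Employer-controlled attendance reader. `touched` records every plaintext
    biometric value that passed through the reader's memory."""
    match_on_card: bool
    touched: List[Tuple[str, int]] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

    def enrol(self, serial: str, finger: int, rng: random.Random) -> Badge:
        template = sense(finger, 0, rng)
        self.touched.append(("enrol", template))   # acquisition happens on the reader in both designs
        nonce = secrets.token_bytes(16)
        if self.match_on_card:
            card_key = secrets.token_bytes(32)
            return Badge(serial, nonce, seal(card_key, nonce, template), card_key)
        return Badge(serial, nonce, seal(SYSTEM_KEY, nonce, template))

    def clock_in(self, badge: Badge, finger: int, rng: random.Random, when: str, flips: int = 20) -> bool:
        fresh = sense(finger, flips, rng)
        self.touched.append(("verify-fresh", fresh))   # the fresh sample is always in reader memory
        if self.match_on_card:
            ok = badge.match_on_card(fresh)
        else:
            stored = unseal(SYSTEM_KEY, badge.nonce, badge.blob)
            self.touched.append(("verify-stored", stored))  # reader-side matching also sees the stored template
            ok = hamming(stored, fresh) <= MAX_HAMMING
            del stored
        del fresh                                      # "deleted immediately after comparison", as the ASP described
        if ok:
            self.audit_log.append({"serial": badge.serial, "when": when})  # no biometric value retained
        return ok


def run_demo(match_on_card: bool) -> dict:
    """Enrol one constructed finger, then clock in with a noisy scan of the same
    finger and with an unrelated finger; report what the reader handled."""
    rng = random.Random(2021)
    finger_a = random.Random(7).getrandbits(TEMPLATE_BITS)   # constructed employee finger
    finger_b = random.Random(8).getrandbits(TEMPLATE_BITS)   # constructed unrelated finger
    reader = Reader(match_on_card=match_on_card)
    badge = reader.enrol("EMP-0042", finger_a, rng)
    genuine = reader.clock_in(badge, finger_a, rng, "2020-01-01T08:00")
    impostor = reader.clock_in(badge, finger_b, rng, "2020-01-01T08:01")
    return {"genuine": genuine, "impostor": impostor,
            "audit": reader.audit_log,
            "touched": [tag for tag, _ in reader.touched]}
```

Running `run_demo(False)` models the design in the decision and `run_demo(True)` the match-on-card contrast. In both, the reader acquires the fresh sample at enrolment and at every clock-in, so the employer's device handles biometric data even though the audit log holds only a serial number and a timestamp; reader-side matching additionally decrypts the stored template on the employer's hardware. The `touched` list is what to inspect when assessing such a design, not the contents of the log.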

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GARANTE FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, chairman, Prof. Ginevra Cerrina Feroni, vice-chairman, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD TO Legislative Decree No 196 of 30 June 2003 on the "Personal Data Protection Code, laying down provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC" (hereinafter, the "Code");

HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante for the protection of personal data, approved by resolution No. 98 of 4/4/2019, published in G.U. No. 106 of 8/5/2019 and in www.gpdp.it, web doc. No. 9107633 (hereinafter "Garante Regulation No. 1/2019");

Having regard to the documentation on file;

Having regard to the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Garante no. 1/2000 on the organisation and functioning of the office of the Garante for the protection of personal data, web doc. no. 1098801;

Rapporteur: Mr Guido Scorza, lawyer;

WHEREAS

1. Preamble.

With reference to press articles published in November 2019 reporting that the Enna Provincial Health Authority ("the Authority") had adopted, in its premises, a system allowing the processing of biometric data of employees for the detection of attendance, in order to ensure "greater technical reliability in verifying the identity of each employee" and "discourage[ing] absenteeism phenomena [...]", the Office launched a preliminary investigation against the Authority.

2. The preliminary investigation.

In response to the Office's specific requests (see note of XX, prot. no. XX in the file), the Company, in a note of XX, stated that:

- it "provides its services in 21 municipalities belonging to the province of Enna and [...] of Messina. The company's employees [...] number more than 2000 and work in four hospitals [...] as well as in the outpatient clinics and territorial centres in 22 municipalities";

- the administration introduced "the biometric identity verification system" because "the existence of decentralised facilities [...] and the type of activity performed (several operators work two and/or three shifts over 24 hours, sometimes also in hospital and territorial facilities) entails considerable complexity in the management of employees" and therefore the system was activated "in light of the provisions of Law no. 56/2019";

- the system uses "a software capable of acquiring the data of the same employee and storing them in encrypted form on a secure device (badge) given in the exclusive availability of the person concerned";

- 'the software deletes the data immediately after they have been recorded in encrypted form';

- 'all employees have been provided with the information pursuant to Article 13 of the Regulation';

- the data registration procedure involves the "collection of the biometric fingerprint, which is transformed into an encrypted string, stored in turn in the badge";

- the reading of the data, when attendance is recorded, takes place through the simultaneous use of the badge (which must be held up to the attendance reader) and the placing of the finger on the device: "the system compares locally, and only for the time necessary for verification, the string stored in the badge with the string calculated momentarily by the attendance reader" and, if the comparison matches, "the string calculated momentarily is automatically deleted [...] no biometric data is stored", but "only the employee's serial number, the time and date of attendance";

- "no video surveillance system has been installed at the various company entrances"; for all these reasons the Company maintains that "there are no critical issues or violations of regulations". These considerations are also contained in a document called "impact assessment".

By note dated XX (prot. no. XX), the Office, on the basis of the elements acquired, notified the Company, pursuant to Article 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation, inviting the above-mentioned data controller to submit to the Garante defensive writings or documents or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 689 of 24/11/1981).

In the aforementioned note, the Office found that the Company processed, in the manner described above, biometric data of employees for the purpose of recording attendance in violation of the principle of "lawfulness, fairness and transparency", art. 5, par. 1, letter a), of the Regulation and in the absence of an appropriate assumption of lawfulness, in violation of art. 6, par. 1, letter c) and 9, par. 2, letter b), and par. 4, of the Regulation.

In a note dated XX, the Company submitted its defence, stating, inter alia, that:

- there would be no processing of personal data by the administration, since "the processing of personal data belonging to the data subject [would be] carried out by the latter" and "must be considered in itself lawful and legitimate under national and Community law, without the conditions and possible limitations set out in Articles 5, 6 and 9 of the Regulation having to (or being able to) be applied to it", similarly to what happens with "the processing of one's own fingerprint stored on a specific device, as a means of access to the same (be it the computer or the smartphone of the person in question) [which] is outside any application of national and Community law" (see pp. 4 and 5);

- "in the present case, all the conditions certainly exist for concluding that, at the time when the employee's identity is checked at the access points, there is indeed processing of biometric personal data [but that the same is] not subject to the rules of the Regulation and the Code" and is "consequently outside the competence of the Supervisory Authority";

- This is because "the processing is carried out directly and personally by the data subject [...] the entire mechanism is specially designed to prevent a person other than the data subject from carrying out the processing of the data subject's biometric data [...] the processing of the biometric data begins (in an automated manner) if and when (and only when) the employee initiates the procedure himself by carrying out two material operations that are under his personal and exclusive control: a. The placing of the badge on the reader and b. The placing of the fingertip on the scanner. After the completion of these operations, the process of data collection and comparison begins" (pp. 7 ff.)

- "such simple gestures have an unambiguous meaning expressive of a precise will of the employee to initiate and therefore, in a certain sense, to consent to the processing of the data";

- 'during the comparison between the stored biometric data and the data detected by the scanner, the reader does not communicate with other systems or machines and there is therefore no possibility that the biometric data that are in that moment (albeit for a very short time) inside the machine are acquired, stored, altered, or processed in any way by third parties. In order to do this, it would be necessary to physically access the machine in the same short period of time in which the comparison of the data takes place - a period of time in which, however, the person concerned is in direct physical contact with the machine itself, which is, therefore, under his direct control";

- 'the entire process of processing biometric data never takes place and can never take place under the direct or indirect control of the administration because it takes place under the direct and exclusive control of the employee and is, indeed, expressly designed to prevent any person other than the data subject from having any access to the personal and biometric data of the same' (p. 9);

- in any event - should it be held that the processing falls within the scope of the Regulation - 'the purpose pursued by the adoption of biometric systems for recording attendance meets an extremely topical need aimed at preventing crimes against the public administration and, in general, improper conduct by employees, which in itself is likely to considerably reduce the efficiency of the Public Administration. Where, as in the case in point, the public administration concerned operates in the field of health care, two distinct interests are therefore at the forefront of both the national (Art. 32 and Art. 97 of the Constitution of the Republic) and Community (Art. 35 and Art. 41 of the Charter of Fundamental Rights of the European Union) order: the right to health and the principle of good administration" (p.11);

- "in recent years, several public administrations have made the same choice of adopting a biometric attendance verification system without encountering, as far as the defending Company is aware, any objection from the aforementioned Authority [...] leading to the general conviction of the lawfulness of the behaviour [...]"; "the Garante, in its provision of 15 September 2016 no. 357, expressed a positive opinion with reference to the preliminary request [of a hospital company ...] for the installation of the system of reading biometric data (fingerprints) for the detection of the presence on duty of employees [...with] modes of operation [similar to those in use] at the ASP of Enna" (p. 16);

- "the existence of a legal obligation dating back to Law 56/2019 [...albeit the subject] of numerous critical remarks regarding the compatibility of that national rule with the Community regulatory context [...] leads to the exclusion that in the present case a breach of Article 6 can be imputed to the ASP of Enna";

- the administration concerned, therefore, "has no choice but to comply with what (the Garante itself) considers to be an obligation imposed by law, in the face of the existence of mere doubts as to the compatibility of that obligation with some of the criteria laid down in the Regulation (doubts which, moreover, the Administration does not consider that it can share except in so far as they relate to methods of detection other than those examined here). The system for recording attendance adopted has in fact been fully adapted to the operating methods suggested in the aforementioned opinion";

- "the actual presence of civil servants on duty and the consequent effective performance of the tasks assigned to them constitute an essential condition for the pursuit of the objective of sound administration. Consequently, it is clear that the criterion laid down in Article 6(e) of the Regulation has been met and that the processing of biometric data in question is therefore lawful [also in the light of] Article 6(f) of the Regulation" (p. 21);

- as regards the infringement of Article 9(2)(b) of the Regulation, "it is clear that the biometric attendance verification system has been adopted by the ASP of Enna because it is expressly provided for as an obligation of the public employer placed on him by Law No. 56/2019 [...]" and "the processing in question is also necessary for the exercise of specific rights of the controller in the field of labour law", all the more so because of the cases of "absenteeism that occurred in the Chiello Hospital of Piazza Armerina, a hospital facility falling within the competence of the ASP of Enna";

- the processing would also find its legal basis in Article 9(2)(g) of the Regulation and Article 2-sexies(2)(u) of the Code: "tasks of the national health service and of those working in the health sector, as well as tasks relating to hygiene and safety in the workplace and the safety and health of the population, civil protection, protection of life and physical safety", which are the main tasks of a local health authority such as the ASP of Enna (p. 26);

- "in preparing the system that would allow biometric detection at the entrance gates, as required by current legislation, the Company decided to comply with the procedures resulting from the previous indications of this Authority, first of all by not installing any audiovisual recording system at the gates. This Company understands and shares the concerns that this Authority expressed in its opinion on the draft implementing regulation of Law no. 56/2019" but "does not share the consideration expressed therein, according to which the incompatibility of the provisions of Article 2 of Law No. 56 would not be remedied by the adoption of special implementing procedures of the obligation enshrined therein, because it would lie 'in the an [whether] rather than the quomodo [how] of the processing'";

- "against the right of freedom constituted by the protection of personal data (and in particular of biometric data) guaranteed by national and Community legislation there are multiple public interests which are not subordinate to it but are ranked equally with it. The assessment of these public interests and the decision to protect them by imposing a generalised obligation is a matter for the ordinary national legislator, also because the Regulation itself expresses it in these terms. The assessment of the proportionality of the processing, therefore, must focus precisely on the content and modalities of the processing itself, without, moreover, forgetting that the same Article 2 of Law 56/2019 recalls this principle as a guiding criterion for the application of the legal obligation" (pp. 30 and 31);

- it is in any event considered that the exemption for excusable error, which case law recognises in application of Article 3 of Law 689/1981 [...], should apply to the conduct of this Company, given "on the one hand the legislator who introduced the generalised obligation to record attendance by means of biometric data, on the other hand the conduct of the Garante itself which, before the introduction of the GDPR, expressly allowed public bodies performing the same functions as this Company and for purposes similar to those pursued by it to introduce a generalised system for recording attendance by means of verification of biometric data, and after the introduction of the GDPR has not, as far as it appears, ordered sanctions or prohibitions against these same bodies for the same reasons now being challenged [...]";

- "the administration has requested and obtained from the legal representative of the contracting company (doc.1) before proceeding with the installation of the system in question and that he attests, under the criminal and personal responsibility of the declarant, the conformity of the system itself to the law and to the opinion of this Authority";

- it was also clarified that "the operation of the system is currently suspended as a result of the objections of the Garante".

3. Outcome of the preliminary investigation activity.

Data protection law provides that the employer may process the personal data of employees, including special categories of data (see Article 9(1) of the Regulation), if the processing is necessary, in general, for the management of the employment relationship and to fulfil specific obligations or tasks provided for by law, by Union law, by regulations or by collective agreements (Articles 6(1)(c), 9(2)(b) and (4), and 88 of the Regulation).

Moreover, processing is lawful when it is "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" or, when "necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject" (Art. 6(1)(e), (2) and (3), as well as 9(2)(g) of the Regulation and 2-ter and 2-sexies of the Code).

The national legislator has defined as "relevant" the public interest in processing "carried out by persons performing tasks of public interest or connected with the exercise of public authority" in the matters indicated, albeit in a non-exhaustive manner, by Article 2-sexies of the Code, establishing that the related processing operations "are permitted if they are provided for [...] by legal provisions or, in the cases provided for by law, by regulations specifying the types of data that may be processed, the operations that may be carried out and the reason of relevant public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the data subject".