Garante per la protezione dei dati personali (Italy) - 9777996

From GDPRhub
Garante per la protezione dei dati personali - 9777996
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 28 GDPR
Article 37 GDPR
Article 57(1)(a) GDPR
Article 2-ter Codice Privacy
Type: Investigation
Outcome: Violation Found
Started:
Decided: 28.04.2022
Published:
Fine: 200.000 EUR
Parties: Amiu s.p.a.
National Case Number/Name: 9777996
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: Elsje Gold

The Italian DPA fined a public waste collection company (processor) €200,000 for installing video surveillance systems without prior authorisation of the Municipality of Taranto (controller) and for posting videos on Facebook with identifiable persons without a legal basis.

English Summary

Facts

The controller is the Municipality of Taranto. The processor is Amiu s.p.a., a public entity facilitating waste collection services for the Municipality of Taranto. A report from the DPA revealed that the processor installed video surveillance systems to detect and sanction illegal activities. Some of these videos showing identifiable persons were posted on its Facebook page. On 14 January 2020, the processor contacted the supplier of the video surveillance system (ITS) without notifying the controller.

Holding

The DPA held that the processor violated Article 28(2), as it did not notify the controller prior to contacting ITS about the video surveillance system.

The DPA noted that public entities can lawfully process personal data for the fulfilment of a legal obligation or for the performance of a task in the public interest pursuant to Article 6(1)(c) and (e) GDPR. The DPA followed that even if the processing is lawful, it must also be in accordance with the principles laid down in Article 5. Since no indication of a legal basis for the placement of the videos on its Facebook page was found (Article 6 and Article 2-ter of Code Privacy), the DPA held that the processor violated the principles of "lawfulness, correctness and transparency" (Article 5(1)(a) GDPR).

The DPA further held that the controller violated the principle of "purpose limitation" (Article 5(1)(b)). The DPA found no indication of any compatibility with the purposes for which the personal data was previously collected (detection of illegal activities) for further processing (publication on Facebook).

Lastly, the DPA held that the processor violated Article 28, as it found that the processor had not appointed a data protection officer pursuant to Article 37.

The DPA fined Amiu s.p.a. €200.000 for the aforementioned violations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.