Garante per la protezione dei dati personali (Italy) - 9777996
|Garante per la protezione dei dati personali - 9777996|
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5 GDPR|
Article 6 GDPR
Article 28 GDPR
Article 37 GDPR
Article 57(1)(a) GDPR
Article 2-ter Codice Privacy
|National Case Number/Name:||9777996|
|European Case Law Identifier:||n/a|
|Original Source:||GPDP (in IT)|
|Initial Contributor:||Elsje Gold|
The Italian DPA fined a public waste collection company (processor) €200,000 for installing video surveillance systems without prior authorisation of the Municipality of Taranto (controller) and for posting videos on Facebook with identifiable persons without a legal basis.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller is the Municipality of Taranto. The processor is Amiu s.p.a., a public entity facilitating waste collection services for the Municipality of Taranto. A report from the DPA revealed that the processor installed video surveillance systems to detect and sanction illegal activities. Some of these videos showing identifiable persons were posted on its Facebook page. On 14 January 2020, the processor contacted the supplier of the video surveillance system (ITS) without notifying the controller.
Holding[edit | edit source]
The DPA held that the processor violated Article 28(2), as it did not notify the controller prior to contacting ITS about the video surveillance system.
The DPA noted that public entities can lawfully process personal data for the fulfilment of a legal obligation or for the performance of a task in the public interest pursuant to Article 6(1)(c) and (e) GDPR. The DPA followed that even if the processing is lawful, it must also be in accordance with the principles laid down in Article 5. Since no indication of a legal basis for the placement of the videos on its Facebook page was found (Article 6 and Article 2-ter of Code Privacy), the DPA held that the processor violated the principles of "lawfulness, correctness and transparency" (Article 5(1)(a) GDPR).
The DPA further held that the controller violated the principle of "purpose limitation" (Article 5(1)(b)). The DPA found no indication of any compatibility with the purposes for which the personal data was previously collected (detection of illegal activities) for further processing (publication on Facebook).
The DPA fined Amiu s.p.a. €200.000 for the aforementioned violations.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.