Garante per la protezione dei dati personali (Italy) - 9832838
| Authority | Garante per la protezione dei dati personali (Italy) |
| Relevant Law | Article 5(1)(a) GDPR; Article 9(2)(b) GDPR; Article 13 GDPR; Article 30(1)(c) GDPR; Article 157 of the Codice in Materia di Protezione dei Dati Personali |
| Parties | Sportitalia (the controller) |
| National Case Number/Name | 9832838 |
| European Case Law Identifier | n/a |
| Original Source | il Garante per la Protezione dei Dati Personali (in IT) |
The Italian DPA fined a sports club €20,000 for the illegal use of a fingerprint system to register the attendance of its employees at work.
English Summary
Facts
Sportitalia, an amateur sports club (the controller), manages several fitness clubs in Milan. The controller installed a system that collected biometric data (fingerprints) of its employees (the data subjects) to record their attendance at the sports clubs, to make it easier for them to record their entry and exit times from work, and to adopt a simpler and faster system than the badge-based system previously in use. This biometric system was installed in the registered office of the controller and in its seven clubs, with a total of 132 data subjects concerned.
In October 2018, a trade union organisation lodged a complaint with the Italian DPA against the controller claiming that the system was illegal. The DPA initiated an investigation followed by a sanctioning procedure.
During the procedure, the controller submitted that the processing of the data subjects' data was based on free and express consent. The controller emphasised that the data subjects could refuse the use of the biometric system in favour of the badge, although no data subject requested the use of this alternative method. In its defence, the controller stated that this system had the sole purpose of recording the attendance of employees in order to facilitate the registration of entry and exit times. The controller also argued that it had acted in good faith and with transparency towards the data subjects by informing them that they could refuse to grant consent to the use of this biometric system and that they could withdraw their consent at any time. The controller indicated that, as of 2 May 2022, it would discontinue using the biometric system and erase all acquired data, returning to the traditional badge registration system. For this reason, the controller instructed its processor to erase the biometric data collected and processed during the use of the fingerprint scanning device.
Holding
The Italian DPA noted that biometric data constitute sensitive data under Article 9(1) GDPR. Additionally, any processing of personal data must have a legal basis in accordance with the principle of lawfulness (Article 5(1)(a) GDPR). In this regard, the DPA observed that, contrary to the statements made during the preliminary investigation, the controller did not offer data subjects a genuine possibility to revoke consent and switch to a traditional badge-based system. Hence, there was no free and explicit consent to process personal data (Article 9(2)(a) GDPR). Although the purposes of monitoring employee attendance and verifying compliance with working hours may be lawful under Article 9(2)(b) GDPR, the processing of biometric data would only be lawful to the extent that it is authorised by national law or EU law and that it safeguards the rights and freedoms of data subjects. The processing must be in line with the principles under Article 5 GDPR and respect data subject rights, such as the right to information.
The DPA noted, in addition to the claims made in the complaint, that the only information provided to the data subjects concerning the processing of biometric data was contained in a short paragraph of the privacy notice describing the general nature of the processing carried out in the context of the employment relationship. The DPA held that the controller did not clearly inform the data subjects about the processing of their biometric data. The DPA declared that, in the context of the employment relationship, the obligation to inform the employee is also an expression of the principle of fairness (Article 5(1)(a) GDPR). Thus, by not providing sufficient information, the controller breached Article 5(1)(a) GDPR and Article 13 GDPR. Additionally, the controller's record of processing activities failed to list biometric data among the categories of data processed and failed to provide a description of such processing, which led the Italian DPA to find a violation of Article 30(1)(c) GDPR.
Since the controller did not safeguard the rights of the data subjects, it also did not meet the requirements of Article 9(2)(b) GDPR, meaning there was no valid legal basis for the processing of biometric data.
Considering, among other factors, the nature of the infringement (violation of general data processing principles), the seriousness and duration of the infringement (just under four years), the controller's cooperation with the DPA, and the absence of any previous relevant violations by the controller, the Italian DPA imposed a fine of €20,000 on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.