Garante per la protezione dei dati personali (Italy) - 9995680: Difference between revisions

From GDPRhub
Latest revision as of 11:58, 11 April 2024

Garante per la protezione dei dati personali - 9995680
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 9 GDPR; Article 9(2) GDPR; Article 13 GDPR; Article 24 GDPR; Article 28 GDPR; Article 30 GDPR; Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 70,000 EUR
Parties: n/a
National Case Number/Name: 9995680
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA imposed a fine of €70,000 on a controller using facial recognition systems for checking attendance of its employees in the workplace.

English Summary

Facts

On 24 October 2022, some employees lodged a complaint with the Italian DPA (‘Garante’). They raised concerns that since February 2022 a biometric facial recognition system, specifically identified as the 'Face Deep 3 - Smart Face Recognition System' produced by Anviz Global, had been used for accessing the worksite in Ardea where they carried out their work tasks and for monitoring their attendance. The same system was also used for employees of L'Igiene Urbana Evolution s.r.l., Blue Work s.r.l., Unica s.r.l., and DM Technology s.r.l. The case at hand focused on the alleged data processing violations by L'Igiene Urbana Evolution s.r.l. ('the controller').

The complaint included photographic documentation indicating concerns regarding the handling of sensitive biometric data, as well as the potential for unauthorized access or misuse of this data, which could compromise the privacy and personal information of the employees involved.

L'Igiene Urbana Evolution s.r.l. used the services provided by DM Technology s.r.l. It was noted by the controller that the manufacturer and supplier of the facial recognition devices had issued a "declaration and certification of conformity" for the biometric device, asserting its full compliance with GDPR regulations.

Based on the complaints and defence statement by the companies concerned, the DPA initiated its own investigation.

Holding

The Garante found that there were two rounds of processing. First, a processing of biometric data in the registration phase to learn the biometric features of the employees and, second, processing in the biometric recognition phase, at the time of attendance on the site.

Although in the employment context the purposes of recording employee attendance and verifying compliance with working time may fall within the scope of Article 9(2)(b) GDPR, the processing of biometric data is permitted only 'in so far as it is authorised by Union or Member State law [...] subject to appropriate safeguards for the fundamental rights and interests of the data subject’. Currently, Italian national law does not provide for the processing of employees' biometric data for the purpose of recording presence on duty. For that reason, the DPA held that the controller’s justification for using a biometric identification system in the context of the ordinary management of the employment relationship cannot apply. The DPA also considered that less invasive measures could have been adopted, such as automatic controls by means of badges, direct checks, etc.

Moreover, the fact that the manufacturer and supplier of the facial recognition devices declared them compliant with the provisions of the GDPR does not exclude the controller from liability, given that the controller, in light of Article 5(2) GDPR, is responsible for the processing of personal data and its compliance with the GDPR provisions. The controller must also be able to demonstrate such compliance with regard to the obligations incumbent on it as per Article 24 GDPR.

It also emerged that the list of employees to be subjected to verification of their presence, by means of the biometric detection system, was, until its suspension, the same for the three companies operating at the Ardea site. L'Igiene Urbana Evolution s.r.l. was found to process data relating to the presence of the employees of all the other companies on the site. This processing lacked any applicable condition under Article 9(2) GDPR and was found in breach of Article 5(2) GDPR.

Additionally, the Garante reiterated that the controller is obliged to communicate to its employees the essential characteristics of the data processing carried out during the employment relationship, as well as the instruments through which the processing is carried out, in accordance with what is specifically indicated in Article 13 GDPR. In the present case, on the other hand, it emerged that the Company failed to provide any information on the characteristics of the processing of biometric data by means of facial recognition. For that reason, a violation of Articles 5(1)(a) and 13 GDPR was established.

Furthermore, several infringements of the controller's obligations under Article 28 GDPR were found. The DPA found that, despite using the services provided by DM Technology s.r.l., the controller failed to designate said company as a data processor, as required by Article 28 GDPR.

The DPA also established that the controller failed to carry out a data protection impact assessment prior to the beginning of the processing operations, thus violating Article 35(1) GDPR. This was mandatory, especially for biometric identification, which can result in a high risk to the data subjects’ rights.

Lastly, the DPA found an infringement of Article 30(1)(c) GDPR for not indicating biometric data among the types of data processed by the data controller.

In light of the abovementioned, the Garante imposed a fine amounting to €70,000.

Comment

The DPA ruled in cases concerning the processing of employees' data using facial recognition systems by Airone società consortile a r.l. (€5,000) and Blue Work s.r.l. (€6,000) in separate procedures.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

See also: Newsletter of 28 March 2024



[doc. web no. 9995680]

Provision of 22 February 2024

Register of measures no. 105 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING REGARD to the complaints lodged pursuant to art. 77 of the Regulation against L'Igiene Urbana Evolution s.r.l.;

HAVING EXAMINED the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

RAPPORTEUR: the lawyer Guido Scorza;

PREMISE

1. Complaints against the Company.

On 24 October 2022, some employees of L'Igiene Urbana Evolution s.r.l. (hereinafter, the Company) presented a complaint to the Authority, complaining that, starting from February 2022, in order to access the construction site located in Ardea, where the employees' work activities take place, and to ascertain their presence in the workplace, it was necessary to use a biometric detector based on facial recognition.

According to the documentation, including photographs, attached to the complaints, the processing was carried out using the “Face Deep 3 – Smart Face Recognition System” device, produced by Anviz Global.

According to what was complained about, the processing of biometric personal data would be "illegitimate", also taking into account that the purpose thereof "could equally be achieved with less invasive means of the worker's personal sphere".

2. The preliminary investigation activity.

The Authority delegated the Special Privacy and Technological Fraud Unit of the Financial Police to carry out inspections pursuant to articles 157 (Request for information and production of documents) and 158 (Inspections) of the Code.

On 19 January 2023, the Unit, together with Authority personnel, went to the construction site located in Ardea, where they recorded the following declarations:

"the following companies operate within the industrial storage site: L'Igiene Urbana Evolution s.r.l., Airone consortium company a r.l., Blue Work s.r.l., which operate as a joint venture for the waste management of the Municipality of Ardea" (inspection report 19/1/2023, p. 2);

"inside a room adjacent to the vehicle fleet there is an employee recognition device based on facial biometrics [...]. The system is used to record attendance by approximately 63 employees of the companies [working on the construction site] plus any seasonal workers or temporary substitutes" (minutes cited, p. 3);

"the employee registration phase, carried out over a period of a few months, was carried out by entering the employee code (ID) associated with the name, based on a list provided by the company itself. Once this ID was entered, the employee's face was recognized [...] and the system validated the registration" (minutes cit., p. 3);

"in the room where the device is present there are always signature sheets which are used as an alternative to facial recognition, in the event of a malfunction of the device" (minutes cited, p. 3);

during the investigation, the inspectors verified that "the device is functional and connected to the network [...]. By logging in with the Admin credentials, as reported in the user manual and not modified during the installation, the data relating to clocking in and user details were exported and the internal database was backed up" (minutes cit., p. 3);

the JuniorWeb application was also accessed "through which employee attendance is managed, as recorded via the facial recognition device. The data were exported, including the dismissed employees, and it was verified that the system shows the indication of 3 additional companies (DMT, IGNEVO, UNICA srl) and 17 additional cost centers" (report cit., p. 3);

"the companies that manage the system are the three previously indicated, part of the ATI and [...] the system was installed by Igiene Urbana Evolution" (minutes cited, p. 4).
On 26 January 2023, during the inspection carried out at the administrative headquarters of L'Igiene Urbana Evolution s.r.l., the Company declared that:

“the Temporary Business Association (ATI) was established in January 2020 […]. Currently the ATI is made up of the companies: Igiene Urbana Evolution and Blu Work. […] In March 2021, for the sole purpose of operational management of the order, the companies L'Igiene Urbana Evolution and Blu Work established the Airone consortium company a r.l.” (inspection report 26/1/2023, p. 3);

“The biometric attendance detection device in Ardea was installed by the parent company also in light of numerous disciplinary proceedings […] relating to delays, absences, interruptions and abandonments of the service […] as well as by virtue of the numerous related disputes and convictions to claims for overtime compensation, taking into account that the waste collection and transport service is an essential public service [...]. The system was also deemed necessary as all the employees of the Ardea shipyard were [...] hired [...] by virtue of a social clause" (minutes cit., p. 3);

the biometric system was activated "in December 2021 (first stamping on 27 December 2021) and the number of interested parties, employees of the [Company] is currently 37 units" (minutes cited, p. 3);

"other employees of Blu Work and Airone are present on the site" (minutes cit., p. 3);

in addition to the biometric device installed at the Ardea construction site, the Company has installed other "9 biometric devices, reserving the right to produce a specific statement" (minutes cited, p. 4);

"the company, on the basis of the declaration and certification of conformity of the biometric device provided by the manufacturer «Anviz Global Inc.», attached to the product supplied by the service company UNICA srls, in which it was declared that the device was fully compliant with the GDPR, believed it could use it pursuant to art. 9 c.2, par. b. of the Regulation” (minutes cited, p. 4);

"in March 2021, the company formalized, with the company Unica srls, the purchase of the attendance detection devices, which were physically installed by DM Technology srl by virtue of a previous service and maintenance contract" (report cit., p. 4);

in relation to the processing of biometric data, the Company did not designate data processors, did not carry out an impact assessment and did not provide "specific information on the processing of biometric data" (minutes cited, p. 5);

the processing of biometric data was not recorded in the processing register (minutes cited, p. 5; the register dated 12/29/2021 is in Attachment 5).
On 27 January 2023, inspection activities continued at the administrative headquarters of L'Igiene Urbana Evolution s.r.l. On this occasion the Company further represented that:

“UNICA srls is the company that provides administrative, organizational and technical consultancy activities” for the Company (inspection report 27/1/2023, p. 2);

“the biometric devices reported in the invoices […] are the totality of the devices purchased from the aforementioned service provider (13 devices in total). Following the purchase, UNICA srls, pursuant to the «Agreement for construction site consultancy/professional assistance» [...] gave [the Company] the opportunity to benefit from n. 10 devices mentioned in yesterday's report. The aforementioned devices were then installed [...] by the DM Technology company” (minutes cited, p. 2);

the Company provided "the statement regarding the different installation locations of the devices (Annex 3)" (minutes cited, p. 2);

“all biometric devices […] have been deactivated as a precaution” (minutes cited, p. 2);

"the functioning of the presence detection at the 9 sites indicated [...] is identical" to that envisaged for the Ardea construction site (minutes cited, p. 2);

“the devices are installed in order to carry out attendance detection through one-to-many comparison of the biometric fingerprint of the employees' faces and [...] Unica srls has provided the user manual for the same. Subsequently, the DM Technology technician trained the site manager on the use of the device" (minutes cit., p. 2);

during access to the Junior Web system, with the Admin profile, the clocking statement for the month of December 2022 was displayed, including the employees of different sites (indicated as CDC, cost centers). "[…] of all the cost centers displayed only 10 refer to the company. The remaining CDCs refer to other companies, for which DM Technology provides assistance on biometric detection devices" (minutes cited, p. 3);

"the biometric data of the interested parties reside exclusively in the device and are not accessible remotely, nor locally, except for deletion, which can only be carried out directly on the device" (minutes cited, p. 3);

“the accounts to access Junior Web are provided and managed by DM Technology, which also manages the device access accounts” (minutes cit., p. 3);

“Probably the default password, present on the device located in Ardea, has been maintained on many installed devices. For this type of credential there is no expiration of validity, which is instead foreseen for Junior Web accounts" (minutes cit., p. 3);

“the devices located at the Igiene Urbana Evolution sites are connected to a server located at the company headquarters [...], for sending the data relating to clocking in. Devices located on the sites of other companies connect to respective and different servers. The data is then integrated by DM Technology, for viewing with the Admin profile” (minutes cit., p. 4);

“the device is equipped with a special “Bionano” algorithm to encrypt biometric data in a non-reversible way” (minutes cit., p. 4);

a copy of the declaration of compliance with data protection regulations by the supplier of the devices was provided (minutes cited, p. 4).
On 30 May 2023, in light of the declarations issued during the previous inspections, inspections were also carried out at the registered office of DM Technology s.r.l.

The latter stated that:

"of the three users assigned [by the device supplier], one user, used by DM, had an Admin profile, with the possibility of operating completely on the application and having visibility of the data of the 3 companies" (inspection report 30 May 2023, p. 3);

"once the use of the FD3 devices was fully operational, DM provided assistance on Junior Web for Unica, Igiene Urbana Evolution and DM itself [...] through [the user provided by the supplier] it was possible to see the clocking data of the cost centers belonging to Unica, Igiene Urbana Evolution and DM" (minutes cited, p. 3).

3. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

On 13 September 2023, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, letter a), 9, par. 2, 13, 28, 30, 32 and 35 of the Regulation.

With defense briefs sent on 13 October 2023, the Company declared that:

a. the Company found "during 2021 a heavy worsening of the phenomenon of absenteeism, notably accompanied by fraudulent clockings which attested to the presence on duty of employees who, in reality, did not regularly perform their services: this is an issue that has given a considerable burden, due to the social clause, substantiated by the art. 6 of the National Collective Labor Agreement for Environmental Hygiene”;

b. “the matter has been the subject of a heated labor dispute […]. These appeals concerned the request for recognition of salary differences for alleged hours of overtime worked [...] but which, in truth, the undersigned did not believe had ever actually been carried out. Furthermore, the proceedings had negative outcomes precisely by virtue of the circumstance whereby the undersigned was unable to verify with certainty the actual working hours worked by the appellants (as paper time sheets were used)";

c. “The ordinary law enforcement tools adopted for this purpose have proven to be completely ineffective. It is in this context that, in the exercise of the physiological prerogatives of organization and control over the regular performance of services for defensive purposes, it was decided to adopt measures which, in full respect of workers' rights, would allow a distortive phenomenon to be nipped at its root";

d. “the adoption of an attendance detection system using facial recognition was achieved by contacting the [device supplier company], which markets a system implemented by a leading company on the market (Anviz Global), whose application (Face Deep 3 – Smart Face Recognition System) was presented as a tool fully consistent with the constraints deriving from compliance with the legislation protecting the protection of workers' personal data";

e. “It should also be specified that, in the report dated 01.19.2023, in relation to the content of the back-up of the DB internal to the device acquired by the inspectors, the indication “stampings and user records” must, indeed, be understood as referring to a mere numerical code (corresponding to each worker) related to the stamping date and time. […] the encrypted biometric templates, purchased during the enrollment phase […], were associated with the aforementioned numerical codes, without any storage in the device of the name and surname of the interested parties”;

f. “the biometric data resides exclusively in the device and cannot be accessed remotely or locally, […]”;

g. "the system is set up in such a way as to limit access to the encrypted data only to personnel in possession of specific authorization credentials [...] The observation remains, certainly well founded, on the lack of strength of the password for accessing the application of the device";

h. "in any case, staff have always been guaranteed the possibility of not using the facial recognition application, replacing it with attendance sheets [...], as in the case, for example, of malfunction or non-activation of the devices";

i. "immediately after the verification, the processing was suspended [...], a privacy consultant was appointed, the procedure for the disposal of said biometric devices was identified, consisting of: dismantling, storage in protected premises, awaiting conclusion of this proceeding [...] and, at the end of the proceeding, deletion of the data present on the devices; return to the supplier company; closure of the Junior Web account, software necessary to use the devices";

j. “while considering the principle referred to in art. 24 of the GDPR and the related obligations in terms of accountability, it does not appear that the circumstance that the company turned to a market-leading supplier company, which had given full guarantees in terms of general information on the conformity of the product, valorising in particular the element of data encryption and its non-reversibility";

k. “Finally, as regards the number of interested parties involved, it should be noted that, as regards the Ardea site, there were approximately 37 employees (belonging to the three different companies forming part of the ATI) and that on each site the same with only the workers employed at the 9 sites involved, and they add up to 218 units in total (the figure cited in the dispute, of 288 units, is the result of an incorrect count which also takes into account duplicate positions, as we have tried to explain and document during the inspection)”;

l. “in the period between 2021 and 2022, the Company incurred significant expenses due to the impact of the Covid-19 Pandemic specifically connected to the huge costs for managing personnel and sanitizing work environments; [...] the imposition of burdensome financial sanctions could have significant economic and financial impacts on company activities, with inevitable negative repercussions also on the already burdensome complex management of personnel in the difficult and complex working context in which the undersigned operates".

During the hearing requested by the Company, held on 4 December 2023, it finally argued, among other things, that:

a. "with respect to the requests made by the workers in the complaints presented to the Authority, following the inspection the Company immediately ordered the precautionary suspension of the processing carried out up to that point via the facial recognition system";

b. “the facial recognition system had been used because the legal basis had been interpreted, even erroneously”;

c. “although the Company has not fulfilled all the obligations imposed by data protection legislation, it has taken into account the security of the data, adopting the maximum security measures required”;

d. “Igiene Urbana Evolution and DM Technology did not proceed with the deletion of the data while awaiting the definition of the procedure and in view of further checks by the Authority. However, a procedure has already been established for the deletion of data collected with the facial recognition system which will be activated as soon as the procedure before the Authority is concluded".

4.1. Violation of art. 5, par. 1, letter a) and art. 9 of the Regulation in relation to the processing of data of its employees.

Upon examination of the declarations made to the Authority during the proceedings, as well as the documentation acquired, it appears that the Company, as controller, carried out some processing operations, relating to the complainants, which do not comply with the relevant rules on the protection of personal data. In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".

On the merits, following the outcome of the preliminary investigation, it was ascertained that the Company used a biometric system, based on facial recognition, from December 2021 (the date on which the system was activated, according to what was declared by the Company; however, it did not clarify on which date the employee registration activities, with the consequent data processing, began) until January 2023, the date on which the system was deactivated "as a precaution" following the start of the assessment activity by the Authority.

The use of the biometric system, aimed at detecting the presence of employees on duty, was determined, according to what was declared, by the multiplication of "absenteeism" phenomena and of disputes initiated against the Company by workers relating to "claims for overtime compensation". Furthermore, the adoption of the biometric system, according to what was declared by the Company, would also have been necessary due to the fact that "all the employees of the Ardea shipyard have [...] been hired [...] pursuant to a social clause", with the consequent impossibility for the employer to choose the other parties to the employment contract.

The processing involved a significant number of interested parties, considering that, during the investigations, it emerged that the Company used the same type of biometric detector not only at the Ardea construction site, but also at a further 9 sites where it carries out its activity (see minutes 27/1/2023, p. 2).

In particular, based on the examination of the "table regarding the different installation locations of the devices" provided by the Company, including the number of its employees employed at each location, it emerges that the processing involved a total of 288 workers (see minutes cit., Annex 3).

Even subtracting the 12 workers on the site at the Municipality of Ravello, whose device would have been "assembled [but] never put into operation", as indicated in the prospectus (without however specifying whether or not data collection was carried out, which is in any case a processing operation), there would be a total of 276 employees, i.e. a significant number of interested parties involved in the processing of biometric data.

Furthermore, contrary to what is claimed in the defense briefs, during the proceedings the Company neither indicated nor documented the existence of the alleged "duplicate positions" on account of which the total number of people affected by the biometric detection would instead amount to 218 employees; in any case, that number would also be significant.

Preliminarily, it is noted that, as clarified by the Authority, biometric data are processed both in the registration phase (so-called enrollment), consisting of the acquisition of the biometric characteristics of the interested party (facial characteristics, in this case; see points 6.1 and 6.2 of Annex A to the provision of the Guarantor of 12 November 2014, no. 513, at www.garanteprivacy.it, web doc. no. 3556992), and in the biometric recognition phase, at the time of recording attendance (see also point 6.3 of Annex A to the aforementioned provision).

Therefore, even where only the so-called template is extracted, biometric data are processed, with the consequent application of the specific rules provided for by law.

In this regard, under data protection legislation, the processing of biometric data (generally prohibited pursuant to art. 9, par. 1 of the Regulation) is permitted only if one of the conditions set out in art. 9, par. 2 of the Regulation is met and, with regard to processing carried out in the workplace, only when the processing is "necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject" (art. 9, par. 2, letter b) of the Regulation; see also art. 88, par. 1 and recitals 51-53 of the Regulation).

Furthermore, the employer is required to apply the general principles of processing, in particular those of lawfulness, correctness and transparency, minimization, integrity and confidentiality of data (art. 5, par. 1, letter a), c) and f) of the Regulation).

In application of these provisions, although in the employment context the purposes of recording employee attendance and verifying compliance with working hours may fall within the scope of art. 9, par. 2, letter b) of the Regulation, the processing of biometric data is nonetheless permitted only "in so far as it is authorised by Union or Member State law [...] providing for appropriate safeguards for the fundamental rights and the interests of the data subject" (art. 9, par. 2, letter b) and recitals 51-53 of the Regulation).

Also taking into account art. 2-septies of the Code (Safeguard measures for the processing of genetic, biometric and health-related data), under which such processing operations may be carried out in accordance with the safeguard measures established by the Guarantor (pursuant to art. 9, par. 4 of the Regulation), the legislation currently in force does not allow the processing of employees' biometric data for the purpose of detecting their presence on duty.

This was reiterated by the Guarantor with provisions no. 369 of 10 November 2022 (web doc. no. 9832838) and no. 16 of 14 January 2021 (web doc. no. 9542071).

The use of biometric data in the ordinary management of the employment relationship (such as attendance recording), for the declared purposes of dealing with disciplinary offences and with disputes over the payment of overtime compensation, and on account of the fact that the personnel at the site where the assessment activity was carried out had been hired through the so-called social clause (although this last reason is not pertinent, also considering that the reasons for which the biometric system was adopted at a further 9 sites managed by the Company were not disclosed), is therefore not compliant with the principles of minimisation and proportionality of processing (art. 5, par. 1, letter c) of the Regulation).

Given, in this regard, that the Company did not illustrate (or document during the proceedings) which "ordinary enforcement tools" had actually been adopted and had proven "completely ineffective", measures that were useful for accounting for the actual hours worked and for ascertaining the presence of workers in the workplace, but less invasive of the rights of the interested parties, could have been adopted (e.g. automatic checks using badges, direct checks, etc.).

The proportionality assessment of the processing of biometric data by facial recognition should also have taken into account the risks for the rights and freedoms of the interested parties connected to the use of this particular biometric technology, as recognised both in national law and at European level (see decree-law 10/5/2023, no. 51, converted into law 3/7/2023, no. 87, which by art. 8-ter extended to 31 December 2025 the suspension of the installation and use of video surveillance systems with facial recognition "in public places or places open to the public, by public authorities or private entities", in order to "regulate the eligibility requirements, conditions and guarantees relating to the use of facial recognition systems in compliance with the principle of proportionality provided for in Article 52 of the Charter of Fundamental Rights of the European Union"; see also: European Data Protection Board, Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement, adopted on 26/7/2023, spec. points 17, 34 and 35 on the risks of facial recognition; Guidelines 3/2019 on the processing of personal data through video devices, adopted on 29 January 2020, spec. points 4 and 73; see also the provision of 10 February 2022, no. 50, web doc. no. 9751362, adopted, albeit in a different context, regarding facial recognition).

Finally, the circumstance that the manufacturer and supplier of the facial recognition devices (parties who must in any case take the right to data protection into account: see recital 78 of the Regulation) had produced a "declaration and certification of conformity of the biometric device [...], in which it was declared that the device was fully compliant with the GDPR" (see inspection report 26/1/2023, p. 4), cannot eliminate the Company's liability, considering that the data controller, under art. 5, par. 2 of the Regulation and on the basis of the so-called principle of accountability, "shall be responsible for, and be able to demonstrate compliance with" the general principles of processing, with regard to the obligations incumbent on it (art. 24 of the Regulation).

This also taking into account that, on the specific point, the Authority has recently (as mentioned above) expressed its view on the legitimacy criteria and the principles applicable to the processing of biometric data in the context of the employment relationship, publishing the decisions adopted on the matter on its institutional website.

Therefore, the data controller, before using devices made by third parties, should have verified that the related processing operations complied with the applicable principles.

Lastly, it is noted that the use of signature sheets was not an alternative, as argued by the Company, to the use of the facial recognition device, given that, based on the documentation on file, employees could use them only in the event of a malfunction of the biometric devices.

However, even if a non-biometric detection system had been made available to workers as an alternative to the biometric one, the processing carried out would not have complied with the data protection provisions in the terms set out above and would in any case have been unnecessary with respect to the declared aim of overcoming the problems linked to the use of signature sheets to certify presence in the workplace.

Based on the above reasons, the processing of the biometric data of its employees carried out by the Company appears to have taken place in the absence of an appropriate legal basis, in violation of art. 5, par. 1, letter a) and art. 9 of the Regulation.

4.2. Violation of art. 5, par. 1, letter a) and art. 9 of the Regulation in relation to the processing of data of employees of other companies.

As a result of the access to the system and the examination of the documentation on file, it also emerged that the list of employees subject to presence verification via the biometric detection system was, until its suspension, a single list shared by the three companies operating at the Ardea construction site (in addition to the Company, also Airone consortium company a r.l. and Blue Work s.r.l.), each of which provided the list of its own employees to be verified.

In fact, the paper signature sheet, the attendance log extracted from the JuniorWeb application and the data exported from the Anviz device, all acquired on file, present a list shared between the three companies, with the company to which each person belongs indicated next to each name (see inspection report 19/1/2023, Annex 1 [Attendance Journal January 2023, report generated by Junior Web, and signature sheets dated 19/1/2023], Annex 2 [tables with the export of data extracted from the device] and Annex 3 [screenshot of access to the data contained in the device]).

From the documentation acquired during the inspection, it also emerged that the overall processing carried out by the system also concerned the employees of Unica s.r.l.s. and DM Technology s.r.l. (see inspection report 27/1/2023, Annex 6, "Total employee export table", containing the list of clock-in records as of 27/1/2023 relating to the employees of L'Igiene Urbana Evolution s.r.l., Airone consortium company a r.l., Blue Work s.r.l., Unica s.r.l.s. and DM Technology).

Therefore, the Company also processed the attendance data of the employees of Airone consortium company a r.l., Blue Work s.r.l., Unica s.r.l.s. and DM Technology s.r.l., taken from the biometric attendance recording system, likewise in the absence of any of the applicable conditions among those provided for by art. 9, par. 2 of the Regulation.

The processing operations described therefore took place in violation of art. 5, par. 1, letter a) and art. 9 of the Regulation.

4.3. Violation of art. 5, par. 1, letter a) and art. 13 of the Regulation.

The Guarantor has repeatedly reiterated that the employer, in application of the principle of transparency, is in any case obliged to inform its employees and collaborators of the essential characteristics of the processing carried out during the employment relationship and of the tools through which the processing is carried out, in accordance with what is specifically set out in art. 13 of the Regulation.

This is also considering that, in the context of the employment relationship, the obligation to inform the employee is also an expression of the duty of correctness (art. 5, par. 1, letter a) of the Regulation).

In the present case, it emerged that the Company failed to provide any information on the characteristics of the processing of biometric data through facial recognition (see minutes 26/1/2023, p. 5, where the Company declared that it had provided "no specific information on the processing of biometric data").

This resulted in the violation of art. 5, par. 1, letter a) and art. 13 of the Regulation.

4.4. Violation of art. 28 of the Regulation.

Under the Regulation, the data controller, when preparing the technical and organisational measures for which it is responsible, also from a security standpoint (arts. 24 and 32 of the Regulation), may make use of a processor to carry out certain processing activities, to which it gives specific instructions (see recital 81 of the Regulation).

In that case, the controller "shall use only processors providing sufficient guarantees to implement [the aforementioned measures] in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject" (art. 28, par. 1 of the Regulation).

Pursuant to art. 28 of the Regulation, the controller may also entrust processing to external parties, provided that it adequately regulates the relationship with a contract (or other legal act) and gives instructions on the main characteristics of the processing.

The processor is therefore entitled to process the data of the interested parties "only on documented instructions from the controller" (art. 28, par. 3, letter a) of the Regulation) and within the specific limits defined by the controller.

The Company, although it made use of the services provided by DM Technology s.r.l. for the management of the Junior Web application, in ways that gave that company access to employee attendance data and the related processing (see inspection report 30/5/2023 at DM Technology s.r.l., p. 3; see Maintenance Agreement dated 28/10/2020, signed by DM Technology and L'Igiene Urbana, Annex 2 to the inspection report 27/1/2023), did not designate that company as processor, as required by art. 28 of the Regulation (see minutes 26/1/2023, p. 5).

Furthermore, it emerged that the Company made use of the "consultancy, assistance and labour law compliance" services provided by Unica s.r.l.s. on the basis of an agreement between the parties (see "Consultancy agreement on employment/professional assistance", dated 28/12/2020), which expressly provides for activities such as the preparation of sickness, maternity and holiday settlement statements and the processing of printouts for union withholdings, which necessarily involve the processing of personal data of the controller's employees.

Also in relation to this activity, the Company did not designate the service provider as processor, as instead required by art. 28 of the Regulation.

It is noted that, during the proceedings, the Company produced copies of the designations of DM Technology s.r.l. and Unica s.r.l.s. as processors for the processing of personal data carried out in execution of the agreements stipulated between the parties, adopted on 1/6/2023 (see defense briefs 13/10/2023, Annexes 5 and 6).

For the above reasons, in the terms set out above, the Company has therefore violated art. 28 of the Regulation.

4.5. Violation of art. 35 of the Regulation.

Under art. 35 of the Regulation, where processing, "in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons", the controller is required to carry out a data protection impact assessment before starting the planned processing.

In this regard, Guidelines WP 248rev.01 of 4/4/2017 ("Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation (EU) 2016/679") identify, among the criteria in the presence of which the controller is required to carry out an impact assessment, and of relevance in the present case, the processing of "sensitive data", which include biometric data (see chapter III, B, no. 4), processing concerning "vulnerable" data subjects (e.g. as parties to an employment relationship; see chapter III, B, no. 7), and processing involving the "innovative use or applying new technological or organisational solutions" (see chapter III, B, no. 8).

Further indications were provided in this regard by the provision of the Guarantor of 11 October 2018, no. 467 ("List of the types of processing subject to the requirement of a data protection impact assessment pursuant to art. 35, paragraph 4, of Regulation (EU) 2016/679", in the Official Journal, General Series no. 269 of 19/11/2018, spec. nos. 6 and 7), although it refers to cross-border processing.

Despite having adopted a biometric authentication system to detect the presence of its employees at all the sites where it operates, the Company did not carry out an impact assessment before the start of the processing, in violation, in the terms set out above, of art. 35, par. 1 of the Regulation.

4.6. Violation of arts. 30 and 32 of the Regulation.

Under art. 30 of the Regulation, within the record of processing activities kept under its own responsibility, the controller is required to indicate the categories of personal data processed (art. 30, par. 1, letter c) of the Regulation).

As clarified by the Authority, the record constitutes one of the main elements of the controller's accountability, as it is a tool suited to providing an up-to-date picture of the processing operations taking place within its organisation, essential for any risk assessment or analysis activity and therefore preliminary to those activities.

The record must be in written form, including electronic form, and must be made available to the Guarantor on request (see in this regard the FAQs on the record of processing activities, made available by the Guarantor on its institutional website in October 2018, web doc. no. 9047529).

In the present case, it emerged that the record of processing activities dated 29/12/2021 does not indicate biometric data among the types of data processed by the controller (see minutes 26/1/2023, Annex 5).

This is in violation of art. 30 of the Regulation.

Furthermore, when accessing the Anviz terminal used for clocking in after facial recognition during the inspection, it emerged that the authentication credentials of the Admin profile were the same as those reported in the user manual (user ID, i.e. the so-called default ID, "0"; password "12345") and had never been modified over time, that is, since the installation date in December 2021.

According to the Company's declarations, other devices, in addition to the one installed at the Ardea construction site, had likewise kept the same standard credentials required for first access (see inspection reports 19/1/2023, p. 3 and 27/1/2023, p. 3).

This made it possible to access the information stored in the terminal simply by consulting the device's user manual, which can also easily be found on the Internet, or in any case by typing the first five cardinal numbers in ascending order (see Annex 2 to the inspection report 19/1/2023, containing the photographic documentation of the accesses carried out, spec. IMG_20230119_103040943.jpg).

This conduct does not comply with art. 32 of the Regulation, under which the data controller is required to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk", ensuring "the ongoing confidentiality" of the personal data processed, taking into account "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons".

The Company has therefore also violated art. 32 of the Regulation.
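As an added illustration of the art. 32 point (example code, not part of the decision and not Anviz software), the following audit flags terminals whose administrator profile still carries the vendor default quoted above, has never been rotated since installation, has exceeded a rotation age, or uses a sequential-digit password. Only the Anviz default pair ("0"/"12345") and the December 2021 installation come from the decision; the exact installation day, the second site, its rotated credential and the second vendor entry are constructed.

```python
"""Audit terminal administrator credentials against vendor defaults.

Added example: this is not code from the Garante decision or from Anviz.
Only the default pair (user ID "0", password "12345") for the Anviz terminal
is taken from the decision; every other value below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Factory defaults documented in vendor manuals, keyed by model.
# The Anviz entry is the one quoted in the decision; the second is constructed.
VENDOR_DEFAULTS: Dict[str, set] = {
    "Anviz Face Deep 3": {("0", "12345")},
    "ExampleVendor ClockPro (constructed)": {("admin", "admin")},
}


@dataclass
class Device:
    site: str
    model: str
    admin_user: str
    admin_password: str
    installed_on: date
    # None means the administrator password was never changed after installation.
    password_changed_on: Optional[date] = None


@dataclass
class AuditResult:
    site: str
    credential_age_days: int
    findings: List[str] = field(default_factory=list)


def is_sequential_digits(pw: str) -> bool:
    """True for runs such as "12345" or "54321": consecutive digits, all
    ascending or all descending. Catches the "first five cardinal numbers in
    ascending order" pattern noted by the inspectors, without a wordlist."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def audit_device(dev: Device, as_of: date, max_age_days: int = 365) -> AuditResult:
    """Check one terminal and return the art. 32-relevant findings."""
    findings: List[str] = []
    if (dev.admin_user, dev.admin_password) in VENDOR_DEFAULTS.get(dev.model, set()):
        findings.append("default-credentials")
    if dev.password_changed_on is None:
        findings.append("never-rotated")
        last_set = dev.installed_on
    else:
        last_set = dev.password_changed_on
    age = (as_of - last_set).days
    if age > max_age_days:
        findings.append("credential-age-exceeded")
    if is_sequential_digits(dev.admin_password):
        findings.append("sequential-digit-password")
    return AuditResult(site=dev.site, credential_age_days=age, findings=findings)


def audit_inventory(devices: List[Device], as_of: date) -> Dict[str, AuditResult]:
    """Audit every device and index the results by site name."""
    return {dev.site: audit_device(dev, as_of) for dev in devices}


# Constructed inventory. The Ardea row mirrors the facts in the decision
# (installed December 2021, defaults never changed); the exact installation
# day, the second site and its rotated credential are made up.
AS_OF = date(2023, 1, 19)  # date of the Ardea inspection
INVENTORY = [
    Device("Ardea", "Anviz Face Deep 3", "0", "12345", date(2021, 12, 1)),
    Device("Site B (constructed)", "Anviz Face Deep 3", "0", "Vq7!m2Lz",
           date(2021, 12, 1), password_changed_on=date(2022, 11, 1)),
]

if __name__ == "__main__":
    for site, result in audit_inventory(INVENTORY, AS_OF).items():
        status = ", ".join(result.findings) or "no findings"
        print(f"{site}: credential age {result.credential_age_days} days; {status}")
```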

5. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2 of the Regulation.

For the aforementioned reasons, the Authority considers that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office in the act initiating the proceedings to be overcome, and are therefore unsuitable to allow this proceeding to be dismissed, as none of the cases provided for by art. 11 of the Guarantor's Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company, and in particular the processing of biometric data (facial recognition) of its own employees and of those of other companies for the purpose of recording attendance, is therefore unlawful, in the terms set out above, in relation to art. 5, par. 1, letter a) and arts. 9, 13, 28, 30, 32 and 35 of the Regulation.

The violation, ascertained within the terms set out in the motivation, cannot be considered "minor", taking into account the nature of the violation which concerned the general principles and conditions of lawfulness of the processing of particular data as well as the seriousness of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).

However, the Authority acknowledges that, according to what was declared under its own responsibility, the Company has taken steps to suspend biometric data processing operations after the start of the inspection activity and has identified a "procedure for the disposal of biometric devices" which provides, among other things, that at the end of the proceedings initiated by the Guarantor, the data stored on the devices will be deleted (see defense briefs 10/13/2023).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the proceeding is concluded with the sole application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) of the Regulation).

6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (arts. 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7 of the Code).

At the end of the proceedings, it appears that L'Igiene Urbana Evolution s.r.l. has violated art. 5, par. 1, letter a) and arts. 9, 13, 28, 30, 32 and 35 of the Regulation. For violations of the aforementioned provisions, the pecuniary administrative sanction provided for by art. 83, par. 4, letter a) and par. 5, letters a) and b) of the Regulation applies, through the adoption of an injunction order (art. 18, law 24/11/1981, no. 689).

It being necessary to apply paragraph 3 of art. 83 of the Regulation, which provides that "If a controller [...] intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the total amount of the sanction is calculated so as not to exceed the legal maximum provided for by art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and quantifying it, taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is noted that, in this case, the following circumstances were considered:

a) in relation to the nature, seriousness and duration of the violation, the nature of the violation was considered to the detriment of the Company, since it concerned the general principles and conditions of lawfulness of processing and the processing of the special category of biometric data using facial recognition technology;

b) the duration of the violation which lasted for more than a year and the significant number of interested parties involved were also considered to the detriment of the Company;

c) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company and its degree of responsibility were considered, given that it failed to comply with data protection rules in relation to a plurality of provisions;

d) in favor of the Company, the cooperation with the Supervisory Authority and the decision to suspend the processing activities after the start of the inspection activities were taken into account.

It is also considered that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the sanction (art. 83, par. 1 of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved by the Company according to the ordinary financial statements for the year 2022, are first of all relevant in the specific case. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments carried out, it is considered appropriate, in this case, to apply to L'Igiene Urbana Evolution s.r.l. the administrative sanction of payment of a sum equal to 70,000 (seventy thousand) euros.

In this framework, in consideration of the type of violations ascertained, which concerned the general principles and conditions of lawfulness of processing, it is also considered that, pursuant to art. 166, paragraph 7 of the Code and art. 16, paragraph 1 of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.

It is also considered that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

notes the unlawfulness of the processing carried out by L'Igiene Urbana Evolution s.r.l., in the person of its legal representative, with registered office in Via Roberto Lepetit, 8/10, Milan (MI), tax code 11277540966, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, letter a) and arts. 9, 13, 28, 30 and 32 of the Regulation;

ORDERS

L'Igiene Urbana Evolution s.r.l., pursuant to art. 58, par. 2, letter i) of the Regulation, to pay the sum of 70,000 (seventy thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

ORDERS

therefore the same Company to pay the aforementioned sum of 70,000 (seventy thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of law no. 689/1981. It is noted that the offender remains entitled to settle the dispute by paying, always according to the methods indicated in the annex, an amount equal to half of the sanction imposed, within the deadline set out in art. 10, paragraph 3 of Legislative Decree no. 150 of 1/9/2011 for lodging the appeal indicated below (art. 166, paragraph 8 of the Code);

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7 of the Code and art. 16, paragraph 1 of the Guarantor's Regulation no. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Requests L'Igiene Urbana Evolution s.r.l. to communicate which initiatives have been undertaken to delete the biometric data stored on the devices, and to provide adequately documented feedback pursuant to art. 157 of the Code within 90 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by art. 83, par. 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this provision may be challenged before the ordinary judicial authority, by an appeal lodged with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 22 February 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE GENERAL SECRETARY
Mattei

SEE ALSO Newsletter of March 28, 2024

[doc. web no. 9995680]

Provision of 22 February 2024

Register of measures
n. 105 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Guido Scorza, lawyer, members, and Fabio Mattei, councillor, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

GIVEN the complaints presented pursuant to art. 77 of the Regulation against L'Igiene Urbana Evolution s.r.l.;

HAVING EXAMINED the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

RAPPORTEUR Guido Scorza, lawyer;

PREMISE

1. Complaints against the Company.

On 24 October 2022, some employees of L'Igiene Urbana Evolution s.r.l. (hereinafter, the Company) lodged a complaint with the Authority, complaining that, starting from February 2022, in order to access the construction site located in Ardea, where the employees' work activities take place, and to ascertain their presence in the workplace, it was necessary to use a biometric detector based on facial recognition.

According to the documentation, including photographs, attached to the complaints, the processing was carried out using the “Face Deep 3 – Smart Face Recognition System” device, produced by Anviz Global.

According to the complaint, the processing of biometric personal data would be "illegitimate", also taking into account that its purpose "could equally be achieved with means less invasive of the worker's personal sphere".

2. The preliminary investigation activity.

The Authority delegated the Special Privacy and Technological Fraud Unit of the Financial Police to carry out inspections pursuant to arts. 157 (Request for information and production of documents) and 158 (Inspections) of the Code.

On 19 January 2023, the Unit, together with Authority personnel, went to the construction site located in Ardea, where they recorded the following declarations:

"the following companies operate within the industrial storage site: L'Igiene Urbana Evolution s.r.l., Airone consortium company a r.l., Blue Work s.r.l., which operate as a joint venture for the waste management of the Municipality of Ardea" (inspection report 19/ 1/2023, p. 2);

"inside a room adjacent to the vehicle fleet there is an employee recognition device based on facial biometrics [...]. The system is used to record attendance by approximately 63 employees of the companies [working on the construction site] plus any seasonal workers or temporary substitutes" (minutes cited, p. 3);

"the employee registration phase, carried out over a period of a few months, was carried out by entering the employee code (ID) associated with the name, based on a list provided by the company itself. Once this ID was entered, the employee's face was recognized [...] and the system validated the registration" (minutes cit., p. 3);

"in the room where the device is present there are always signature sheets which are used as an alternative to facial recognition, in the event of a malfunction of the device" (minutes cited, p. 3);

during the investigation, the inspectors verified that "the device is functional and connected to the network [...]. By logging in with the Admin credentials, as reported in the user manual and not changed during installation, the data relating to clocking in and user details were exported and the internal database was backed up" (minutes cit., p. 3);

the JuniorWeb application was also accessed, "through which employee attendance is managed, as recorded via the facial recognition device. The data were exported, including those of dismissed employees, and it was verified that the system shows 3 additional companies (DMT, IGNEVO, UNICA srl) and 17 additional cost centers" (report cit., p. 3);

"the companies that manage the system are the three previously indicated, part of the ATI, and [...] the system was installed by Igiene Urbana Evolution" (minutes cited, p. 4).

On 26 January 2023, during the inspection carried out at the administrative headquarters of L'Igiene Urbana Evolution s.r.l., the Company declared that:

“the Temporary Business Association (ATI) was established in January 2020 […]. Currently the ATI is made up of the companies: Igiene Urbana Evolution and Blu Work. […] In March 2021, for the sole purpose of operational management of the order, the companies L'Igiene Urbana Evolution and Blu Work established the Airone consortium company a r.l.” (inspection report 26/1/2023, p. 3);

“The biometric attendance detection device in Ardea was installed by the parent company also in light of numerous disciplinary proceedings […] relating to delays, absences, interruptions and abandonment of the service […] as well as of the numerous related disputes and judgments on claims for overtime compensation, taking into account that the waste collection and transport service is an essential public service [...]. The system was also deemed necessary as all the employees of the Ardea site were [...] hired [...] by virtue of a social clause" (minutes cit., p. 3);

the biometric system was activated "in December 2021 (first stamping on 27 December 2021) and the number of data subjects, employees of the [Company], is currently 37" (minutes cited, p. 3);

"other employees of Blu Work and Airone are present on the site" (minutes cit., p. 3);

in addition to the biometric device installed at the Ardea construction site, the Company has installed other "9 biometric devices, reserving the right to produce a specific statement" (minutes cited, p. 4);

"the company, on the basis of the declaration and certification of conformity of the biometric device issued by the manufacturer «Anviz Global Inc.», attached to the product supplied by the service company UNICA srls, in which it was declared that the device was fully compliant with the GDPR, believed it could use the device pursuant to Art. 9(2)(b) of the Regulation” (minutes cited, p. 4);

"in March 2021, the company formalized, with the company Unica srls, the purchase of the attendance detection devices, which were physically installed by DM Technology srl by virtue of a previous service and maintenance contract" (report cit., p. 4);

in relation to the processing of biometric data, the Company did not designate any data processors, did not carry out an impact assessment and did not provide "specific information on the processing of biometric data" (minutes cited, p. 5);

the processing of biometric data was not recorded in the register of processing activities (minutes cited, p. 5; the register dated 29/12/2021 is in Attachment 5).

On 27 January 2023, inspection activities continued at the administrative headquarters of L'Igiene Urbana Evolution s.r.l. On this occasion the Company further stated that:

“UNICA srls is the company that provides administrative, organizational and technical consultancy activities” for the Company (inspection report 27/1/2023, p. 2);

“the biometric devices reported in the invoices […] are the totality of the devices purchased from the aforementioned service provider (13 devices in total). Following the purchase, UNICA srls, pursuant to the «Agreement for construction site consultancy/professional assistance» [...] gave [the Company] the opportunity to benefit from the 10 devices mentioned in yesterday's report. The aforementioned devices were then installed [...] by the DM Technology company” (minutes cited, p. 2);

the Company provided "the statement regarding the different installation locations of the devices (Annex 3)" (minutes cited, p. 2);

“all biometric devices […] have been deactivated as a precaution” (minutes cited, p. 2);

"the functioning of the presence detection at the 9 sites indicated [...] is identical" to that envisaged for the Ardea construction site (minutes cited, p. 2);

“the devices are installed in order to carry out attendance detection through one-to-many comparison of the biometric template of the employees' faces and [...] Unica srls has provided the user manual for the same. Subsequently, the DM Technology technician trained the site manager on the use of the device" (minutes cit., p. 2);

during access to the Junior Web system with the Admin profile, "the clocking statement for the month of December 2022 was displayed, including the employees of different sites (indicated as CDC, cost centers). […] of all the cost centers displayed, only 10 refer to the company. The remaining CDCs refer to other companies, for which DM Technology provides assistance on the biometric detection devices" (minutes cited, p. 3);

"the biometric data of the data subjects reside exclusively in the device and are not accessible remotely, nor locally, except for deletion, which can only be carried out directly on the device" (minutes cited, p. 3);

“the accounts to access Junior Web are provided and managed by DM Technology, which also manages the device access accounts” (minutes cit., p. 3);

“probably the default password present on the device located in Ardea has been kept on many installed devices. For this type of credential there is no expiry, which is instead provided for Junior Web accounts" (minutes cit., p. 3);

“the devices located at the Igiene Urbana Evolution sites are connected to a server located at the company headquarters [...], for sending the data relating to clocking in. Devices located on the sites of other companies connect to respective and different servers. The data is then integrated by DM Technology, for viewing with the Admin profile” (minutes cit., p. 4);

“the device is equipped with a special “Bionano” algorithm to encrypt biometric data in a non-reversible way” (minutes cit., p. 4);

a copy of the declaration of compliance with data protection regulations by the supplier of the devices was provided (minutes cited, p. 4).

On 30 May 2023, in light of the declarations made during the previous inspections, an inspection was also carried out at the registered office of DM Technology s.r.l.

The latter stated that:

"of the three users assigned [by the device supplier], one user, used by DM, had an Admin profile, with the possibility of operating completely on the application and having visibility of the data of the 3 companies" (inspection report 30 May 2023, p. 3 );

"once the use of the FD3 devices was fully operational, DM provided assistance on Junior Web for Unica, Igiene Urbana and DM itself [...] through [the user provided by the supplier] it was possible to see the clocking data of the cost centers belonging to Unica, Igiene Urbana Evolution and DM" (minutes cited, p. 3).

3. The initiation of the procedure for the adoption of corrective measures and the Company's submissions.

On 13 September 2023, the Office notified the Company, pursuant to Article 166(5) of the Code, of the alleged violations of the Regulation found, with reference to Articles 5(1)(a), 9(2), 13, 28, 30, 32 and 35 of the Regulation.

In its defence briefs sent on 13 October 2023, the Company stated that:

a. the Company found "during 2021 a heavy worsening of the phenomenon of absenteeism, notably accompanied by fraudulent clockings which attested to the presence on duty of employees who, in reality, did not regularly perform their services: this is an issue that has given rise to a considerable burden, due to the social clause provided for in Art. 6 of the National Collective Labor Agreement for Environmental Hygiene”;

b. “the matter has been the subject of a heated labor dispute […]. These appeals concerned the request for recognition of salary differences for alleged hours of overtime worked [...] but which, in truth, the undersigned did not believe had ever actually been carried out. Furthermore, the proceedings had negative outcomes precisely because the undersigned was unable to verify with certainty the actual working hours worked by the appellants (as paper time sheets were used)";

c. “The ordinary enforcement tools adopted for this purpose proved completely ineffective. It is in this context that, in the exercise of the physiological prerogatives of organization and control over the regular performance of services, for defensive purposes, it was decided to adopt measures which, in full respect of workers' rights, would allow a distortive phenomenon to be eliminated at its root";

d. “the adoption of an attendance detection system using facial recognition was achieved by contacting the [device supplier company], which markets a system implemented by a leading company on the market (Anviz Global), whose application (Face Deep 3 – Smart Face Recognition System) was presented as a tool fully consistent with the constraints deriving from compliance with the legislation on the protection of workers' personal data";

e. “It should also be specified that, in the report dated 19/01/2023, in relation to the content of the back-up of the DB internal to the device acquired by the inspectors, the indication “stampings and user records” must, indeed, be understood as referring to a mere numerical code (corresponding to each worker) associated with the stamping date and time. […] the encrypted biometric templates, acquired during the enrollment phase […], were associated with the aforementioned numerical codes, without any storage in the device of the name and surname of the data subjects”;

f. “the biometric data resides exclusively in the device and cannot be accessed remotely or locally, […]”;

g. "the system is set up in such a way as to limit access to the encrypted data only to personnel in possession of specific authorization credentials [...] The observation regarding the weakness of the password for accessing the device application remains, and is certainly well founded";

h. "in any case, staff have always been guaranteed the possibility of not using the facial recognition application, replacing it with attendance sheets [...], as in the case, for example, of malfunction or non-activation of the devices";

i. "immediately after the inspection, the processing was suspended [...], a privacy consultant was appointed, the procedure for the disposal of said biometric devices was identified, consisting of: dismantling, storage in protected premises pending the conclusion of this proceeding [...] and, at the end of the proceeding, deletion of the data present on the devices; return to the supplier company; closure of the Junior Web account, the software necessary to use the devices";

j. “while considering the principle referred to in Art. 24 of the GDPR and the related obligations in terms of accountability, it does not appear that the circumstance that the company turned to a market-leading supplier company, which had given full guarantees in terms of general information on the conformity of the product, emphasizing in particular the element of data encryption and its non-reversibility";

k. “Finally, as regards the number of data subjects involved, it should be noted that, as regards the Ardea site, there were approximately 37 employees (belonging to the three different companies forming part of the ATI) and that the same applies at each of the 9 sites involved, counting only the workers employed there, for a total of 218 (the figure cited in the notice, of 288, is the result of an incorrect count which also takes into account duplicate positions, as we tried to explain and document during the inspection)”;

l. “in the period between 2021 and 2022, the Company incurred significant expenses due to the impact of the Covid-19 pandemic, specifically connected to the huge costs of managing personnel and sanitizing work environments; [...] the imposition of burdensome financial sanctions could have significant economic and financial impacts on company activities, with inevitable negative repercussions also on the already burdensome and complex management of personnel in the difficult working context in which the undersigned operates".

During the hearing requested by the Company, held on 4 December 2023, it further argued, among other things, that:

a. "with respect to the requests made by the workers in the complaints presented to the Authority, following the inspection the Company immediately ordered the precautionary suspension of the processing carried out up to that point via the facial recognition system";

b. “the facial recognition system had been used because the legal basis had been interpreted, even erroneously”;

c. “although the Company has not fulfilled all the obligations imposed by data protection legislation, it has taken into account the security of the data, adopting the maximum security measures required”;

d. “Igiene Urbana and DM Technology did not delete the data while awaiting the conclusion of the procedure and in view of further checks by the Authority. However, a procedure has already been established for the deletion of the data collected with the facial recognition system, which will be activated as soon as the procedure before the Authority is concluded".

4.1. Violation of Articles 5(1)(a) and 9 of the Regulation in relation to the processing of data of its employees.

Upon examination of the declarations made to the Authority during the proceedings and of the documentation acquired, it appears that the Company, as controller, carried out some processing operations, relating to the complainants, which do not comply with the relevant rules on the protection of personal data. In this regard, it is noted that, unless the act constitutes a more serious offence, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to Art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor").

On the merits, following the preliminary investigation, it was ascertained that the Company used a biometric system based on facial recognition from December 2021 (the date on which the system was activated, according to the Company's declarations; it did not, however, clarify on which date the employee registration activities, with the consequent data processing, began) until January 2023, when the system was deactivated "as a precaution" following the start of the Authority's assessment activity.

The use of the biometric system, aimed at detecting the presence of employees on duty, was prompted, according to the declarations, by the multiplication of "absenteeism" phenomena and of disputes brought against the Company by workers relating to "claims for overtime compensation". Furthermore, according to the Company, the adoption of the biometric system was also necessary because "all the employees of the Ardea site were [...] hired [...] pursuant to a social clause", with the consequent impossibility for the employer to choose the other parties to the employment contract.

The processing involved a significant number of data subjects, considering that, during the investigation, it emerged that the Company used the same type of biometric detector not only at the Ardea site but also at a further 9 sites where it carries out its activity (see minutes 27/1/2023, p. 2).

In particular, based on the "table regarding the different installation locations of the devices" provided by the Company, which includes the number of its employees at each location, it emerges that the processing involved a total of 288 workers (see minutes cit., Annex 3).

Even subtracting the 12 workers at the site in the Municipality of Ravello, whose device was "assembled [but] never put into operation", as indicated in the table (without, however, specifying whether or not data collection took place, which is in any case a processing operation), there would be a total of 276 employees, i.e. a significant number of data subjects involved in the processing of biometric data.

Furthermore, contrary to what is claimed in the defence briefs, during the proceedings the Company did not indicate or document the existence of the alleged "duplicate positions", on the basis of which the total number of people affected by the biometric detection would instead amount to 218 employees; in any case, this number is also significant.

As a preliminary point, it is noted that, as clarified by the Authority, biometric data are processed both in the registration phase (so-called enrollment), consisting in the acquisition of the biometric characteristics of the data subject (in this case, facial features; see points 6.1 and 6.2 of Annex A to the provision of the Guarantor of 12 November 2014, no. 513, at www.garanteprivacy.it, web doc. no. 3556992), and in the biometric recognition phase, when attendance is recorded (see also point 6.3 of Annex A to the aforementioned provision).

Therefore, even where only the so-called template is extracted, biometric data are processed, with the consequent application of the specific rules laid down by law.

In this regard, under data protection law the processing of biometric data (generally prohibited under Art. 9(1) of the Regulation) is permitted only where one of the conditions set out in Art. 9(2) of the Regulation applies and, with regard to processing carried out in the employment context, only when the processing is "necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject" (Art. 9(2)(b) of the Regulation; see also Art. 88(1) and Recitals 51-53 of the Regulation).

Furthermore, the employer is required to apply the general principles of processing, in particular those of lawfulness, fairness and transparency, data minimization, and integrity and confidentiality (Art. 5(1)(a), (c) and (f) of the Regulation).

In application of these provisions, although, in the employment context, the purposes of recording employee attendance and verifying compliance with working hours may fall within the scope of Art. 9(2)(b) of the Regulation, the processing of biometric data is nonetheless permitted only "in so far as it is authorised by Union or Member State law [...] providing for appropriate safeguards for the fundamental rights and the interests of the data subject" (Art. 9(2)(b) and Recitals 51-53 of the Regulation).

Also taking into account Art. 2-septies of the Code (Safeguards for the processing of genetic, biometric and health data), under which such processing operations may be carried out in accordance with the safeguards established by the Guarantor (pursuant to Art. 9(4) of the Regulation), the legislation currently in force does not allow the processing of employees' biometric data for the purpose of detecting their presence on duty.

This was reiterated by the Guarantor with provisions no. 369 of 10 November 2022 (web doc. no. 9832838) and no. 16 of 14 January 2021 (web doc. no. 9542071).

The use of biometric data in the ordinary management of the employment relationship (such as attendance recording), for the declared purpose of addressing disciplinary offences, disputes over the payment of overtime compensation and the presence, at the site where the inspection took place, of personnel hired under the so-called social clause (although this last reason is not pertinent, also because the reasons for which the biometric system was adopted at a further 9 sites managed by the Company were not disclosed), is therefore not compliant with the principles of minimization and proportionality of processing (Art. 5(1)(c) of the Regulation).

Given, in this regard, that the Company did not describe (or document during the proceedings) which "ordinary enforcement tools" had actually been adopted and had proven "completely ineffective", measures that were useful for accounting for the actual hours worked and for verifying the presence of workers at the workplace, but less invasive of the rights of the data subjects, could have been adopted (e.g. automated checks using badges, direct checks, etc.).

The proportionality assessment of the processing of biometric data consisting of facial recognition should also have taken into account the risks to the rights and freedoms of the data subjects connected with the use of this particular biometric technology, as recognized both in national law and at European level (see Decree-Law no. 51 of 10 May 2023, converted into Law no. 87 of 3 July 2023, which, with Art. 8-ter, extended to 31 December 2025 the suspension of the installation and use of video surveillance systems with facial recognition "in public places or places open to the public, by public authorities or private entities", in order to "regulate the eligibility requirements, conditions and guarantees relating to the use of facial recognition systems in compliance with the principle of proportionality provided for in Article 52 of the Charter of Fundamental Rights of the European Union"; see also: European Data Protection Board, Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement, adopted on 26/7/2023, esp. points 17, 34 and 35 on the risks of facial recognition; Guidelines 3/2019 on the processing of personal data through video devices, adopted on 29 January 2020, esp. points 4 and 73; see also the provision of 10 February 2022, no. 50, web doc. no. 9751362, adopted, albeit in a different context, regarding facial recognition).

Finally, the fact that the manufacturer and supplier of the facial recognition devices (parties who must in any case take account of the right to data protection: see Recital 78 of the Regulation) had produced a "declaration and certification of conformity of the biometric device [...], in which it was declared that the device was fully compliant with the GDPR" (see inspection report 26/1/2023, p. 4), cannot eliminate the Company's liability, given that the controller, under Art. 5(2) of the Regulation and the so-called accountability principle, "shall be responsible for, and be able to demonstrate compliance with" the general principles of processing, with regard to the obligations incumbent on it (Art. 24 of the Regulation).

This also taking into account that the Authority has, even recently (as mentioned above), expressed its position on the legal bases and principles applicable to the processing of biometric data in the employment context, publishing the decisions adopted on the matter on its institutional website.

Therefore, the controller, before proceeding to use devices made by third parties, should have verified that the related processing operations complied with the applicable principles.

Finally, it is noted that the possibility of using signature sheets was not an alternative, as argued by the Company, to the use of the facial recognition device, given that, on the basis of the documentation on file, employees could use them only in the event of a malfunction of the biometric devices.

However, even if a non-biometric detection system had been made available to workers as an alternative to the biometric one, the processing carried out would still not have complied with the data protection rules in the terms set out above, and in practice would have proven unnecessary with respect to the declared aim of overcoming the problems linked to the use of signature sheets to certify presence at the workplace.

For the above reasons, the processing of its employees' biometric data carried out by the Company appears to have taken place in the absence of an appropriate legal basis, in violation of Articles 5(1)(a) and 9 of the Regulation.

4.2. Violation of Articles 5(1)(a) and 9 of the Regulation in relation to the processing of data of employees of other companies.

As a result of the access to the system and the examination of the documentation on file, it also emerged that the list of employees subject to presence verification via the biometric detection system was, until its suspension, a single list for the three companies operating at the Ardea site (in addition to the Company, also Airone consortium company a r.l. and Blue Work s.r.l.), each of which provided the list of its own employees to be verified.

In fact, the paper signature sheet, the attendance log extracted from the JuniorWeb application and the data exported from the Anviz device, all on file, present a list shared between the three companies, in which the company to which each person belongs is indicated next to each name (see inspection report 19/1/2023, Annex 1 [Attendance Journal January 2023 - report generated by Junior Web, and signature sheets dated 19/1/2023], Annex 2 [tables with the export of data extracted from the device] and Annex 3 [screenshot of access to the data contained in the device]).

From the documentation acquired during the inspection, it also emerged that the overall processing carried out by the system also concerned the employees of Unica s.r.l.s. and DM Technology s.r.l. (see inspection report 27/1/2023, Attachment 6, "Total employee export table", containing the list of stampings carried out as of 27/1/2023 relating to the employees of L'Igiene Urbana Evolution s.r.l., Airone consortium company a r.l., Blue Work s.r.l., Unica s.r.l.s. and DM Technology).

Therefore, the Company also processed data relating to the presence on duty of the employees of Airone consortium company a r.l., Blue Work s.r.l., Unica s.r.l.s. and DM Technology s.r.l., taken from the biometric attendance recording system, likewise in the absence of any of the applicable conditions among those provided for by Art. 9(2) of the Regulation.

The processing operations described therefore took place in violation of Articles 5(1)(a) and 9 of the Regulation.

4.3. Violation of Articles 5(1)(a) and 13 of the Regulation.

The Guarantor has repeatedly reiterated that the employer, in application of the principle of transparency, is in any case obliged to inform its employees and collaborators of the essential characteristics of the processing carried out during the employment relationship, as well as of the tools through which the processing is carried out, in accordance with what is specifically indicated in Art. 13 of the Regulation.

This also considering that, in the context of the employment relationship, the obligation to inform the employee is also an expression of the duty of fairness (Art. 5(1)(a) of the Regulation).

In the present case, it emerged that the Company failed to provide any information on the characteristics of the processing of biometric data through facial recognition (see minutes 26/1/2023, p. 5, where the Company declared that it had not provided any "specific information on the processing of biometric data").

This resulted in the violation of Articles 5(1)(a) and 13 of the Regulation.

4.4. Violation of Article 28 of the Regulation.

Under the Regulation, the controller, in the context of the technical and organizational measures it is required to prepare, including from a security standpoint (Articles 24 and 32 of the Regulation), may make use of a processor to carry out certain processing activities, giving it specific instructions (see Recital 81 of the Regulation).

In this case, the controller "shall use only processors providing sufficient guarantees to implement appropriate [technical and organisational] measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject" (Art. 28(1) of the Regulation).

Pursuant to Art. 28 of the Regulation, the controller may therefore entrust processing to external parties, provided that it regulates the relationship adequately by means of a contract (or other legal act) and gives instructions regarding the main characteristics of the processing.

The processor is therefore entitled to process the data subjects' data "only on documented instructions from the controller" (Art. 28(3)(a) of the Regulation) and within the specific limits defined by the controller.

The Company, while making use of the services provided by DM Technology s.r.l. in relation to the management of the Junior Web application, in a manner that allowed DM Technology access to employee data relating to attendance recording and related processing (see inspection report 30/5/2023 at DM Technology s.r.l., p. 3; see Maintenance Agreement dated 28/10/2020, signed by DM Technology and L'Igiene Urbana, Annex 2 to the inspection report 27/1/2023), did not designate that company as processor, as provided for by Art. 28 of the Regulation (see minutes 26/1/2023, p. 5).

Furthermore, it emerged that the Company made use of the "consultancy, assistance and compliance with labor law" services provided by Unica s.r.l.s. on the basis of an agreement between the parties (see "Consultancy agreement on employment/professional assistance", dated 28/12/2020), which expressly provides for activities such as the preparation of sickness, maternity and holiday settlement statements and the processing of printouts for union withholdings, which necessarily involve the processing of personal data of the controller's employees.

Also in relation to this activity, the Company did not designate the service provider as processor, as instead provided for by Art. 28 of the Regulation.

It is noted that, during the proceedings, the Company produced a copy of the designation of DM Technology s.r.l. and Unica s.r.l.s. as processors for the personal data processed in performance of the agreements between the parties, adopted on 1/6/2023 (see defence briefs of 13/10/2023, Annexes 5 and 6).

For the above reasons, and within the terms set out above, the Company has therefore violated Article 28 of the Regulation.

4.5. Violation of Article 35 of the Regulation.

Under Article 35 of the Regulation, where a type of processing, "in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons", the controller is required to carry out a data protection impact assessment before starting the planned processing.

In this regard, Guidelines WP 248rev.01 of 4 April 2017 ("Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation (EU) 2016/679") identify, among the criteria requiring the controller to carry out an impact assessment and relevant to this case: the processing of "sensitive data", which includes biometric data (see Chapter III, B, no. 4); processing concerning "vulnerable" data subjects (e.g. employees; see Chapter III, B, no. 7); and processing that involves the "innovative use or [the] application of new technological or organisational solutions" (see Chapter III, B, no. 8).

Further guidance was provided by the Garante's decision of 11 October 2018, No. 467 ("List of the types of processing subject to the requirement for a data protection impact assessment under Article 35(4) of Regulation (EU) 2016/679", in the Official Journal, General Series No. 269 of 19 November 2018, esp. nos. 6 and 7), albeit with reference to cross-border processing.

Despite having adopted a biometric authentication system to record the attendance of its employees at all the sites where they work, the Company did not carry out an impact assessment before starting the processing, thereby violating, within the terms set out above, Article 35(1) of the Regulation.

4.6. Violation of Articles 30 and 32 of the Regulation.

Under Article 30 of the Regulation, the controller is required, under its own responsibility, to indicate in its record of processing activities the categories of personal data processed (Article 30(1)(c) of the Regulation).

As the Authority has clarified, the record is one of the main accountability tools of the controller, since it provides an up-to-date picture of the processing operations carried out within its organisation, which is essential for, and therefore preliminary to, any risk assessment or analysis.

The record must be kept in writing, including in electronic form, and must be made available to the Garante on request (see the FAQs on the record of processing activities published by the Garante on its institutional website in October 2018, web doc. no. 9047529).

In the present case, it emerged that the record of processing activities dated 29/12/2021 does not list biometric data among the types of data processed by the controller (see minutes of 26/1/2023, Annex 5).

This violates Article 30 of the Regulation.

Furthermore, when the Anviz terminal used for clocking in after facial recognition was accessed during the inspection, it emerged that the authentication credentials for the Admin profile were those printed in the user manual (the default user ID "0" and password "12345") and had never been changed since installation in December 2021.

According to the Company's statements, other devices, in addition to the one installed at the Ardea site, had also kept the same factory credentials required for first access (see inspection reports of 19/1/2023, p. 3, and 27/1/2023, p. 3).

This made it possible to access the information stored on the terminal simply by consulting the device's user manual, which is also readily available on the Internet, or in any case by typing the first five digits in ascending order (see Annex 2 to the inspection report of 19/1/2023, containing photographic documentation of the accesses carried out, esp. IMG_20230119_103040943.jpg).

This conduct does not comply with Article 32 of the Regulation, under which the controller must implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk", ensuring "the ongoing confidentiality" of the personal data processed, taking into account "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons".

The Company has therefore also violated Article 32 of the Regulation.
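As an added example, not part of the Garante decision and not code from any device vendor, the following Python script shows the kind of inventory check an internal audit could have run over the clocking terminals before the inspection did: it flags accounts that still carry the factory defaults documented in the public manual, passwords never changed since installation, and trivially sequential passwords such as the one found. The inventory records, the second vendor and every value other than the Admin user ID "0" and password "12345" reported in the decision are constructed for illustration.

```python
"""Audit a terminal-credential inventory for unchanged factory defaults.

Added example (not from the decision or any vendor). The only values taken
from the decision are the Anviz Admin default user ID "0" and password
"12345" that the inspectors read from the manual; everything else below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed default-credential list keyed by vendor and account profile.
# The Anviz entry reproduces the values the decision reports from the manual;
# "genericco" is a hypothetical second vendor showing how the list grows.
FACTORY_DEFAULTS = {
    "anviz": {"admin": [("0", "12345")]},
    "genericco": {"admin": [("admin", "admin")]},
}

MIN_SEQUENCE_LEN = 4   # shortest digit run treated as a trivial sequence
MIN_PASSWORD_LEN = 8   # local policy assumption, not a regulatory figure


@dataclass
class Terminal:
    site: str
    vendor: str
    role: str                        # account profile on the device
    user_id: str
    password: str
    installed: date
    password_changed: Optional[date] = None   # None means never changed


def is_digit_run(s: str) -> bool:
    """True for consecutive digits in one direction, e.g. "12345" or "9876"."""
    if len(s) < MIN_SEQUENCE_LEN or not s.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_factory_default(t: Terminal) -> bool:
    """True when the stored user ID / password pair matches a documented default."""
    defaults = FACTORY_DEFAULTS.get(t.vendor.lower(), {}).get(t.role.lower(), [])
    return (t.user_id, t.password) in defaults


def audit_terminal(t: Terminal) -> list[str]:
    """Return the list of weaknesses found for one terminal account."""
    findings = []
    if is_factory_default(t):
        findings.append("factory default credentials (documented in the public manual)")
    if t.password_changed is None:
        findings.append(f"password never changed since installation on {t.installed.isoformat()}")
    if is_digit_run(t.password):
        findings.append("password is a consecutive digit sequence")
    if len(t.password) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def audit(terminals: list[Terminal]) -> dict[str, list[str]]:
    """Map 'site/vendor/role' to its findings; an empty list means clean."""
    return {f"{t.site}/{t.vendor}/{t.role}": audit_terminal(t) for t in terminals}


# Constructed inventory: the first record mirrors the situation the decision
# describes; the other two are hypothetical comparison cases.
SAMPLE_TERMINALS = [
    Terminal("Ardea", "anviz", "admin", "0", "12345", date(2021, 12, 1)),
    Terminal("Milano", "anviz", "admin", "0", "Qz7!mR2w", date(2021, 12, 1), date(2022, 3, 14)),
    Terminal("Pomezia", "genericco", "admin", "1", "9876", date(2022, 1, 10), date(2022, 1, 10)),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_TERMINALS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{key}: {status}")
```

The script does not connect to any device; in practice the inventory would be populated at commissioning, preferably by recording whether a login with the documented default still succeeds rather than by storing the clear-text password, and the default list maintained from vendor documentation. The point of the "never changed" check is that a default credential is a problem even when the vendor's value is not yet in the list.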

5. Conclusions: declaration of unlawfulness of the processing. Corrective measures under Article 58(2) of the Regulation.

For the above reasons, the Authority considers that the statements, documentation and reconstructions provided by the controller during the investigation do not overcome the findings notified by the Office in the act initiating the proceedings, and are therefore not such as to allow this proceeding to be dismissed, since none of the cases provided for in Article 11 of Garante Regulation No. 1/2019 applies.

The processing of personal data carried out by the Company, and in particular the processing of biometric data (facial recognition) of its own employees and those of other companies for the purpose of recording attendance, is therefore unlawful, within the terms set out above, under Articles 5(1)(a), 9, 13, 28, 30, 32 and 35 of the Regulation.

The violation, established within the terms set out in the reasoning, cannot be considered "minor", given its nature, which concerned the general principles and the conditions of lawfulness for processing special categories of data, as well as its seriousness, the degree of responsibility and the manner in which the supervisory authority became aware of it (see Recital 148 of the Regulation).

The Authority nonetheless acknowledges that, according to its declarations made under its own responsibility, the Company suspended the biometric data processing after the start of the inspection and adopted a "procedure for the disposal of biometric devices" which provides, among other things, that the data stored on the devices will be deleted at the end of the proceedings initiated by the Garante (see defence briefs of 13/10/2023).

Therefore, having regard to the corrective powers conferred by Article 58(2) of the Regulation, the proceedings are concluded solely with the imposition of an administrative fine under Article 83 of the Regulation, commensurate with the circumstances of the case (Article 58(2)(i) of the Regulation).

6. Adoption of the injunction order imposing the administrative fine and ancillary sanctions (Articles 58(2)(i) and 83 of the Regulation; Article 166(7) of the Code).

At the end of the proceedings, L'Igiene Urbana Evolution s.r.l. is found to have violated Articles 5(1)(a), 9, 13, 28, 30, 32 and 35 of the Regulation. For violations of these provisions, the administrative fine provided for by Article 83(4)(a) and Article 83(5)(a) and (b) of the Regulation applies, by way of an injunction order (Article 18 of Law No. 689 of 24 November 1981).

Since Article 83(3) of the Regulation must be applied, which provides that "[i]f a controller [...] intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the total amount of the fine is calculated so as not to exceed the legal maximum provided for by Article 83(5).

With regard to the elements listed in Article 83(2) of the Regulation for the purposes of imposing and quantifying the administrative fine, and bearing in mind that the fine must "in each individual case be effective, proportionate and dissuasive" (Article 83(1) of the Regulation), the following circumstances were taken into account in this case:

a) as to the nature, gravity and duration of the violation, the nature of the violation weighed against the Company, as it concerned the general principles and the conditions of lawfulness of processing, and the processing of special-category biometric data by means of facial recognition technology;

b) the duration of the violation, which lasted more than a year, and the significant number of data subjects involved also weighed against the Company;

c) as to the intentional or negligent character of the violation and the degree of responsibility of the controller, the Company's conduct and degree of responsibility were considered, since it failed to comply with data protection rules in respect of several provisions;

d) in the Company's favour, its cooperation with the supervisory authority and its decision to suspend the processing after the start of the inspection were taken into account.

Having regard to the principles of effectiveness, proportionality and dissuasiveness which the Authority must observe in determining the amount of the fine (Article 83(1) of the Regulation), the following were also considered relevant in this case: first, the economic conditions of the offender, determined on the basis of the Company's revenue as shown in its ordinary financial statements for the 2022 financial year; and finally, the level of fines imposed in similar cases.

In light of the above elements and assessments, it is considered appropriate in this case to impose on L'Igiene Urbana Evolution s.r.l. an administrative fine of EUR 70,000 (seventy thousand).

In this context, given the type of violations established, which concerned the general principles and conditions of lawfulness of processing, it is also considered that this decision must be published on the Garante's website pursuant to Article 166(7) of the Code and Article 16(1) of Garante Regulation No. 1/2019.

It is also considered that the conditions set out in Article 17 of Regulation No. 1/2019 are met.

HAVING REGARD TO THE ABOVE, THE GARANTE

declares unlawful the processing carried out by L'Igiene Urbana Evolution s.r.l., in the person of its legal representative, with registered office at Via Roberto Lepetit 8/10, Milan (MI), tax code 11277540966, pursuant to Article 143 of the Code, for the violation of Articles 5(1)(a), 9, 13, 28, 30 and 32 of the Regulation;

ORDERS

L'Igiene Urbana Evolution s.r.l., pursuant to Article 58(2)(i) of the Regulation, to pay the sum of EUR 70,000 (seventy thousand) as an administrative fine for the violations indicated in this decision;

ENJOINS

the same Company to pay the aforementioned sum of EUR 70,000 (seventy thousand), in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted pursuant to Article 27 of Law No. 689/1981. The offender remains entitled to settle the dispute by paying, again in the manner indicated in the annex, an amount equal to half of the fine imposed, within the deadline set by Article 10(3) of Legislative Decree No. 150 of 1 September 2011 for lodging the appeal indicated below (Article 166(8) of the Code);

PROVIDES FOR

the publication of this decision on the Garante's website pursuant to Article 166(7) of the Code and Article 16(1) of Garante Regulation No. 1/2019, and considers that the conditions set out in Article 17 of Regulation No. 1/2019 are met.

Requests L'Igiene Urbana Evolution s.r.l. to communicate what steps have been taken to delete the biometric data stored on the devices and to provide adequately documented feedback pursuant to Article 157 of the Code within 90 days of notification of this decision; failure to respond may result in the administrative fine provided for by Article 83(5)(e) of the Regulation.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree No. 150/2011, this decision may be challenged before the ordinary judicial authority by lodging an appeal with the ordinary court of the place identified in that Article 10, within thirty days of communication of the decision, or sixty days if the appellant resides abroad.

Rome, 22 February 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE GENERAL SECRETARY
Mattei