Garante per la protezione dei dati personali (Italy) - 9861249

From GDPRhub
Garante per la protezione dei dati personali - no. 9861249
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 13 GDPR
Article 28 GDPR
Article 35 GDPR
Type: Complaint
Outcome: Upheld
Started: 16.02.2021
Decided: 15.12.2022
Published:
Fine: 50,000 EUR
Parties: Giessegi Industria Mobili S.p.A.
National Case Number/Name: no. 9861249
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (Italy) (in IT)
Initial Contributor: mg

The Italian DPA fined a controller €50,000 for several violations concerning a geolocation device installed in the car of a third company's employee.

English Summary

Facts

The controller (Giessegi Industria Mobili S.p.A.) was in a contractual relationship with a processor (Verizon Connect Italy S.p.A.) providing geolocation devices. The controller installed geolocation devices to track vehicles delivering goods on its behalf. These vehicles were not directly owned by the controller, but rather by a third company to which the controller outsourced certain services. The data subject was a driver employed by this third company and had no direct contractual relationship with the controller.

After the termination of the agreement with the processor, the controller phased out the devices. However, the controller forgot to remove one of them, which was subsequently found by the data subject in the engine of their car. It must be stressed that when the data subject found the device, the contract between Giessegi and the data subject's company was no longer in place either.

Giessegi claimed that the geolocation devices were associated with car plates and not with individuals. As the controller did not know who the driver was, geolocation data could not be considered personal data under the GDPR. The Italian DPA started an investigation concerning potential violations of Articles 5(1)(a), 6, 13, 28(1) and 35 GDPR.

Holding

The Italian DPA rejected the controller's argument and clarified that “personal data” refers not only to an identified person, but also to an identifiable one, like in the case at issue. Giessegi was the controller, as it determined purposes and means of the processing. The Italian DPA then identified a number of violations.

In the first place, Giessegi violated Articles 5(1)(a) and 13 GDPR, as it did not provide the data subject with a proper privacy policy.

Article 28 GDPR was also infringed, as no controller-processor agreement existed between Giessegi and Verizon.

With regard to the time after the end of the agreement between Giessegi and the company employing the data subject, there was also a violation of Article 6 GDPR. Geolocation devices were installed to monitor the performance of the contract between Giessegi and the data subject's delivery company. However, the controller could no longer rely on Article 6(1)(b) after the termination of such an agreement. Therefore, it processed personal data without any legal basis.

Finally, the DPA identified a violation of Article 35 GDPR. As a matter of fact, no DPIA was in place. Referring to the Article 29 WP guidelines, the DPA claimed that location data are “highly personal” and that employees are vulnerable data subjects. As a consequence, the controller should have applied Article 35 GDPR.

In light of the above, the Italian DPA used its corrective powers under Article 58(2)(c) and 83 GDPR and fined the controller €50.000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9861249]

Injunction against Giessegi Industria Mobili S.p.A. - December 15, 2023

Register of measures
no. of 15 December 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

CONSIDERING the complaint presented pursuant to art. 77 of the Regulation dated 16 February 2021 by Mr. XX against Giessegi Industria Mobili S.p.A.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

RAPPORTEUR: the lawyer Guido Scorza;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint dated February 16, 2021, Mr. XX alleged that Giessegi Industria Mobili S.p.A. (hereinafter, the Company) had processed personal data relating to him in violation of the Regulation, by installing a device capable of detecting geographical position inside the vehicle with which the complainant delivered goods on behalf of the Company.

In particular, the complainant represented that he had "found a locator device marked Visirun no. serial number 30006717" which was active "at least on 12/09/2020". The aforementioned device was allegedly installed without any information being provided and without a "valid expression of consent", in the context of the employment relationship with the Company up to the date of 13 May 2019.

The Company, in responding to the Authority's request for information dated November 30, 2021, with a note dated December 29, 2021 (and related attachments), stated that:

a. "during 2016 [...] Giessegi took care to make available to the transport companies with which it collaborated, including that of the [complainant], geolocation devices capable of providing a better understanding of the mileage contributed by the latter, given essential for verifying the adequacy of the fees due to the carrier" (note 12/29/2021, p. 1);

b. "by virtue of this objective [the company] stipulated a supply contract with Visirun spa [...] on 02/03/2016. The contract envisaged the sending of the devices to Giessegi, which then took care of delivering them to the individual carriers, and the provision of a personal web user for viewing the data relating to them" (note cit., p. 1);

c. "the device, taken over by the transport companies, was then installed by them in the manner and timing most congenial to them" (note cit., p. 1);

d. "in November 2020 the [company] interrupted its commercial relations with Visirun" (cited note, p. 1);

e. the company “was required to return the devices received from Visirun or to redeem them. The correspondence found shows that the device connected to the complainant's vehicle was not found" (note cit., p. 2);

f. with reference to the conditions of lawfulness of the processing "it is believed that in the present case the hypotheses referred to in lett. c) and f) [of art. 6 of the Regulation], since the collection of information relating to the mileage traveled on the vehicles on which the devices in question were installed was functional to the exact determination of the kilometers traveled by the subcontractor companies in execution of the transport contract, and therefore of the punctual fulfillment of the same by the client, with consequent legitimate interest of both Giessegi and the [complainant] in the processing and treatment of the aforesaid data [...], taking into account the fact that the hauliers were paid per «km travelled»" (cited note, p. 2);

g. "the collection of detailed information on the mileage made by the vehicles [...] were proportionate with the purposes represented by the company, since it was limited and functional information for the exact fulfillment of the collaboration contract with the subcontractors" (cited note, p. 2-3);

h. "there was the possibility for the transport company to access the same data held by Giessegi, exclusively referable to the devices installed in its vehicles, through the activation of an electronic user" (note cit., p. 3);

i. "the indicated device, although granted on free loan to the claimant, was never installed directly by Giessegi but by the claimant himself or by one of his representatives" (note cit., p. 3);

j. "considering the freedom granted to the complainant [...] we are unable to communicate the actual date of installation of the device" (cited note, p. 4);

k. “subjects appointed to determine the purposes and means of data processing were Giessegi as a whole as well as the transport company exclusively for the devices connected to it. The data were accessed by the shipping offices and a manager of the data processing group, as can be seen from the supplier privacy information made available by the company on its website" (note cit., p. 4);

l. the complainant was not provided with information "because the tool was not aimed at acquiring personal data, but only as a tool for calculating the km traveled by the vehicle for accounting purposes" (note cit., p. 5);

m. through a web application connected to the device it was possible to access the kilometers traveled with the possibility of extracting reports; "the collected data remained present but at the end of the relationship the company no longer had access to the portal" (note cit., p. 5);

n. "the security measures have not been adopted in the processing of the data provided by this device [...], except for the normal indications of corporate confidentiality by the persons in charge of acquiring the data of the total km traveled by the complainant's vehicle" (note cit., p. 5);

o. as part of the impact assessment carried out on 23 May 2018 pursuant to art. 35 of the Regulation, it was decided to "exclude any critical issues regarding the processing of such data" (note cit., p. 6).

With a subsequent note dated 26 May 2022, sent in response to a request for further information formulated by the Office (on 6/5/2022), the Company also declared that:

a. "considering the time of the facts and the interruption of any commercial relationship with the [...] complainant, which occurred in May 2019, it was not possible to trace the paper and/or digital documentation relating to the delivery of the device" (note 26/5/2022, p. 1);

b. "between the parties there was no employment contract as the complainant provided his transport services as an independent legal entity" (note cit., p. 1).

At the same time, the Authority initiated proceedings against Verizon Connect Italy S.p.A. (formerly Visirun S.p.A.), as supplier of the device found in the complainant's vehicle and of the connected location service.

The device and service supplier responded to the Authority's requests for information with notes dated 14 January and 25 May 2022.

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 13 July 2022, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a), 6, 13, 28, para. 1 and 35 of the Regulation.

During the hearing held on 9 November 2022 at the request of the Company, the latter stated that:

"the geolocation device [...] is necessary [...] both to count the kilometers traveled and to indicate to the driver the optimal route to follow to make the delivery";

"the company started using geolocation devices in 2016, before the application of EU Regulation 2016/679";

the Company "in 2018 proceeded to send Visirun, supplier of the localization service, the designation of data controller, as already represented to the Guarantor during the proceeding, however the supplier did not [...] send any feedback";

"with reference to the dispute referring to the persistent functioning of the device positioned on the complainant's vehicle even after the interruption of the employment relationship, it should be noted that in 2019 the company had decided to abandon the gps in use at that time for the will to switch to a new system that allows the check of the delivered packages. For this purpose, he had therefore begun to collect geolocation devices. In this phase, the employee in charge of the collection was unable to find the serial linked to the plate of the complainant, who, therefore, had not returned the device";

“GPS devices were linked to the vehicle license plate and not to the individual driver. Therefore, in most cases, the company does not know who is driving the vehicle and, in fact, the transport service on behalf of the company is carried out by "small owners" who alternate driving with several drivers";

"The company is carrying out an activity of adaptation to the GDPR and in this perspective it is available to modify both the information and the DPIA";

“The company will install gps devices using a different supplier exclusively on its own vehicles in order to fulfill legal obligations. For this purpose it is preparing adequate information and DPIA”;

"at the time of the fact that was the subject of the complaint, it was possible to deactivate the gps installed inside the engine compartment of the vehicles by disconnecting the power cables";

“the company is heavily penalized by the increase in the cost of electricity which heavily affects production costs”.

3. The outcome of the investigation.

3.1 The processing of data relating to the geographical location carried out by the company.

Examination of the statements made to the Authority during the proceeding and of the documentation acquired shows that the Company entered into a contract with Visirun S.p.A. (now Verizon Connect Italy S.p.A., hereinafter: Verizon) for the supply of geolocation services (in particular the "Light" service), with the prior installation of devices with geolocation functions on the vehicles used to transport goods on its behalf, for the declared purpose − in itself lawful − of being able to determine, with the help of a technological tool, the "exact determination of the kilometers traveled [...] in execution of the transport contract, and therefore of the punctual fulfillment of the same" as well as in order to "show the driver the optimal route to follow to make the delivery".

Based on the examination of the documentation acquired in the deeds, it emerges that the Company placed, during 2016, some orders to Visirun S.p.A. relating to the provision of localization services (respectively on 22/1, 8/2, 3/3, 5 and 9/5, 15/6 of 2016, "for the rental of a total of 76 geolocation devices [...] and related connected services. The last replacement order for a defective item took place on June 15, 2016": see Verizon note 1/14/2022 and Annexes 6, 10 and 11).

The relationship with the location service provider was interrupted at the end of 2020 (in this regard, to be precise, the Company stated that the interruption occurred in November 2020; while Verizon specified that the contract was terminated on December 31st 2020: see Verizon note dated 14/1/2022, point 2, letter c).

The geolocation service makes it possible to acquire data relating to the circulation of the vehicle used by the carrier, collected by the device installed on board - inside the engine compartment - which can be consulted via a web application, in particular the kilometers travelled, with the possibility of extracting reports (whose characteristics have not been specified by the Company).

It also emerged that the deactivation of the device (for example outside working hours) could only take place after opening the engine compartment and manually disconnecting the cables.

The company providing the service, during the proceeding initiated against it by the Authority, indicated the standard features of the "Light" service covered by the contract (in particular: localization using the GPS system, map control of the distance traveled by each vehicle, calculation of kilometres, travel time and average driving speed, with data retention, in relation to the specific case, for 12 months).

Verizon also specified that it was not “able to provide any specific information on the characteristics set by Giessegi, since these characteristics were associated with the device hardware. Once disabled, Verizon has no access to this data. In its standard setting, the Light subscription plan (i.e. the plan activated by Giessegi in relation to the Device) collects location data at regular intervals (not in real time), but the customer may have set these intervals to different values" (see Verizon note dated 1/14/2022).

According to what was stated, each device was associated with the vehicle's license plate and not with the name of the individual driver, therefore the Company "in most cases, does not know who is driving the vehicle and, in fact, the transport service [ …] is carried out by “owners” who alternate driving with several drivers”.

Contrary to what the Company believes, given the definition of "personal data" ("any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity": art. 4, n. 1 of the Regulation), the association of the device to the vehicle's license plate number, even in the event that the driving of the same is actually entrusted to different drivers who take turns (a circumstance which in any case does not necessarily occur given that the holders of sole proprietorships often carry out the transport themselves), allows the driver of the vehicle to be identified through association with other information (e.g. documents relating to duty rosters; on the possibility of identifying the driver of the geolocated vehicle, see also, in general terms, provision 4 October 2011, no. 370, doc. web no. 1850581; see, in relation to specific cases, the provisions of 28 June 2018, n. 396, doc. web no. 9023246 and 24 May 2017, no. 247, doc. web no. 6495708; see also: Article 29 Data Protection Working Party, Opinion no. 5/2005 on the use of location data in order to provide value-added services, WP 115, p. 10 and Opinion no. 4/2007 on the concept of personal data, WP 136, p. 11).

Having also seen the definition of "processing" ("any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction": art. 4, n. 2, of the Regulation), it therefore emerges that, through the device installed on the vehicle used by the complainant (in ways that it was not possible to ascertain during the proceeding) to render the service consisting in transport of goods, the Company has processed, at least, data relating to the location and kilometers traveled during the execution of the self-employment contract, relating to an identified or identifiable natural person, for the declared purpose of being able to verify "the exact fulfillment of the collaboration contract with the third parties" (including the complainant).

The qualification of the Company as data controller (see the definition pursuant to art. 4, n. 7 of the Regulation) therefore derives from an examination of the characteristics of the concrete case, in particular from the circumstance that it is the Company that has stipulated the contract with the service provider, determining purposes and means of processing, and to have had access, through a web application, to the data collected and subsequently processed ("The data were accessed by the shipping offices and a manager of the data processing group": see note from the Company 12/29/2021).

Upon examination of the feedback received from the service provider (Verizon), it therefore emerges that the latter sent the Company, in execution of orders signed in 2016, no. 76 geolocation devices, including the device with the serial number found by the complainant (Visirun device n. 30006717).

This device, according to the documentation provided by Verizon, was shipped to the Company in execution of an order dated February 8, 2016 (see Verizon transport document dated 02/09/2016, n. 672) "and the 23 November 2020 following the exchanges between Visirun and Giessegi of 24 September 2020" (see Verizon note of 14/1/2022 and Annex 10).

Therefore, the Company has processed the data collected with the Visirun device n. 30006717, complete with geolocation functionality, until 23 November 2020, even after the termination of the employment relationship with the complainant (given the possibility of accessing the data collected through the web portal up to the date of termination of the provision of the service).

The Company also declared that it was unable to produce any document relating to the delivery of the device to the complainant, due to the time elapsed since the termination of the relationship with the same. Nor, in any case, was produced − at least − a copy of similar documents relating to the delivery to the other hauliers of the devices ordered in significant numbers from the service provider. There is therefore no evidence in the records that the device subject to the complaint was physically delivered to the complainant and that, on the occasion, the Company indicated the characteristics of the device to the interested party.

3.2 Violation of articles 5, par. 1, lit. a) and 13 of the Regulation.

The data controller must process the data "lawfully, correctly and transparently" (Article 5, paragraph 1, letter a) of the Regulation), adopting "appropriate measures to provide the interested party with all the information referred to in the articles 13 and 14 [...]” (art. 12 of the Regulation).

In the present case, however, it does not appear that the Company has informed the complainant about the characteristics of the device supplied by Visirun S.p.A., the type of data collected, the purposes and methods of processing, including the possibility also for interested parties, as declared by the Company itself, to access the data collected through a web application and the specific methods (neither simple nor intuitive) necessary to deactivate the geolocation activity.

In this regard, the Company first of all claimed that it was not required to provide the information, believing that the device and system provided by Visirun "was not aimed at acquiring personal data".

On the contrary, for the reasons set out above, the data collected by the devices was attributable to identifiable persons through association with other information.

In addition, the Company, during the proceeding, has in any case produced a copy of an Information note for the personal data collected from the interested party (where it is specified that the document is addressed to "Mobile transport service providers", in relation to the geolocation of the vehicle of transport), signed by the legal representative of the company on 26 May 2022 (see Annex 2, note 26/5/2022).

However, this information notice does not comply with the provisions of the Regulation, as the meager information contained therein is, in some passages, extremely generic (e.g. in relation to the description of the processing, where reference is made to the "Identification of the path of the vehicle" without mentioning geolocation or any other data processed), and in others contradictory (e.g. on the indication of the legal basis, where the "Legitimate interest of the data controller" is indicated, specifying immediately afterwards that "the processing is necessary for the execution of a contract of which the interested party is a part or to the execution of pre-contractual measures adopted at the request of the same", therefore indicating a separate legal basis, alternative to legitimate interest).

The Company has therefore failed to inform the complainant about the specific method of treatment actually carried out through the use of the geolocation device and the service provided through this by Visirun S.p.A., in violation of the provisions of art. 13 of the Regulation.

Considering that between the Company and the complainant, according to what emerges from the elements available in the deeds, there was an independent employment relationship, in the present case the obligation to inform the worker is also an expression of the general principle of correctness of the treatments (art. 5, paragraph 1, letter a) of the Regulation).

The Company, for the above reasons, has therefore violated the articles 5, par. 1, lit. a) and 13 of the Regulation, from the date of installation and commissioning of the device (not before February 2016), as shown in the documents, to 23 November 2020.

3.3 Violation of articles 5, par. 1, lit. a), 6 and 28 of the Regulation.

It also emerged that the Company, as data controller, carried out personal data processing activities relating to the complainant (and to the other carriers for whom the devices were ordered), for the declared purpose of being able to calculate the kilometers traveled in the course of their services and thus be able to verify "the exact fulfillment of the collaboration contract with the subcontractors", making use of the geolocation services provided at the time by Visirun S.p.A.

The processing was carried out over a period of time between February 2016 and the end of December 2020, without however the relationship with the aforementioned service provider having been regulated, pursuant to art. 28 of the Regulation ("Data Processor"), applicable to the specific case considering that, as part of the provision of the aforementioned service, personal data processing activities have been carried out, through the system that processes and stores the information collected from the devices.

In fact, according to the provisions of the Regulation, the data controller, in the context of preparing the technical and organizational measures that are its responsibility, also in terms of security (articles 24 and 32 of the Regulation), may use a data processor to carry out certain processing activities, to which it gives specific instructions (see recital 81 of the Regulation).

In this case, the controller "recourses only to data processors who present sufficient guarantees to implement [the aforementioned measures] adequate in such a way that the treatment meets the requirements of the Regulation and guarantees the protection of the rights of the interested parties" (art. 28, paragraph 1 of the Regulation).

Pursuant to art. 28 of the Regulation, the controller may also entrust processing to external parties, provided that it adequately regulates the relationship by a contract (or another legal act) and issues instructions regarding the main characteristics of the processing.
The data processor is therefore entitled to process the data of the interested parties "only upon documented instruction from the data controller" (Article 28, paragraph 3, letter a), of the Regulation) and within the specific limits defined by the data controller.

In this regard, it should be noted that the discipline defined by the Regulation is also fully applicable to the facts subject to complaint, based on the "tempus regit actum" principle, taking into account that the treatments, which began in 2016, continued until the end of 2020, with consequent applicability of the aforementioned art. 28 of the Regulation in force at the time of cessation of the conduct.

In any case, even prior to the application of the Regulation in our legal system, art. 29 of Legislative Decree no. 196 of 2003 provided that data processing on behalf of the controller could be lawfully carried out only where the task was assigned on the basis of specific instructions from the controller (see, in the corresponding sense, the provision 21/7/2022, n. 270, web doc. n. 9811732; the same conclusions were reached by the Court of Cassation, Section I Civil, order n. 21234 of 23 July 2021).

In the present case, the Company, the data controller, has not proceeded to designate Visirun S.p.A. as data processor, nor to issue the due instructions, despite being required, in the terms set out above, to comply with the obligations deriving from the legislation on the protection of personal data and although, in the Terms and Conditions of the stipulated contract, the service provider itself had clarified its status as data processor and the need to proceed with the designation (see note of 14/1/2022 by Verizon, Annexes 7 and 8, spec. point 18).

On the other hand, the same contract conditions did not provide anything regarding the specific indications of the processing operations to be carried out on behalf of the company and the instructions relating to the concrete methods with which to carry out the data processing.

Finally, it is believed that, in the assessment of compliance with art. 28 of the Regulation of the treatments carried out by the Company, the document, attached to the note of 26/5/2022, called "Data treatment sheet - As established by art. 28 of EU Reg. No. 679/2016", formally dated 23/5/2018 and signed by the Company alone (and not by the supplier), with digital signature of the legal representative, dated 26/5/2022.

In fact, this document not only does not contain the elements indicated by art. 28, par. 3 of the Regulation, but moreover it is completely devoid of elements capable of proving with certainty the date of effective adoption of the document.

Failure to comply with the provisions of art. 28 of the Regulation also entailed, by the Company, a communication to third parties (see art. 4, no. 10, of the Regulation), in the absence of a suitable prerequisite of lawfulness, given that, based on the documentation in the deeds, none of the conditions of lawfulness of the treatments actually carried out by the service provider were found, in violation of the articles 5, par. 1, lit. a) and 6 of the Regulation.

3.4 Violation of articles 5, par. 1, lit. a) and 6 of the Regulation.

It also emerged that the Company carried out, until the end of 2020, processing of personal data of the complainant through the geolocation system, provided by Visirun S.p.A. - who used the device installed on the interested party's vehicle -, despite the fact that the employment relationship with the latter had ceased in May 2019.

Considering that the purpose of the processing, according to what was declared, consisted in accounting for the kilometers traveled by the carrier, in view of the assessment of the correct fulfillment of the obligations under the contract, the processing of the complainant's data, after the termination of the employment relationship with the Company, occurred in the absence of a suitable prerequisite of lawfulness, in violation of articles 5, par. 1, lit. a) and 6 of the Regulation.

Nor, in this regard, can the Company's objection be accepted that the continued processing was due to the complainant's failure to return the device, both because, as already noted, there is no evidence on file that the device was delivered to the complainant, and because, in any case, after the termination of the employment relationship, the Company should have informed the supplier that the location service for the device associated with the complainant was to be discontinued and, if necessary, that the device could not be returned at the same time.

3.5 Violation of the art. 35 of the Regulation.

Under art. 35 of the Regulation, in relation to processing that involves "the use of new technologies, considering the nature, object, context and purposes of the processing, [such as] to present a high risk for the rights and freedoms of natural persons", the controller is required to carry out a data protection impact assessment before the start of the envisaged processing.

In this regard, the Guidelines WP 248rev.01 of 4.4.2017 ("Guidelines on the impact assessment on data protection and determination of the possibility that the treatment "may present a high risk" for the purposes of regulation (EU) 2016/679") identify, among the criteria in the presence of which the data controller is required to carry out an impact assessment, the processing of "data of a highly personal nature", including data relating to location (see chap. III, B, n. 4), processing carried out in relation to "vulnerable" data subjects (e.g. as parties to an employment relationship; see chap. III, B, n. 7), as well as processing that involves an "innovative use or [the] application of new technological or organizational solutions" (see chap. III, B, n. 8).

Further indications were provided with the provision of the Guarantor of 11 October 2018, n. 467 (“List of types of processing subject to the requirement of an impact assessment on data protection pursuant to article 35, paragraph 4, of Regulation (EU) n. 2016/679”, in the Official Gazette, S. G. n. 269 of 11.19.2018), although referring to cross-border processing.

As already highlighted, the Company has carried out - as controller and at least towards the complainant - processing of data relating to the location provided by Visirun S.p.A. through the "Light" model geolocation service whose standard features include: location using the GPS system, map control of the distance traveled by each vehicle, calculation of kilometres, travel time and average driving speed, with data retention, in relation to the present case, for 12 months. The processing lasted until November/December 2020.

The characteristics of the processing carried out by the Company, in that they allow the detection of the geographical position and further processing capable of representing detailed aspects of the driving activity, therefore meet the aforementioned criteria that trigger the obligation to carry out a data protection impact assessment.

It does not emerge that the Company has complied with the provisions of the aforementioned art. 35, given, in the first place, that the document "Data protection impact assessment and prior consultation" does not contain all the elements indicated in art. 35, paragraph 7.

In particular, in relation to the "systematic description of the treatments" only the activity of "identification of the path of the vehicle" is indicated, without reference to the other, albeit relevant, functions of the system; faced with the identification of a "residual risk" (consisting in the collection of data through the device even when the vehicle is used beyond the transport activity on behalf of the controller), the Company has indicated, as a measure adopted to mitigate the risk, only the preparation of information relating to the possibility of deactivating the device, information which, however, was not produced to the Authority; the security measures pursuant to art. 32 of the Regulation are indicated in an extremely general way (information to carriers and "instructions to internal personnel in charge of the confidentiality and adequacy of the processing of travel route data", which in any case have not been produced in documents) and cannot in any case be considered suitable, in relation to the processing carried out, to "ensure on a permanent basis the confidentiality, integrity, availability and resilience of the treatment systems and services" (Article 32, paragraph 1, letter b) of the Regulation); the inadequacy of the measures adopted emerges, in the present case, also from the fact that the processing continued for a significant period of time - more than a year and a half - after the termination of the relationship.

Moreover, also with reference to the impact assessment, there are no elements suitable to prove, with certainty, the date of adoption of the document: in fact, it is dated and signed, with handwritten signature, on 5/23/2018 by the legal representative and by a person who works at the Ced, but is also signed, with digital signature, by the legal representative on 5/26/2022.

The treatment carried out by the Company therefore took place in violation of the art. 35 of the Regulation.

4 Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the preliminary investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are therefore unsuitable to allow the closing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

The processing of personal data carried out by the Company and in particular the processing of data relating to the geographical position of the interested party is in fact unlawful, in the terms set out above, in relation to articles 5, par. 1, lit. a), 6, 13, 28 and 35 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case, is ordered (Article 58, paragraph 2, letter i) of the Regulation).

Also considering that, although the processing carried out through the geolocation service provided at the time by Visirun S.p.A. was interrupted at the end of 2020, the Company, according to what has been declared, is in the process of adopting a service with similar characteristics, "using a different supplier exclusively on its own vehicles", Giessegi Industria Mobili S.p.A. is invited (pursuant to article 57, paragraph 1, letter d) of the Regulation) to comply with the indications contained in this provision and to verify the applicability of the sector regulations of a labor nature (see article 114 of the Code and art. 88 of the Regulation).

5 Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding, it appears that Giessegi Industria Mobili S.p.A. has violated, in various respects, articles 5, par. 1, lit. a), 6, 13, 28 and 35 of the Regulation. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction envisaged by art. 83, par. 4, lit. a) and par. 5, lit. a) and b) of the Regulation is provided for, through the adoption of an injunction order (art. 18, law 11.24.1981, n. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation, for the purpose of applying the pecuniary administrative sanction and the relative quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature and seriousness of the violation, the nature of the violation was considered relevant, which concerned the general principles and obligations of the data controller; in relation to the duration of the violation, it was considered that it lasted for more than four years, over a period between 22 January 2016 and the end of December 2020; it was also considered that the treatments carried out in violation of the Regulation concerned, in addition to the complainant, also the other interested parties attributable to the vehicles subject to geolocation through the devices delivered by Visirun S.p.A.;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same was taken into consideration which did not comply with the regulations on data protection, in relation to a plurality of provisions also concerning the general principles of processing (lawfulness);

c) in favor of the Company, the cooperation with the Supervisory Authority and the absence of previous relevant violations were taken into account.

It is also believed that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender, determined on the basis of the revenues earned by the company with reference to the financial statements for the year 2021, are relevant in the present case in the first place. The economic context in which the Company currently operates was also taken into account and, lastly, the amount of sanctions imposed in similar cases.

In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply the administrative sanction of payment of a sum equal to 50,000 (fifty thousand) euros against Giessegi Industria Mobili S.p.A.

In this context, it is also believed, in consideration of the type of violations ascertained that concerned the general principles of treatment, that pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019 are met.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by Giessegi Industria Mobili S.p.A., in the person of its legal representative, with registered office in Via Bramante, 39, Appignano (MC), C.F. 00642760433, pursuant to art. 143 of the Code, for the violation of the articles 5, par. 1, lit. a), 6, 13, 28 and 35 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation to Giessegi Industria Mobili S.p.A., to pay the sum of 50,000 (fifty thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOINS

the same Company to pay the aforementioned sum of 50,000 (fifty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions pursuant to art. 17 of Regulation no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 15 December 2022

THE PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE SECRETARY GENERAL
Mattei

[doc. web no. 9861249]

Injunction against Giessegi Industria Mobili S.p.A. - December 15, 2023

Register of measures
no. of 15 December 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

CONSIDERING the complaint presented pursuant to art. 77 of the Regulation dated 16 February 2021 by Mr. XX against Giessegi Industria Mobili S.p.A.;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER the lawyer Guido Scorza;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint dated February 16, 2021, Mr. XX complained that Giessegi Industria Mobili S.p.A. (hereinafter, the Company) would have carried out processing of personal data referring to him in violation of the Regulation, by installing a device suitable for detecting the geographical position inside the vehicle by means of which the complainant carried out delivery of goods on behalf of the Company.

In particular, the complainant represented that he had "found a locator device marked Visirun no. serial number 30006717" which was active "at least on 12/09/2020". The aforementioned device would have been installed in the absence of information and a "valid expression of consent", in the context of the employment relationship with the Company up to the date of 13 May 2019.

The Company, in responding to the Authority's request for information dated November 30, 2021, with a note dated December 29, 2021 (and related attachments), stated that:

a. "during 2016 [...] Giessegi took care to make available to the transport companies with which it collaborated, including that of the [complainant], geolocation devices capable of providing a better understanding of the mileage contributed by the latter, given essential for verifying the adequacy of the fees due to the carrier" (note 12/29/2021, p. 1);

b. "by virtue of this objective [the company] stipulated a supply contract with Visirun spa [...] on 02/03/2016. The contract envisaged the sending of the devices to Giessegi, which then took care of delivering them to the individual carriers, and the provision of a personal web user for viewing the data relating to them" (note cit., p. 1);

c. "the device, taken over by the transport companies, was then installed by them in the manner and timing most congenial to them" (note cit., p. 1);

d. "in November 2020 the [company] interrupted its commercial relations with Visirun" (cited note, p. 1);

e. the company "was required to return the devices received from Visirun or to redeem them. The correspondence found shows that the device connected to the complainant's vehicle was not found" (note cit., p. 2);

f. with reference to the conditions of lawfulness of the processing "it is believed that in the present case the hypotheses referred to in lett. c) and f) [of art. 6 of the Regulation], since the collection of information relating to the mileage traveled on the vehicles on which the devices in question were installed was functional to the exact determination of the kilometers traveled by the subcontractor companies in execution of the transport contract, and therefore of the punctual fulfillment of the same by the client, with consequent legitimate interest of both Giessegi and the [complainant] in the processing and treatment of the aforesaid data [...], taking into account the fact that the hauliers were paid per «km travelled»" (cited note, p. 2);

g. "the collection of detailed information on the mileage made by the vehicles [...] were proportionate with the purposes represented by the company, since it was limited and functional information for the exact fulfillment of the collaboration contract with the subcontractors" (cited note, p. 2-3);

h. "there was the possibility for the transport company to access the same data held by Giessegi, exclusively referable to the devices installed in its vehicles, through the activation of an electronic user" (note cit., p. 3);

i. "the indicated device, although granted on free loan to the claimant, was never installed directly by Giessegi but by the claimant himself or by one of his representatives" (note cit., p. 3);

j. "considering the freedom granted to the complainant [...] we are unable to communicate the actual date of installation of the device" (cited note, p. 4);

k. “subjects appointed to determine the purposes and means of data processing were Giessegi as a whole as well as the transport company exclusively for the devices connected to it. The data were accessed by the shipping offices and a manager of the data processing group, as can be seen from the supplier privacy information made available by the company on its website" (note cit., p. 4);

l. the complainant was not provided with information "because the tool was not aimed at acquiring personal data, but only as a tool for calculating the km traveled by the vehicle for accounting purposes" (note cit., p. 5);

m. through a web application connected to the device it was possible to access the kilometers traveled with the possibility of extracting reports; "the collected data remained present but at the end of the relationship the company no longer had access to the portal" (note cit., p. 5);

n. "the security measures have not been adopted in the processing of the data provided by this device [...], except for the normal indications of corporate confidentiality by the persons in charge of acquiring the data of the total km traveled by the complainant's vehicle" (note cit., p. 5);

o. as part of the impact assessment carried out on 23 May 2018 pursuant to art. 35 of the Regulation, it was decided to "exclude any critical issues regarding the processing of such data" (note cit., p. 6).

With a subsequent note dated 26 May 2022, sent in response to a request for further information formulated by the Office (on 6/5/2022), the Company also declared that:

a. "considering the time of the facts and the interruption of any commercial relationship with the [...] complainant, which occurred in May 2019, it was not possible to trace the paper and/or digital documentation relating to the delivery of the device" (note 26/5/2022, p. 1);

b. "between the parties there was no employment contract as the complainant provided his transport services as an independent legal entity" (note cit., p. 1).

At the same time, the Authority initiated proceedings against Verizon Connect Italy S.p.A. (formerly Visirun S.p.A.), as supplier of the device found in the complainant's vehicle and of the connected location service.

The device and service supplier responded to the Authority's requests for information with notes dated 14 January and 25 May 2022.

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 13 July 2022, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a), 6, 13, 28, para. 1 and 35 of the Regulation.

During the hearing held on 9 November 2022 at the request of the Company, the latter stated that:

"the geolocation device [...] is necessary [...] both to count the kilometers traveled and to indicate to the driver the optimal route to follow to make the delivery";

"the company started using geolocation devices in 2016, before the application of EU Regulation 2016/679";

the Company "in 2018 proceeded to send Visirun, supplier of the localization service, the designation of data controller, as already represented to the Guarantor during the proceeding, however the supplier did not [...] send any feedback";

"with reference to the dispute referring to the persistent functioning of the device positioned on the complainant's vehicle even after the interruption of the employment relationship, it should be noted that in 2019 the company had decided to abandon the gps in use at that time for the will to switch to a new system that allows the check of the delivered packages. For this purpose, it had therefore begun to collect geolocation devices. In this phase, the employee in charge of the collection was unable to find the serial linked to the plate of the complainant, who, therefore, had not returned the device";

“GPS devices were linked to the vehicle license plate and not to the individual driver. Therefore, in most cases, the company does not know who is driving the vehicle and, in fact, the transport service on behalf of the company is carried out by "small owners" who alternate driving with several drivers";

"The company is carrying out an activity of adaptation to the GDPR and in this perspective it is available to modify both the information and the DPIA";

“The company will install GPS devices using a different supplier exclusively on its own vehicles in order to fulfill legal obligations. For this purpose it is preparing adequate information and DPIA”;

"at the time of the fact that was the subject of the complaint, it was possible to deactivate the gps installed inside the engine compartment of the vehicles by disconnecting the power cables";

“the company is heavily penalized by the increase in the cost of electricity which heavily affects production costs”.

3 The outcome of the investigation.

3.1 The processing of data relating to the geographical location carried out by the company.

As a result of the examination of the statements made to the Authority during the proceeding as well as of the documentation acquired, it appears that the Company has stipulated with Visirun S.p.A. (now Verizon Connect Italy S.p.A., hereinafter: Verizon) a contract for the supply of geolocation services (in particular the "Light" service), subject to the installation of devices complete with geolocation functions on the vehicles responsible for carrying out the transport of goods on its behalf, for the declared purpose − in itself lawful − of being able to determine, with the help of a technological tool, the "exact determination of the kilometers traveled [...] in execution of the transport contract, and therefore of the punctual fulfillment of the same" as well as in order to "show the driver the optimal route to follow to make the delivery".

Based on the examination of the documentation acquired in the deeds, it emerges that the Company placed, during 2016, some orders to Visirun S.p.A. relating to the provision of localization services (respectively on 22/1, 8/2, 3/3, 5 and 9/5, 15/6 of 2016, "for the rental of a total of 76 geolocation devices [...] and related connected services. The last replacement order for a defective item took place on June 15, 2016": see Verizon note 1/14/2022 and Annexes 6, 10 and 11).

The relationship with the location service provider was interrupted at the end of 2020 (in this regard, to be precise, the Company stated that the interruption occurred in November 2020; while Verizon specified that the contract was terminated on December 31st 2020: see Verizon note dated 14/1/2022, point 2, letter c).

The geolocation service makes it possible to acquire data relating to the circulation of the vehicle used by the carrier, collected by the device installed on board - inside the engine compartment - which can be consulted via a web application, in particular the kilometers travelled, with the possibility of extracting reports (whose characteristics have not been specified by the Company).

It also emerged that the deactivation of the device (for example outside working hours) could only take place after opening the engine compartment and manually disconnecting the cables.

The company providing the service, during the proceeding initiated against it by the Authority, indicated the standard features of the "Light" service covered by the contract (in particular: localization using the GPS system, map control of the distance traveled by each vehicle, calculation of kilometres, travel time and average driving speed, with data retention, in relation to the specific case, for 12 months).

Verizon also specified that it was not “able to provide any specific information on the characteristics set by Giessegi, since these characteristics were associated with the device hardware. Once disabled, Verizon has no access to this data. In its standard setting, the Light subscription plan (i.e. the plan activated by Giessegi in relation to the Device) collects location data at regular intervals (not in real time), but the customer may have set these intervals to different values" (see Verizon note dated 1/14/2022).

According to what was stated, each device was associated with the vehicle's license plate and not with the name of the individual driver, therefore the Company "in most cases, does not know who is driving the vehicle and, in fact, the transport service […] is carried out by "owners" who alternate driving with several drivers".

Contrary to what the Company believes, given the definition of "personal data" ("any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of its physical, physiological, genetic, mental, economic, cultural or social identity": art. 4, n. 1 of the Regulation), the association of the device to the vehicle's license plate number, even in the event that the driving of the same is actually entrusted to different drivers who take turns (a circumstance which in any case does not necessarily occur given that the holders of sole proprietorships often carry out the transport themselves), allows the driver of the vehicle to be identified through association with other information (e.g. documents relating to duty rosters; on the possibility of identifying the driver of the geolocated vehicle, see also, in general terms, provision 4 October 2011, no. 370, doc. web no. 1850581; see, in relation to specific cases, the provisions of 28 June 2018, n. 396, doc. web no. 9023246 and 24 May 2017, no. 247, doc. web no. 6495708; see also: Article 29 Data Protection Working Party, Opinion no. 5/2005 on the use of location data in order to provide value-added services, WP 115, p. 10 and Opinion no. 4/2007 on the concept of personal data, WP 136, p. 11).

Having also seen the definition of "processing" ("any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction": art. 4, n. 2, of the Regulation), it therefore emerges that, through the device installed on the vehicle used by the complainant (in ways that it was not possible to ascertain during the proceeding) to render the service consisting in transport of goods, the Company has processed, at least, data relating to the location and kilometers traveled during the execution of the self-employment contract, relating to an identified or identifiable natural person, for the declared purpose of being able to verify "the exact fulfillment of the collaboration contract with the third parties" (including the complainant).

The qualification of the Company as data controller (see the definition pursuant to art. 4, n. 7 of the Regulation) therefore derives from an examination of the characteristics of the concrete case, in particular from the circumstance that it is the Company that stipulated the contract with the service provider, determining purposes and means of processing, and that it had access, through a web application, to the data collected and subsequently processed ("The data were accessed by the shipping offices and a manager of the data processing group": see note from the Company 12/29/2021).

Upon examination of the feedback received from the service provider (Verizon), it therefore emerges that the latter sent the Company, in execution of orders signed in 2016, 76 geolocation devices, including the device with the serial number found by the complainant (Visirun device n. 30006717).

This device, according to the documentation provided by Verizon, was shipped to the Company in execution of an order dated February 8, 2016 (see Verizon transport document dated 02/09/2016, n. 672) "and the 23 November 2020 following the exchanges between Visirun and Giessegi of 24 September 2020" (see Verizon note of 14/1/2022 and Annex 10).

Therefore, the Company has processed the data collected with the Visirun device n. 30006717, complete with geolocation functionality, until 23 November 2020, even after the termination of the employment relationship with the complainant (given the possibility of accessing the data collected through the web portal up to the date of termination of the provision of the service).

The Company also declared that it was unable to produce any document relating to the delivery of the device to the complainant, due to the time elapsed since the termination of the relationship with the same. Nor, in any case, was produced − at least − a copy of similar documents relating to the delivery to the other hauliers of the devices ordered in significant numbers from the service provider. There is therefore no evidence in the records that the device subject to the complaint was physically delivered to the complainant and that, on the occasion, the Company indicated the characteristics of the device to the interested party.

3.2 Violation of articles 5, par. 1, lit. a) and 13 of the Regulation.

The data controller must process the data "lawfully, correctly and transparently" (Article 5, paragraph 1, letter a) of the Regulation), adopting "appropriate measures to provide the interested party with all the information referred to in articles 13 and 14 [...]" (art. 12 of the Regulation).

In the present case, however, it does not appear that the Company has informed the complainant about the characteristics of the device supplied by Visirun S.p.A., the type of data collected, the purposes and methods of processing, including the possibility also for interested parties, as declared by the Company itself, to access the data collected through a web application and the specific methods (neither simple nor intuitive) necessary to deactivate the geolocation activity.

In this regard, the Company first of all claimed that it was not required to provide the information, believing that the device and system provided by Visirun "was not aimed at acquiring personal data".

On the contrary, for the reasons set out above, the data collected by the devices were attributable to identifiable persons through association with other information.

In addition, the Company, during the proceeding, has in any case produced a copy of an information note for the personal data collected from the interested party (where it is specified that the document is addressed to "Mobile transport service providers", in relation to the geolocation of the vehicle of transport), signed by the legal representative of the company on 26 May 2022 (see Annex 2, note 26/5/2022).

However, this information model does not comply with the provisions of the Regulation, as the meager information contained therein is, in some passages, extremely generic (e.g. in relation to the indication of the processing, where reference is made to the "Identification of the path of the vehicle" without mentioning the geolocation or any other data processed) and, in others, contradictory (e.g. on the indication of the legal basis, where the "Legitimate interest of the data controller" is indicated, specifying immediately afterwards that "the processing is necessary for the execution of a contract of which the interested party is a part or to the execution of pre-contractual measures adopted at the request of the same", therefore indicating a separate legal basis, alternative to legitimate interest).

The Company has therefore failed to inform the complainant about the specific processing actually carried out through the use of the geolocation device and the service provided through it by Visirun S.p.A., in violation of the provisions of art. 13 of the Regulation.

Considering that between the Company and the complainant, according to what emerges from the elements available in the deeds, there was an independent employment relationship, in the present case the obligation to inform the worker is also an expression of the general principle of correctness of the treatments (art. 5, paragraph 1, letter a) of the Regulation).

The Company, for the above reasons, has therefore violated articles 5, par. 1, lit. a) and 13 of the Regulation, from the date of installation and commissioning of the device (not before February 2016), as shown in the documents, to 23 November 2020.

3.3 Violation of articles 5, par. 1, lit. a), 6 and 28 of the Regulation.

It also emerged that the Company, as data controller, carried out personal data processing activities relating to the complainant (and to the other carriers for whom the order of the devices was made), for the declared purpose of being able to calculate the kilometers traveled in the performance of their services and thus be able to verify "the exact fulfillment of the collaboration contract with the subcontractors", making use of the geolocation services provided at the time by Visirun S.p.A.

The processing was carried out over a period of time between February 2016 and the end of December 2020, without however the relationship with the aforementioned service provider having been regulated, pursuant to art. 28 of the Regulation ("Data Processor"), applicable to the specific case considering that, as part of the provision of the aforementioned service, personal data processing activities have been carried out, through the system that processes and stores the information collected from the devices.

In fact, according to the provisions of the Regulation, the data controller, in the context of preparing the technical and organizational measures that are its responsibility, also in terms of security (articles 24 and 32 of the Regulation), can make use of a data processor for carrying out some processing activities, to which it gives specific instructions (see cons. 81 of the Regulation).

In this case, the controller "has recourse only to data processors who present sufficient guarantees to implement [the aforementioned measures] adequate in such a way that the processing meets the requirements of the Regulation and guarantees the protection of the rights of the interested parties" (art. 28, paragraph 1 of the Regulation).

Pursuant to art. 28 of the Regulation, the data controller can also entrust processing to external subjects, provided that it adequately regulates the relationship with a contract (or another legal act) and issues instructions regarding the main characteristics of the processing.
The data processor is therefore entitled to process the data of the interested parties "only upon documented instruction from the data controller" (Article 28, paragraph 3, letter a), of the Regulation) and within the specific limits defined by the data controller.

In this regard, it should be noted that the discipline defined by the Regulation is also fully applicable to the facts subject to complaint, based on the "tempus regit actum" principle, taking into account that the treatments, which began in 2016, continued until the end of 2020, with consequent applicability of the aforementioned art. 28 of the Regulation in force at the time of cessation of the conduct.

In any case, even prior to the application of the Regulation in our legal system, art. 29 of Legislative Decree no. 196 of 2003 provided that data processing on behalf of the data controller could be lawfully carried out only where the relevant task was assigned on the basis of specific instructions from the data controller (see, in the corresponding sense, the provision of 21/7/2022, n. 270, web doc. n. 9811732; the same conclusions were reached by the Court of Cassation, Section I Civil, order n. 21234 of 23 July 2021).

In the present case, the Company, as data controller, did not designate Visirun S.p.A. as data processor, nor did it issue the due instructions, despite being required, in the terms set out above, to comply with the obligations deriving from the legislation on the protection of personal data and although, in the Terms and Conditions of the stipulated contract, the service provider itself had clarified its qualification as data processor and the need to proceed with the designation (see note of 14/1/2022 by Verizon, Annexes 7 and 8, spec. point 18).

On the other hand, the same contract conditions did not provide anything regarding the specific indications of the processing operations to be carried out on behalf of the company and the instructions relating to the concrete methods with which to carry out the data processing.

Finally, it is believed that, in the assessment of compliance with art. 28 of the Regulation of the treatments carried out by the Company, the document, attached to the note of 26/5/2022, called "Data treatment sheet - As established by art. 28 of EU Reg. No. 679/2016", formally dated 23/5/2018 and signed by the Company alone (and not by the supplier), with digital signature of the legal representative, dated 26/5/2022.

In fact, this document not only does not contain the elements indicated by art. 28, par. 3 of the Regulation, but moreover it is completely devoid of elements capable of proving with certainty the date of effective adoption of the document.

Failure to comply with the provisions of art. 28 of the Regulation also entailed, by the Company, a communication to third parties (see art. 4, no. 10, of the Regulation), in the absence of a suitable prerequisite of lawfulness, given that, based on the documentation in the deeds, none of the conditions of lawfulness of the treatments actually carried out by the service provider were found, in violation of the articles 5, par. 1, lit. a) and 6 of the Regulation.

3.4 Violation of articles 5, par. 1, lit. a) and 6 of the Regulation.

It also emerged that the Company carried out, until the end of 2020, processing of personal data of the complainant through the geolocation system, provided by Visirun S.p.A. - who used the device installed on the interested party's vehicle -, despite the fact that the employment relationship with the latter had ceased in May 2019.

Considering that the purpose of the processing, according to what was declared, consisted in accounting for the kilometers traveled by the carrier, in view of the assessment of the correct fulfillment of the obligations under the contract, the processing of the complainant's data, after the termination of the employment relationship with the Company, occurred in the absence of a suitable prerequisite of lawfulness, in violation of articles 5, par. 1, lit. a) and 6 of the Regulation.

Nor in this regard can the objection of the Company be accepted according to which the continued processing would be due to the complainant's failure to return the device, both because, as already noted, there is no evidence in the records of the delivery of the device to the complainant, and because, in any case, after the termination of the employment relationship, the Company should have communicated to the supplier the interruption of the localization service relating to the device associated with the complainant and, if necessary, the impossibility of proceeding with the simultaneous return of the same.

3.5 Violation of the art. 35 of the Regulation.

Based on art. 35 of the Regulation, in relation to processing that involves "the use of new technologies, considering the nature, object, context and purposes of the processing, [such as] to present a high risk for the rights and freedoms of natural persons", the data controller is required to carry out an assessment of the impact on the protection of personal data before the start of the envisaged processing.

In this regard, the Guidelines WP 248rev.01 of 4.4.2017 ("Guidelines on the impact assessment on data protection and determination of the possibility that the processing "may present a high risk" for the purposes of regulation (EU) 2016/679"), among the criteria in the presence of which the data controller is required to carry out an impact assessment, identify the processing of "data of a highly personal nature", including data relating to location (see chap. III, B, n. 4), processing carried out in relation to "vulnerable" interested parties (e.g. as parties to an employment relationship; see chap. III, B, n. 7) as well as processing which involves an "innovative use or [the] application of new technological or organizational solutions" (see chap. III, B, n. 8).

Further indications were provided with the provision of the Guarantor of 11 October 2018, n. 467 (“List of types of processing subject to the requirement of an impact assessment on data protection pursuant to article 35, paragraph 4, of Regulation (EU) n. 2016/679”, in the Official Gazette, S. G. n. 269 of 11.19.2018), although referring to cross-border processing.

As already highlighted, the Company has carried out, as data controller and at least towards the complainant, processing of location data provided by Visirun S.p.A. through the "Light" model geolocation service, whose standard features include: location using the GPS system, map control of the distance traveled by each vehicle, calculation of kilometres, travel time and average driving speed, with data retention, in relation to the present case, for 12 months. The processing lasted until November/December 2020.

The characteristics of the processing carried out by the Company, as they allow the detection of the geographical position and further processing suitable for also representing detailed aspects of the driving activity, therefore meet the aforementioned criteria that trigger the obligation to carry out a data protection impact assessment.

It does not emerge that the Company has complied with the provisions of the aforementioned art. 35, given, in the first place, that the document "Data protection impact assessment and prior consultation" does not contain all the elements indicated in art. 35, paragraph 7.

In particular, in relation to the "systematic description of the processing", only the activity of "identification of the path of the vehicle" is indicated, without reference to the other, albeit relevant, functions of the system; faced with the identification of a "residual risk" (consisting in the collection of data through the device even in the event of use of the vehicle beyond the transport activity on behalf of the data controller), the Company has indicated, as a measure adopted to mitigate the risk, only the preparation of information relating to the possibility of deactivating the device, information which, however, was not produced to the Authority; the security measures pursuant to art. 32 of the Regulation are indicated in an extremely general way (information to carriers and "instructions to internal personnel in charge of the confidentiality and adequacy of the processing of travel route data", which in any case have not been produced in the records) and cannot in any case be considered suitable, in relation to the processing carried out, to "ensure on a permanent basis the confidentiality, integrity, availability and resilience of the processing systems and services" (Article 32, paragraph 1, letter b) of the Regulation); the inadequacy of the measures adopted emerges, in the present case, also from the fact that the processing continued for a significant period of time, more than a year and a half, after the termination of the relationship.

Moreover, also with reference to the impact assessment, there are no elements suitable to prove, with certainty, the date of adoption of the document: in fact, it is dated and signed, with handwritten signature, on 5/23/2018 by the legal representative and by a person who works at the Ced, but is also signed, with digital signature, by the legal representative on 5/26/2022.

The treatment carried out by the Company therefore took place in violation of the art. 35 of the Regulation.

4 Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the preliminary investigation do not allow the findings notified by the Office with the act of initiating the procedure to be overcome and are therefore unsuitable to allow the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

The processing of personal data carried out by the Company and in particular the processing of data relating to the geographical position of the interested party is in fact unlawful, in the terms set out above, in relation to articles 5, par. 1, lit. a), 6, 13, 28 and 35 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

Also considering that, although the processing carried out through the geolocation service provided at the time by Visirun S.p.A. was interrupted at the end of 2020, the Company, according to what has been declared, is in the process of adopting a service with similar characteristics, "using a different supplier exclusively on its own vehicles", Giessegi Industria Mobili S.p.A. is invited (pursuant to article 57, paragraph 1, letter d) of the Regulation) to comply with the indications contained in this provision and to verify the applicability of the sector regulations of a labor nature (see article 114 of the Code and art. 88 of the Regulation).

5 Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceeding, it appears that Giessegi Industria Mobili S.p.A. has violated, in various respects, articles 5, par. 1, lit. a), 6, 13, 28 and 35 of the Regulation. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction envisaged by art. 83, par. 4, lit. a) and par. 5, lit. a) and b) of the Regulation, through the adoption of an injunction order (art. 18, law 11.24.1981, n. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2 of the Regulation, for the purpose of applying the pecuniary administrative sanction and the relative quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were considered:

a) in relation to the nature and seriousness of the violation, the nature of the violation was considered relevant, which concerned the general principles and obligations of the data controller; in relation to the duration of the violation, it was considered that it lasted for more than four years, over a period between 22 January 2016 and the end of December 2020; it was also considered that the treatments carried out in violation of the Regulation concerned, in addition to the complainant, also the other interested parties attributable to the vehicles subject to geolocation through the devices delivered by Visirun S.p.A.;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same was taken into consideration which did not comply with the regulations on data protection, in relation to a plurality of provisions also concerning the general principles of processing (lawfulness);

c) in favor of the Company, the cooperation with the Supervisory Authority and the absence of previous relevant violations were taken into account.

It is also believed that the following are relevant in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation): firstly, the economic conditions of the offender, determined on the basis of the revenues earned by the company with reference to the financial statements for the year 2021. The economic context in which the Company currently operates was also taken into account and, lastly, the amount of sanctions imposed in similar cases.

In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply the administrative sanction of payment of a sum equal to 50,000 (fifty thousand) euros against Giessegi Industria Mobili S.p.A.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of treatment, that pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.

It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019.

ALL THAT BEING CONSIDERED, THE GUARANTOR

notes the illegality of the processing carried out by Giessegi Industria Mobili S.p.A., in the person of its legal representative, with registered office in Via Bramante, 39, Appignano (MC), C.F. 00642760433, pursuant to art. 143 of the Code, for the violation of the articles 5, par. 1, lit. a), 6, 13, 28 and 35 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation to Giessegi Industria Mobili S.p.A., to pay the sum of 50,000 (fifty thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOINS

then to the same Company to pay the aforementioned sum of 50,000 (fifty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions pursuant to art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.

Rome, 15 December 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei