Garante per la protezione dei dati personali (Italy) - 9542071

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 9 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 14.01.2021
Fine: 30000 EUR
Parties: n/a
National Case Number/Name: 9542071
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: Davide C.

The Italian DPA (Garante) imposed a fine of € 30,000 on a local public health body for using an attendance detection system based on biometric data of employees.

English Summary

Facts

Following news reports in 2019 about the adoption of a system based on biometric data to record employees' attendance, the Garante opened an investigation into the Provincial Health Department (ASP) of Enna. According to the ASP: (a) the collection of biometrics did not constitute processing of personal data, since it begins (in an automated manner) if and only when the employee initiates the process himself by carrying out two physical operations that are under his personal and exclusive control (placing the badge on the reader and placing the fingertip on the scanner); (b) the ASP had informed employees of the adoption of this attendance-recording measure and of the related collection of biometric data; (c) the processing was based on employees' consent and followed the requirements of Law n. 56/2019, aimed at preventing absenteeism.


Dispute

Holding

The Italian DPA rejected the arguments of the ASP, holding that: (a) the ASP - even though it did not store the biometric data of the data subjects in a centralised database, but only on portable devices with adequate cryptographic capabilities (badges with smart card functions) entrusted to the direct and exclusive custody of each data subject - nevertheless carried out processing of biometric data, which (as confirmed by the ASP itself) are collected, albeit for a very short time, within the system used to record attendance. This applies both at the enrolment stage (acquisition of the fingerprints) and at the recognition stage (detection of employees' attendance); (b) employees were not duly informed of the essential details required by Article 13 GDPR; (c) the processing did not rely on an adequate legal basis, as consent is not valid in the employment context because of the imbalance in the relationship between employee and employer.

Following the findings of the DPA, the ASP stopped collecting employees' biometric data. However, there is no evidence that the fingerprints already stored as biometric templates in the badges issued to staff have been deleted. The Garante therefore ordered the deletion of such data and imposed a fine of € 30,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.