ARTICLE
13 August 2024

Remote Monitoring And Unlawful Processing Of Employees' Biometric Data: The Authority Fines Automobile Concessionaire Company


The Italian Data Protection Authority has fined a company specializing in car retailing for unlawfully processing its employees' biometric data and carrying out remote monitoring of workers without a collective agreement or authorization from the labor inspectorate.

Preamble

The protection of employees' personal data is crucially relevant in a socio-economic environment characterized by the increasing use of advanced and digital technologies in the workplace. Protecting the confidentiality and special data of employees not only meets legal and regulatory requirements, but is also a key element in ensuring respect for the dignity and fundamental rights of individuals. For these reasons, the issue has caught the attention of the Italian Data Protection Authority (“Authority”), which, on several occasions in recent years, has adopted multiple sanctioning measures against companies and businesses that violated current regulations. The use of instruments that allow the control of workers' actions is forbidden by Art. 4 of Law No. 300/1970 ("Workers' Statute"), which, in its original wording, established an explicit ban on the use of “audiovisual systems and other equipment for the purpose of remote control of workers”. This wording was amended by Legislative Decree 151/2015, the so-called "Jobs Act," which required employers to sign a collective agreement or obtain an authorization from the labor inspectorate before setting up audiovisual equipment or instruments through which it is also possible to remotely supervise employees.

The case in point

The sanction adopted by the Authority with the order of June 6, 2024 was against a company specializing in car retailing, which employs a total of 40 employees distributed in the establishments of Modica and Ragusa.

Following the complaint filed by one of the workers on October 5, 2021, the Authority opened an investigation and found that the company, through the use of the software called “Infinity DMS” and the hardware called “X-Face 380”, was carrying out invasive control over workers, without a union agreement or administrative authorization, and in defiance of the general principles of Regulation (EU) 2016/679 (“GDPR” or “Regulation”).

The complainant reported that, through the use of the “Infinity DMS” software, each employee was required, from the beginning of the workday, to record the tasks, times, and ways of working on assigned repair vehicles, including downtime, with the reason for it, e.g., “breaks” to indicate work stoppages; “picking up external parts”; “waiting for parts”.

The system named “X-Face 380”, on the other hand, which was installed at both production sites, regulated access to workplaces through a facial recognition system.

The audit, conducted with the cooperation of the Privacy Protection and Technological Fraud Unit of the Guardia di Finanza, led the Authority to open sanctioning proceedings. In substance, it was ascertained that the company, since December 2018, had been using a facial recognition system based on the processing of biometric data, which, according to Article 9, par. 1, GDPR, is, as a rule, prohibited, unless one of the exceptions in paragraph 2 of the same article applies. In this case, the company had considered basing the processing on the legal basis of consent, which was requested from employees when the information notice under Art. 13 of the GDPR was provided. The Authority, therefore, found, in the first instance, a violation of Article 9, par. 2, lett. b, of the GDPR, because consent cannot be a suitable legal basis. In fact, it is necessary to ascertain concretely, and on a case-by-case basis, the actual freedom of the consent expressed, in light of the asymmetry between the respective parties to the employment relationship. In addition, the Authority has pointed out that the processing of biometric data for the purpose of tracking employee presence in the workplace violates the principles of minimization and proportionality set forth in Article 5, par. 1, lett. c, of the GDPR, which requires that data be relevant, adequate and limited to what is necessary in relation to the purposes for which they are processed. In addition to the violations outlined above, there is the retention of employees' biometric data in clear violation of the principle of purpose limitation (Art. 5, par. 1, lett. b GDPR).

Indeed, the company, in the course of the inspection and in the documentation produced during the preliminary investigation, stated that the data in question were kept until the termination of the employment relationship, in clear contrast to the Authority's provision of 12.11.2014, which, although it refers to the previous legislation, is still applicable in its general lines and complies with the principles of the Regulation. This provision states that "Biometric samples used in the creation of the biometric template may be processed only during the registration and acquisition stages necessary for biometric comparison and shall not be stored except for the time strictly necessary for the generation of the template itself."

Regarding the “Infinity DMS” software, despite the company's evasive responses, the Authority found that employees had received an incomplete disclosure document, which was inadequate to fully represent the processing carried out and its purpose.

For its part, the company classified the software in question as a work tool aimed at improving the quality and efficiency of its business, which in its view justified its installation since 2013 notwithstanding the violation of the limitations established in Article 4 of the Workers' Statute.

The gravity, kind and duration of the violations committed - together with the company's uncooperative behavior and persistent processing even after the procedure was started - led the Italian Data Protection Authority to order the company to: a) pay an administrative penalty of €120,000; b) bring the processing of data carried out through the software "Infinity DMS" into compliance with the provisions and general principles on the processing of personal data within 90 days from the notification of the order; c) immediately cease the processing of employees' biometric data through the facial recognition system "X-Face 380."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
