Back to Feed
GDPRJul 16, 2026

Garante per la protezione dei dati personali (Italy) - 10128005

Italy's DPA fines regional agricultural agency €50K for unlawful employee geolocation tracking during remote work.

Summary

Italy's Data Protection Authority (Garante) fined Azienda regionale per lo sviluppo dell'agricoltura calabrese €50,000 for systematically collecting precise location data of remote work employees without proper legal basis or transparency. The DPA found violations of GDPR Articles 5 (lawfulness, data minimization), 13 (transparency), and 25 (privacy by design), as well as Italian labor law. The authority clarified that employers cannot use unlawfully collected data in disciplinary proceedings.

Full text

Help Garante per la protezione dei dati personali (Italy) - 10128005: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 07:10, 2 June 2025 view sourceCci (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators1,003 editsm Tag: Visual edit← Older edit Latest revision as of 12:08, 16 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators170 editsTag: Visual edit Line 62: Line 62: |EU_Law_Link_6=|EU_Law_Link_6= |National_Law_Name_1=Article 18, L. 81/2017|National_Law_Name_1=Article 18 Italian Legge 81/2017 |National_Law_Link_1=https://www.gazzettaufficiale.it/eli/id/2017/06/13/17G00096/sg|National_Law_Link_1=https://www.gazzettaufficiale.it/eli/id/2017/06/13/17G00096/sg |National_Law_Name_2=Article 4, L. 300/1970|National_Law_Name_2=Article 4 Italian Legge 300/1970 |National_Law_Link_2=https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:1970-05-20;300|National_Law_Link_2=https://www.gazzettaufficiale.it/eli/id/1970/05/27/070U0300/sg |National_Law_Name_3=|National_Law_Name_3= |National_Law_Link_3=|National_Law_Link_3= Line 125: Line 125: Additionally, the DPA found that the systematic collection of precise location information, went beyond what was necessary for managing remote work arrangements. So, the monitoring violated the principle of data minimisation as well as Article 113 of the Italian Data Protection Code.Additionally, the DPA found that the systematic collection of precise location information, went beyond what was necessary for managing remote work arrangements. So, the monitoring violated the principle of data minimisation as well as Article 113 of the Italian Data Protection Code. Finally, the DPA found violations of the transparency requirements under [[Article 13 GDPR|Article 13 GDPR]] because the controller's documentation did not contain all essential information required. Additionally, the documentation containing the information, was never meant to serve as a privacy notice and was drafted to fulfill different obligations.Finally, the DPA found violations of the transparency requirements under [[Article 13 GDPR]] because the controller's documentation did not contain all essential information required. Additionally, the documentation containing the information, was never meant to serve as a privacy notice and was drafted to fulfill different obligations. == Comment ==== Comment == Latest revision as of 12:08, 16 July 2026 Garante per la protezione dei dati personali - 10128005 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 13 GDPR Article 25 GDPR Article 35 GDPR Article 88 GDPR Guidelines 3/2019 on processing of personal data through video devicesGuidelines 4/2019 on Article 25 Data Protection by Design and by DefaultGuidelines on Consent under Regulation 2016/679Opinion 2/2017 on data processing at workArticle 18 Italian Legge 81/2017Article 4 Italian Legge 300/1970 Type: Complaint Outcome: Upheld Started: Decided: 13 March 2025 Published: Fine: 50,000 EUR Parties: Azienda regionale per lo sviluppo dell'agricoltura calabrese National Case Number/Name: 10128005 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: Garante per la protezione dei dati personali (in IT) Initial Contributor: ligialagev The DPA fined a local public entity €50,000 for unlawfully geo-tracking employees during remote work in order to monitor compliance with workplace agreements. The DPA clarified that employers cannot bring disciplinary proceedings based on unlawfully collected data. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The Calabrian Regional Agency for Agricultural Development (the controller) implemented a remote work policy that required employees to use a time-tracking application called "Time Relax" when working remotely. The application required employees to enable location services on their devices and collected their precise geographical coordinates during clock-in and clock-out procedures. The controller used this geolocation data to verify that employees were working from locations specified in their individual remote work agreements. In addition to routine location tracking during daily time-stamping, the controller conducted targeted inspections of specific employees. During these inspections, an officer would call the employee during their availability hours and request them to perform double time-stamping (clock-in and clock-out) through the Time Relax application. The employee was then required to send an email declaring their exact location during the inspection. The officer would subsequently verify whether the declared location matched both the email declaration and the location data recorded by the application. An employee of the controller (the data subject) was subjected to such an inspection. The controller found discrepancies found between their declared work location in the remote work agreement and their actual location during the inspection. On these grounds, the controller initiated disciplinary proceedings against the data subject. The data subject filed a complaint with the DPA, alleging violations of data protection principles. Additionally, the Department of Public Administration reported the controller's practices to the DPA. During the proceedings, the controller claimed that the monitoring was carried out with the consent of its employees. The controller also pointed out that its monitoring system was implemented in agreement with trade union representatives, as required under Italian labor law. Holding Overall, the DPA found violations of Articles 5(1)(a), (b) and (c), and 6 GDPR, as well as Article 113 of the Italian Data Protection Code[1]. On these grounds, the DPA issued a €50,000 fine. On purpose limitation and Italian law The DPA clarified that the remote monitoring of employees is prohibited in Italian law, with limited exemptions when the monitoring is necessary for legally specified purposes ("for organisational and productive necessities"; "for workplace safety"; "for the protection of company assets")[2]. The DPA held that in the case at hand, remote monitoring did not fall under an exemption and was illegal under the Italian law. For this reason, the DPA concluded that the processing violated the principle of purpose limitation (Article 5(1)(b) GDPR), as it pursued an illegal purpose under Italian law. In this regard, the DPA held it irrelevant that trade union representatives agreed to the monitoring system beforehand. The DPA clarified that data protection law and labor law are complementary. So, an agreement with trade union representatives did not exempt the controller from complying with the GDPR. On the DPA's other findings Second, the DPA held that the controller could not collect valid consent from its employees. In this regard, the DPA referenced EDPB and WP29 guidance, as well as the DPA's own case law. Furthermore, because the collection of personal data was unlawful, the further processing of the same data for the purpose of bringing discliplinary proceedings against the data subject, was also unlawful. Therefore, the further processing of personal data in the context of disciplinary proceedings, violated Articles 5(1)(a), (b) and 6 GDPR. In this regard, the DPA referenced Recital 50 of the GPDR as well as the Italian data protection code[3]. The DPA also considered that the controller failed to conduct a Data Protection Impact Assessment (DPIA). Given that processing employee geolocation data in remote work contexts presents high risks to rights and freedoms, particularly considering the vulnerability of employees in workplace contexts and the syst

Entities

Garante per la protezione dei dati personali (vendor)Azienda regionale per lo sviluppo dell'agricoltura calabrese (vendor)