Garante per la protezione dei dati personali (Italy) - 10213711

Summary

Italy's Data Protection Authority (Garante) found that Pioneer Hi-Bred Italia unlawfully monitored employees' driving behavior using satellite telematic devices installed in company cars. The company failed to provide transparent privacy information, lacked a proper lawful basis (legitimate interest), did not conduct required Data Protection Impact Assessments, and improperly shared employee data with other group entities without formal data processor agreements. The DPA ordered deletion of all collected data and imposed a €120,000 administrative fine for violations of Articles 5, 6, 13, 28, and 35 GDPR.

Full text

Help Garante per la protezione dei dati personali (Italy) - 10213711: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:32, 15 February 2026 view sourceCarloc (talk | contribs)678 edits Tag: Visual edit← Older edit Latest revision as of 08:31, 16 April 2026 view source Sfl (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators405 editsm Line 24: Line 24: |Date_Decided=18.12.2025|Date_Decided=18.12.2025 |Date_Published=|Date_Published= |Year=2035|Year=2025 |Fine=120000|Fine=120000 |Currency=EUR|Currency=EUR Latest revision as of 08:31, 16 April 2026 Garante per la protezione dei dati personali - 10213711 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 6(1)(f) GDPR Article 13 GDPR Article 28 GDPR Article 35 GDPR Type: Complaint Outcome: Upheld Started: Decided: 18.12.2025 Published: Fine: 120000 EUR Parties: n/a National Case Number/Name: 10213711 European Case Law Identifier: n/a Appeal: n/a Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: lde The DPA found that an employer unlawfully monitored its employees’ driving behavior through a satellite telematic system. The controller was ordered to delete the collected data and pay a €120,000 administrative fine. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Pioneer Hi-Bred Italia, the controller, installed telematic devices in company cars to monitor employees’ driving behavior. The initial privacy information provided to employees was vague and did not clearly identify the data controller, recipients, purposes, or lawful basis for processing. One of the employees of the company, as affected data subject, filed a complaint with the DPA. The controller, in its statement, claimed legitimate interest as the lawful basis for processing, including private trips, without performing a proper balancing of interests or a full Data Protection Impact Assessment. Employee data were also shared with supervisors and administrators from other group companies without formal designation as data processors or documented instructions. Furthermore, the system stored all data relating to the trips for 13 months. Holding The DPA held that Pioneer Hi-Bred Italia’s processing was unlawful, and imposed an administrative fine of €120,000. First, the DPA observed that the information provided to employees was neither transparent nor complete, failing to clearly indicate the controller, recipients, purposes, and lawful basis, in violation of Articles 5(1)(a), (b), (c) and 13 GDPR. Moreover, the company’s reliance on legitimate interest under Article 6(1)(f) GDPR was insufficient, as it did not conduct a proper balancing test to weigh its interests against employees’ fundamental rights and freedoms, nor did it perform an adequate Data Protection Impact Assessment under Article 35 GDPR. Lastly, the sharing of employee data with supervisors and administrators from other group companies occurred without formal designation as data processors or documented instructions, in breach of Articles 6 and 28 GDPR. Furthermore, the collection and storage of such data for 13 months exceeded what was necessary to achieve the stated purposes, violating the principles of purpose limitation and data minimisation under Articles 5(1)(b) and (c) GDPR. In light of this, the Authority ordered the deletion of all data collected via telematics devices, and imposed a €120,000 administrative fine. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. SEE ALSO NEWSLETTER of January 29, 2026 [web doc. no. 10213711] Measure of December 18, 2025 Register of Measures no. 755 of December 18, 2025 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Guido Scorza, members, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"); HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter the "Code"); HAVING SEEN the complaint filed pursuant to Article 77 of the Regulation against Pioneer Hi-Bred Italia Sementi s.r.l.; HAVING EXAMINED the documentation in the file; HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1/2000; REPORTER: Dr. Agostino Ghiglia; WHEREAS 1. The inspection activity carried out following the filing of a complaint with the Authority. On September 15, 2023, this Authority received a complaint, filed pursuant to Article 77 of the Regulation, alleging that, starting in June 2023, Pioneer Hi-Bred Italia Sementi s.r.l. (hereinafter "the Company") had decided to install a satellite telematics device on company vehicles assigned to its employees, capable of detecting drivers' driving behavior and using the data thus collected to assign an evaluation score. Given the sensitivity of the matter raised, the Authority ordered an on-site inspection pursuant to Articles 157 and 158 of the Code, in order to gather all necessary information to verify the compliance of the processing performed with the principles and provisions regarding the protection of personal data. The inspections were carried out on February 28 and 29, 2024, at the Company's headquarters by Authority personnel. During the inspection, it was preliminarily established that the Company is part of a multinational business group, owned by XX, as evidenced by the ordinary company records obtained during the inspection. The project to install telematics devices on vehicles used by employees for the purpose of recording driving behavior was initiated by XX, headquartered in Switzerland, and involved (at the date of the inspection) only the Italian companies belonging to the same group—XX, XX, and XX, later merged into XX—in addition to Pioneer Hi-Bred Italia Sementi s.r.l. In particular, it was found that the Swiss company had entered into a European leasing agreement with XX (a company with registered office in XX) for the leasing of vehicles and their equipment with satellite telematics devices. The contract, signed on May 12, 2021, includes an attached list of XX companies providing the service in each country where XX operates (Annex 3 to the minutes of February 28, 2024). Under this contract, the Italian companies Arval Service Lease Italia S.p.A. (hereinafter "Arval") and XX, on their own behalf and on behalf of the other Italian companies belonging to the XX group, have signed a commercial agreement that specifically governs the activation of the satellite telematics service called Arval Connect Essential on vehicles leased by Arval (Annex 4 to the minutes of February 28, 2024). The Arval Connect service is a satellite telematics service that provides the lessee, via a dedicated web platform, with a series of information collected from satellite telematics devices installed on leased vehicles. The information collected by the satellite devices varies depending on the service provided. In this case, the Italian companies of the XX group use the Essential service, which allows for the collection of information on all types of trips, both "professional" and "private," by collecting the date and time of departure and arrival, kilomete

Entities