Garante per la protezione dei dati personali (Italy) - 382/2026
Italian DPA fines Liguria Health Protection Agency €6,000 for unlawful employee monitoring.
Summary
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has fined the Liguria Health Protection Agency €6,000 for unlawfully monitoring employees via a vehicle tracking system. The agency also improperly used this data for disciplinary proceedings. While the DPA found the agency met its information obligations, it violated data minimization principles by continuously tracking employees at frequent intervals, potentially infringing on their privacy.
Full text
Help Garante per la protezione dei dati personali (Italy) - 382/2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 09:58, 7 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators724 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 09:58, 7 July 2026 Garante per la protezione dei dati personali - 382/2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 13 GDPR Article 25 GDPR Article 35 GDPR Article 88 GDPR Type: Complaint Outcome: Upheld Started: Decided: 28.05.2026 Published: Fine: 6,000 EUR Parties: Liguria Health Protection Agency National Case Number/Name: 382/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined a health agency €6,000 for unlawfully and continuously monitoring employees through a tracking system placed in its vehicles. The agency also unlawfully further processed this data for disciplinary proceedings against an employee. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A data subject filed a complaint before the DPA against the Liguria Health Protection Agency (the controller). The data subject was employed by the Ligurian Social and Health Care Agency, however, the organisation was later merged with the controller. According to the data subject, the controller initiated discliplinary proceedings and suspended them based on data collected unlawfully through a tracking system in the company vehicle. The data subject also argued that the controller did not sufficiently inform employees that their location was being tracked through the company vehicles. The DPA received several complaints from other data subjects, and joined the complaints. The controller argued that the geolocation system was a measure to protect its assets, to optimise the management of its vehicles, and to ensure worker safety (e.g. to ensure that an employee followed the route while carrying hazardous materials). The controller argued that it did not process employees’ personal data, as it tracked the vehicles themselves and did not link the vehicle with the employee. Finally, the controller argued that the tracking was in compliance with its workers’ statutes. Holding The DPA first stated that the controller had complied with its information obligations. Following the collective bargaining agreement, the controller informed data subjects of how their data was going to be processed. In addition, the controller had included a notice on how their location data was processed. Therefore, the DPA did not find a violation of Article 13 GDPR. The DPA also noted that the controller had adjusted the interval of tracking vehicles from every 60 seconds to every 15 minutes. Finally, the DPA found that the data was stored for 6 months instead of the controller’s initial claim of 2 years. The DPA found a violation of Article 5(1)(c) GDPR (the principle of data minimisation). The DPA found that the controller systematically and continuously monitored employees assigned company vehicles, as they were tracked at very frequent intervals without allowing them to deactivate the tracking. The DPA found this frequent tracking particularly detrimental to data subjects’ rights and freedoms, because the controller was able to access real-time information on vehicle movements.(FOOTNOTE) The DPA considered that the controller processed more data than necessary for its purposes, and that it risked processing data related to data subjects’ personal lives. The controller’s need to ensure that hazardous materials are transported safely did not justify continuously monitoring employees, especially because the controller later increased the interval of monitoring to every 15 minutes. Finally, the DPA dismissed the argument that the controller only tracked vehicles and not data subjects. This is because the controller could identify the data subject at any time by checing the logbook inside the vehicles. The DPA also found a violation of Articles 5(1)(a), (b), 6 and 88 GDPR. The DPA stated that a collective bargaining agreement was a necessary but not always sufficient condition for the data processing activities to be lawful. This means that the controller must comply with both labour and data protection legislation. Given the excessive amount of data processed, the DPA found that the controller did not have a legal basis to process this data. The DPA found that the controller also unlawfully further processed the location data of data subjects for disciplinary proceedings, in violation of the principle of purpose limitation. This is because the discplinary proceedings did not specifically concern the data subject’s movements detected by the tracking system, but rather the data subject’s failure to notify potentially dangerous situations that occurred during the performance of their duties. Finally, the DPA found a violation of Articles 25 and 35 GDPR. The DPA found that the controller failed to choose a less invasive solution during the design phase. Therefore, its processing activities did not meet the requirements of privacy by design and default (Article 25 GDPR). The controller violated Article 35 GDPR by not conducting a data protection impact assessment (DPIA) before processing data subjects’ location data. This Article is linked to the principle of accountability (Article 5(2) GDPR). The controller’s awareness of data protection issues and evidence of introducing measures to protect data subjects was not sufficient to meet this requirement. The DPA fined the controller €6,000. The DPA took into consideration the changes the controller had made during its investigations, including increasing the tracking intervals to every 15 minutes. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. [web doc. no. 10259916] Measure of May 28, 2026 Register of Measures No. 382 of May 28, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; CONSIDERING Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, the "Regulation"); SEEN Legislative Decree 30 June 2003, n. 196 of 30 April 2019, containing the "Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the "Code"); CONSIDERING Regulation No. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with Resolution No. 98 of 4 April 2019, published in the Official Journal No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter "Data Protection Authority Regulation No. 1/2019"); Having seen the documents in the file; Having seen the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guara