[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwHX8qCAVTkbDlbVdP80rjBKEKpZ1QHl5drYA7QK4y7M":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"5976f384-df1d-4893-ab0b-1967d1950081","Garante per la protezione dei dati personali (Italy) - 382\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-382-2026-8f35c5","← Older revision Revision as of 10:04, 7 July 2026 Line 85: Line 85: === Holding === === Holding === The DPA first stated that the controller had complied with its information obligations. Following the collective bargaining agreement, the controller informed data subjects of how their data was going to be processed. In addition, the controller had included a notice on how their location data was processed. Therefore, the DPA did not find a violation of [[Article 13 GDPR|Article 13 GDPR]]. The DPA also noted that the controller had adjusted the interval of tracking vehicles from every 60 seconds to every 15 minutes. Finally, the DPA found that the data was stored for 6 months instead of the controller’s initial claim of 2 years. The DPA first stated that the controller had complied with its information obligations. Following the collective bargaining agreement, the controller informed data subjects of how their data was going to be processed. In addition, the controller had included a notice on how their location data was processed. Therefore, the DPA did not find a violation of [[Article 13 GDPR]]. The DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] (the principle of data minimisation). The DPA found that the controller systematically and continuously monitored employees assigned company vehicles, as they were tracked at very frequent intervals without allowing them to deactivate the tracking. The DPA found this frequent tracking particularly detrimental to data subjects’ rights and freedoms, because the controller was able to access real-time information on vehicle movements.(FOOTNOTE) The DPA considered that the controller processed more data than necessary for its purposes, and that it risked processing data related to data subjects’ personal lives. The controller’s need to ensure that hazardous materials are transported safely did not justify continuously monitoring employees, especially because the controller later increased the interval of monitoring to every 15 minutes. Finally, the DPA dismissed the argument that the controller only tracked vehicles and not data subjects. This is because the controller could identify the data subject at any time by checing the logbook inside the vehicles. The DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA found that the controller systematically and continuously monitored employees assigned company vehicles, as they were tracked at very frequent intervals without allowing them to deactivate the tracking. The DPA found this frequent tracking particularly detrimental to data subjects’ rights and freedoms, because the controller was able to access real-time information on vehicle movements. The DPA referred to the case law of the European Court of Human Rights (ECtHR) on how the right to private life (Article 8 of the ECHR) also extends to the workplace. See cases Niemietz v. Germany (13710\u002F88), para. 29; Copland v. the United Kingdom (62617\u002F00), para. 41; Barbulescu v. Romania [GC] (61496\u002F08), paras. 70–73 and 80; Antovic and Mirkovic v. Montenegro (No. 70838\u002F13), see para. 41–42 The DPA considered that the controller processed more data than necessary for its purposes, and that it risked processing data related to data subjects’ personal lives. The controller’s need to ensure that hazardous materials are transported safely did not justify continuously monitoring employees, especially because the controller later increased the interval of monitoring to every 15 minutes. Finally, the DPA dismissed the argument that the controller only tracked vehicles and not data subjects. This is because the controller could identify the data subject at any time by checing the logbook inside the vehicles. The DPA also found a violation of Articles 5(1)(a), (b), 6 and 88 GDPR. The DPA stated that a collective bargaining agreement was a necessary but not always sufficient condition for the data processing activities to be lawful. This means that the controller must comply with both labour and data protection legislation. Given the excessive amount of data processed, the DPA found that the controller did not have a legal basis to process this data. The DPA found that the controller also unlawfully further processed the location data of data subjects for disciplinary proceedings, in violation of the principle of purpose limitation. This is because the discplinary proceedings did not specifically concern the data subject’s movements detected by the tracking system, but rather the data subject’s failure to notify potentially dangerous situations that occurred during the performance of their duties. The DPA also found a violation of [[Article 5 GDPR|Articles 5(1)(a), (b),]] [[Article 6 GDPR|6]] and [[Article 88 GDPR|88 GDPR]]. The DPA stated that a collective bargaining agreement was a necessary but not always sufficient condition for the data processing activities to be lawful. This means that the controller must comply with both labour and data protection legislation. Given the excessive amount of data processed, the DPA found that the controller did not have a legal basis to process this data. The DPA found that the controller also unlawfully further processed the location data of data subjects for disciplinary proceedings, in violation of the principle of purpose limitation. This is because the discplinary proceedings did not specifically concern the data subject’s movements detected by the tracking system, but rather the data subject’s failure to notify potentially dangerous situations that occurred during the performance of their duties. Finally, the DPA found a violation of Articles 25 and 35 GDPR. The DPA found that the controller failed to choose a less invasive solution during the design phase. Therefore, its processing activities did not meet the requirements of privacy by design and default (Article 25 GDPR). The controller violated [[Article 35 GDPR|Article 35 GDPR]] by not conducting a data protection impact assessment (DPIA) before processing data subjects’ location data. This Article is linked to the principle of accountability (Article 5(2) GDPR). The controller’s awareness of data protection issues and evidence of introducing measures to protect data subjects was not sufficient to meet this requirement. Finally, the DPA found a violation of [[Article 25 GDPR|Articles 25]] and [[Article 35 GDPR|35 GDPR]]. The DPA found that the controller failed to choose a less invasive solution during the design phase. Therefore, its processing activities did not meet the requirements of privacy by design and default ([[Article 25 GDPR]]). The controller violated [[Article 35 GDPR]] by not conducting a data protection impact assessment (DPIA) before processing data subjects’ location data. The controller’s awareness of data protection issues and evidence of introducing measures to protect data subjects was not sufficient to meet this requirement. The DPA fined the controller €6,000. The DPA took into consideration the changes the controller had made during its investigations, including increasing the tracking intervals to every 15 minutes. The DPA fined the controller €6,000. The DPA took into consideration the changes the controller had made during its investigations, including adjusting the interval of tracking vehicles from every 60 seconds to every 15 minutes == Comment == == Comment ==","The Italian Data Protection Authority (Garante per la protezione dei dati personali) has fined a company €6,000 for violating GDPR principles. The company was found to have excessively tracked employees' company vehicles at frequent intervals, processing more data than necessary and infringing on data minimization and purpose limitation principles. The DPA also cited violations of privacy by design and the lack of a DPIA.","Italian DPA fines company €6,000 for excessive employee vehicle tracking.","Help Garante per la protezione dei dati personali (Italy) - 382\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 09:58, 7 July 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators724 edits Tag: submission [1.0] Latest revision as of 10:04, 7 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators724 editsmTag: Visual edit Line 85: Line 85: === Holding ====== Holding === The DPA first stated that the controller had complied with its information obligations. Following the collective bargaining agreement, the controller informed data subjects of how their data was going to be processed. In addition, the controller had included a notice on how their location data was processed. Therefore, the DPA did not find a violation of [[Article 13 GDPR|Article 13 GDPR]]. The DPA also noted that the controller had adjusted the interval of tracking vehicles from every 60 seconds to every 15 minutes. Finally, the DPA found that the data was stored for 6 months instead of the controller’s initial claim of 2 years. The DPA first stated that the controller had complied with its information obligations. Following the collective bargaining agreement, the controller informed data subjects of how their data was going to be processed. In addition, the controller had included a notice on how their location data was processed. Therefore, the DPA did not find a violation of [[Article 13 GDPR]]. The DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] (the principle of data minimisation). The DPA found that the controller systematically and continuously monitored employees assigned company vehicles, as they were tracked at very frequent intervals without allowing them to deactivate the tracking. The DPA found this frequent tracking particularly detrimental to data subjects’ rights and freedoms, because the controller was able to access real-time information on vehicle movements.(FOOTNOTE) The DPA considered that the controller processed more data than necessary for its purposes, and that it risked processing data related to data subjects’ personal lives. The controller’s need to ensure that hazardous materials are transported safely did not justify continuously monitoring employees, especially because the controller later increased the interval of monitoring to every 15 minutes. Finally, the DPA dismissed the argument that the controller only tracked vehicles and not data subjects. This is because the controller could identify the data subject at any time by checing the logbook inside the vehicles. The DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA found that the controller systematically and continuously monitored employees assigned company vehicles, as they were tracked at very frequent intervals without allowing them to deactivate the tracking. The DPA found this frequent tracking particularly detrimental to data subjects’ rights and freedoms, because the controller was able to access real-time information on vehicle movements.\u003Cref>The DPA referred to the case law of the European Court of Human Rights (ECtHR) on how the right to private life (Article 8 of the ECHR) also extends to the workplace. See cases Niemietz v. Germany (13710\u002F88), para. 29; Copland v. the United Kingdom (62617\u002F00), para. 41; Barbulescu v. Romania [GC] (61496\u002F08), paras. 70–73 and 80; Antovic and Mirkovic v. Montenegro (No. 70838\u002F13), see para. 41–42\u003C\u002Fref> The DPA considered that the controller processed more data than necessary for its purposes, and that it risked processing data related to data subjects’ personal lives. The controller’s need to ensure that hazardous materials are transported safely did not justify continuously monitoring employees, especially because the controller later increased the interval of monitoring to every 15 minutes. Finally, the DPA dismissed the argument that the controller only tracked vehicles and not data subjects. This is because the controller could identify the data subject at any time by checing the logbook inside the vehicles. The DPA also found a violation of Articles 5(1)(a), (b), 6 and 88 GDPR. The DPA stated that a collective bargaining agreement was a necessary but not always sufficient condition for the data processing activities to be lawful. This means that the controller must comply with both labour and data protection legislation. Given the excessive amount of data processed, the DPA found that the controller did not have a legal basis to process this data. The DPA found that the controller also unlawfully further processed the location data of data subjects for disciplinary proceedings, in violation of the principle of purpose limitation. This is because the discplinary proceedings did not specifically concern the data subject’s movements detected by the tracking system, but rather the data subject’s failure to notify potentially dangerous situations that occurred during the performance of their duties. The DPA also found a violation of [[Article 5 GDPR|Articles 5(1)(a), (b),]] [[Article 6 GDPR|6]] and [[Article 88 GDPR|88 GDPR]]. The DPA stated that a collective bargaining agreement was a necessary but not always sufficient condition for the data processing activities to be lawful. This means that the controller must comply with both labour and data protection legislation. Given the excessive amount of data processed, the DPA found that the controller did not have a legal basis to process this data. The DPA found that the controller also unlawfully further processed the location data of data subjects for disciplinary proceedings, in violation of the principle of purpose limitation. This is because the discplinary proceedings did not specifically concern the data subject’s movements detected by the tracking system, but rather the data subject’s failure to notify potentially dangerous situations that occurred during the performance of their duties. Finally, the DPA found a violation of Articles 25 and 35 GDPR. The DPA found that the controller failed to choose a less invasive solution during the design phase. Therefore, its processing activities did not meet the requirements of privacy by design and default (Article 25 GDPR). The controller violated [[Article 35 GDPR|Article 35 GDPR]] by not conducting a data protection impact assessment (DPIA) before processing data subjects’ location data. This Article is linked to the principle of accountability (Article 5(2) GDPR). The controller’s awareness of data protection issues and evidence of introducing measures to protect data subjects was not sufficient to meet this requirement.Finally, the DPA found a violation of [[Article 25 GDPR|Articles 25]] and [[Article 35 GDPR|35 GDPR]]. The DPA found that the controller failed to choose a less invasive solution during the design phase. Therefore, its processing activities did not meet the requirements of privacy by design and default ([[Article 25 GDPR]]). The controller violated [[Article 35 GDPR]] by not conducting a data protection impact assessment (DPIA) before processing data subjects’ location data. The controller’s awareness of data protection issues and evidence of introducing measures to protect data subjects was not sufficient to meet this requirement. The DPA fined the controller €6,000. The DPA took into consideration the changes the controller had made during its investigations, including increasing the tracking intervals to every 15 minutes.The DPA fined the controller €6,000. The DPA took into consideration the changes the controller had made during its investigations, including adjusting the interval of tracking vehicles from every 60 seconds to every 15 minutes == Comment ==== Comment == Latest revision as of 10:04, 7 July 2026 Garante per la protezione dei dati personali - 382\u002F2026 Authority: Garante per la protezione dei dati p","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_382\u002F2026&diff=52076&oldid=52075","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-07-07T10:04:35+00:00","2026-07-07T12:00:25.003153+00:00",7,[18],{"name":19,"type":20},"Garante per la protezione dei dati personali","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]