Garante per la protezione dei dati personali (Italy) - 382/2026
Italian DPA fines company for systematic employee vehicle tracking without consent or deactivation.
Summary
Italy's Data Protection Authority (Garante) issued decision 382/2026 against a controller for systematic and continuous monitoring of employees' company vehicles at frequent intervals (every 15 minutes) without allowing deactivation. The DPA found violations of Articles 5(1)(a), (b), (c), 6, 13, 25, 35, and 88 of GDPR, determining the tracking was excessive, lacked proper legal basis, violated purpose limitation, and failed privacy-by-design and DPIA requirements. The DPA rejected the employer's justification based on hazardous materials transport safety and ruled that collective bargaining agreements alone do not satisfy GDPR compliance.
Full text
Help Garante per la protezione dei dati personali (Italy) - 382/2026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 10:04, 7 July 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators724 editsmTag: Visual edit← Older edit Latest revision as of 13:36, 7 July 2026 view source Mba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators926 editsm Tag: Visual edit Line 87: Line 87: The DPA first stated that the controller had complied with its information obligations. Following the collective bargaining agreement, the controller informed data subjects of how their data was going to be processed. In addition, the controller had included a notice on how their location data was processed. Therefore, the DPA did not find a violation of [[Article 13 GDPR]]. The DPA first stated that the controller had complied with its information obligations. Following the collective bargaining agreement, the controller informed data subjects of how their data was going to be processed. In addition, the controller had included a notice on how their location data was processed. Therefore, the DPA did not find a violation of [[Article 13 GDPR]]. The DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA found that the controller systematically and continuously monitored employees assigned company vehicles, as they were tracked at very frequent intervals without allowing them to deactivate the tracking. The DPA found this frequent tracking particularly detrimental to data subjects’ rights and freedoms, because the controller was able to access real-time information on vehicle movements.<ref>The DPA referred to the case law of the European Court of Human Rights (ECtHR) on how the right to private life (Article 8 of the ECHR) also extends to the workplace. See cases Niemietz v. Germany (13710/88), para. 29; Copland v. the United Kingdom (62617/00), para. 41; Barbulescu v. Romania [GC] (61496/08), paras. 70–73 and 80; Antovic and Mirkovic v. Montenegro (No. 70838/13), see para. 41–42</ref> The DPA considered that the controller processed more data than necessary for its purposes, and that it risked processing data related to data subjects’ personal lives. The controller’s need to ensure that hazardous materials are transported safely did not justify continuously monitoring employees, especially because the controller later increased the interval of monitoring to every 15 minutes. Finally, the DPA dismissed the argument that the controller only tracked vehicles and not data subjects. This is because the controller could identify the data subject at any time by checing the logbook inside the vehicles. The DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA found that the controller systematically and continuously monitored employees assigned company vehicles, as they were tracked at very frequent intervals without allowing them to deactivate the tracking. The DPA found this frequent tracking particularly detrimental to data subjects’ rights and freedoms, because the controller was able to access real-time information on vehicle movements.<ref>The DPA referred to the case law of the European Court of Human Rights (ECtHR) on how the right to private life (Article 8 of the ECHR) also extends to the workplace. See cases Niemietz v. Germany (13710/88), para. 29; Copland v. the United Kingdom (62617/00), para. 41; Barbulescu v. Romania [GC] (61496/08), paras. 70–73 and 80; Antovic and Mirkovic v. Montenegro (No. 70838/13), see para. 41–42</ref> The DPA considered that the controller processed more data than necessary for its purposes, and that it risked processing data related to data subjects’ personal lives. The controller’s need to ensure that hazardous materials are transported safely did not justify continuously monitoring employees, especially because the controller later increased the interval of monitoring to every 15 minutes. Finally, the DPA dismissed the argument that the controller only tracked vehicles and not data subjects. This is because the controller could identify the data subject at any time by checking the logbook inside the vehicles. The DPA also found a violation of [[Article 5 GDPR|Articles 5(1)(a), (b),]] [[Article 6 GDPR|6]] and [[Article 88 GDPR|88 GDPR]]. The DPA stated that a collective bargaining agreement was a necessary but not always sufficient condition for the data processing activities to be lawful. This means that the controller must comply with both labour and data protection legislation. Given the excessive amount of data processed, the DPA found that the controller did not have a legal basis to process this data. The DPA found that the controller also unlawfully further processed the location data of data subjects for disciplinary proceedings, in violation of the principle of purpose limitation. This is because the discplinary proceedings did not specifically concern the data subject’s movements detected by the tracking system, but rather the data subject’s failure to notify potentially dangerous situations that occurred during the performance of their duties. The DPA also found a violation of [[Article 5 GDPR|Articles 5(1)(a), (b),]] [[Article 6 GDPR|6]] and [[Article 88 GDPR|88 GDPR]]. The DPA stated that a collective bargaining agreement was a necessary but not always sufficient condition for the data processing activities to be lawful. This means that the controller must comply with both labour and data protection legislation. Given the excessive amount of data processed, the DPA found that the controller did not have a legal basis to process this data. The DPA found that the controller also unlawfully further processed the location data of data subjects for disciplinary proceedings, in violation of the principle of purpose limitation. This is because the disciplinary proceedings did not specifically concern the data subject’s movements detected by the tracking system, but rather the data subject’s failure to notify potentially dangerous situations that occurred during the performance of their duties. Finally, the DPA found a violation of [[Article 25 GDPR|Articles 25]] and [[Article 35 GDPR|35 GDPR]]. The DPA found that the controller failed to choose a less invasive solution during the design phase. Therefore, its processing activities did not meet the requirements of privacy by design and default ([[Article 25 GDPR]]). The controller violated [[Article 35 GDPR]] by not conducting a data protection impact assessment (DPIA) before processing data subjects’ location data. The controller’s awareness of data protection issues and evidence of introducing measures to protect data subjects was not sufficient to meet this requirement.Finally, the DPA found a violation of [[Article 25 GDPR|Articles 25]] and [[Article 35 GDPR|35 GDPR]]. The DPA found that the controller failed to choose a less invasive solution during the design phase. Therefore, its processing activities did not meet the requirements of privacy by design and default ([[Article 25 GDPR]]). The controller violated [[Article 35 GDPR]] by not conducting a data protection impact assessment (DPIA) before processing data subjects’ location data. The controller’s awareness of data protection issues and evidence of introducing measures to protect data subjects was not sufficient to meet this requirement. Latest revision as of 13:36, 7 July 2026 Garante per la protezione dei dati personali - 382/2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 13 GDPR Article 25 GDPR Article 35 GDPR Article 88 GDPR Type: Complaint Outcome: Upheld Started: Decided: 28.05.2026 Published: Fine: 6,000 EUR Parties: Liguria Health Protection Agency National Case Number/Name: 3