On January 16, 2025, the Italian Data Protection Authority (i.e. “Garante per la protezione dei dati personali”) issued a decision, publicly disclosed through its institutional newsletter on March 21, 2025, imposing a fine of €50,000 on a transport company for unlawfully monitoring approximately 50 employees using a GPS system installed in company vehicles. The Authority identified several violations following the receipt of a complaint filed by a former employee, who (i) complained about not having received the information required under Article 13 of Regulation (EU) 2016/679 (the “Regulation”) on personal data protection, and (ii) reported the failure of the employer to activate the guarantee procedure as required under Article 4 of Law No. 300/1970 (i.e. “Workers Statute” or in Italian parlance “Statuto dei Lavoratori”).
The investigation revealed that the GPS system had been installed for the protection of company assets, workplace safety, and organizational and production needs, as indicated in the authorization request submitted to the relevant Territorial Labor Inspectorate (i.e. “ITL”). Specifically, the system allowed the Company to acquire information about the vehicle’s location, its status (on or off), telemetry data, and indirectly, the drivers’ activities. This information was continuously collected by the system, though delayed by 3/5 minutes, and included work breaks. All data were retained for a period of 180 days.
Based on the findings, the Italian Data Protection Authority observed that:
- The collection of information, such as tracking the vehicle’s location during work breaks, allows for continuous monitoring of employee activities, violating the data minimisation principle (Article 5, para. 1(c) of the Regulation), which requires that the data collected be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The Italian Data Protection Authority also emphasized that the vehicle’s location should generally not be monitored continuously, but only when necessary to achieve legitimate business purposes.
- The retention of the data for an extended period is not in compliance with the principles of data minimisation and data retention limitation.
- The specific functionalities of the GPS system did not conform to the guarantees set out in the authorization granted by the Territorial Labor Inspectorate, particularly concerning the non-continuous monitoring of the geolocated vehicle, data anonymization, and the adoption of technological solutions to prevent “the processing of excessive, irrelevant, or unnecessary data beyond the purposes pursued by the data controller”.
In summary, the data processing was conducted in violation of both privacy regulations and the authorization granted, thereby contravening the principle of lawfulness of processing.
Considering the numerous and serious violations identified, the Authority imposed a €50,000 fine on the company and ordered it to provide proper notification to employees and to align its GPS data practices with the guarantees prescribed in the authorization issued by the Territorial Labor Inspectorate.