DATA PROTECTION
Italian Data Protection: use of facial recognition to check the attendance of employees is forbidden.
Facial recognition to check attendance in the workplace violates the privacy of employees. There is currently no national regulation allowing the use of biometric data, as required by the GDPR, to carry out such an activity.
For this reason, the Italian Data Protection Authority fined five companies - engaged in various capacities at the same waste disposal site - for unlawfully processing the biometric data of a large number of employees.
The Authority, which intervened following complaints from several employees, also highlighted the particular risks for workers' rights related to the use of facial recognition systems, in the light of the rules and guarantees provided for in both national and European legislation.
The inspection activities of the Garante also revealed further violations by companies. In particular, the Authority ascertained that three companies had shared the same biometric detection system for more than a year, without having adopted adequate technical and security measures. Moreover, the same 'system', which the Authority considered to be unlawful, was used at nine other locations where one of the sanctioned companies operated. Lastly, the companies had not provided clear and detailed information to workers, nor had they carried out the impact assessment required by privacy legislation.
The companies, in the opinion of the Garante, should have more appropriately used less invasive systems to control the presence of their employees and collaborators in the workplace (such as badges). In addition to the payment of fines, the Garante ordered the deletion of illegally collected data.
For this reason, the Italian Data Protection Authority fined five companies - engaged in various capacities at the same waste disposal site - for unlawfully processing the biometric data of a large number of employees.
The Authority, which intervened following complaints from several employees, also highlighted the particular risks for workers' rights related to the use of facial recognition systems, in the light of the rules and guarantees provided for in both national and European legislation.
The inspection activities of the Garante also revealed further violations by companies. In particular, the Authority ascertained that three companies had shared the same biometric detection system for more than a year, without having adopted adequate technical and security measures. Moreover, the same 'system', which the Authority considered to be unlawful, was used at nine other locations where one of the sanctioned companies operated. Lastly, the companies had not provided clear and detailed information to workers, nor had they carried out the impact assessment required by privacy legislation.
The companies, in the opinion of the Garante, should have more appropriately used less invasive systems to control the presence of their employees and collaborators in the workplace (such as badges). In addition to the payment of fines, the Garante ordered the deletion of illegally collected data.
