With Decisions nos. 105, 106, 107, 108, 109 of 22 February 2024, The Italian Data Protection Authority (‘IDPA’) sanctioned five companies (with fines up to €70,000.00) for unlawful processing of biometric data of a large number of employees, and specifically for using facial recognition systems to check the presence of employees in the workplace.
These sanctions stemmed from an investigation by the IDPA originated from certain complaints filed by some employees. The inspection activities, carried out in cooperation with the Special Privacy and Technological Fraud Unit of the Italian Financial Police (“Guardia di Finanza”), brought to light particular risks for employees’ rights connected to the use of facial recognition systems, involving a principle common to all the investigations: facial recognition to check the presence of employees in the workplace violates their privacy.
The violations thus found related to:
1) the absence of privacy notice pursuant to Article 13 GDPR;
2) the absence of an agreement between the parties pursuant to Article 28 GDPR;
3) the failure to have entered the processing in the Register of Processing Activities as a “generalised obligation” pursuant to Article 30 GDPR and consequently for not having chosen adequate security measures pursuant to Article 32 GDPR;
4) not having carried out a DPIA ex art. 35 GDPR.
The IDPA therefore ordered the above companies to:
– suspend the use of biometric systems to check employees’ attendance at work, and
– use less privacy-invasive systems to check presence of employees at work.