Background information

• Date of final decision: 28 October 2021
• Cross-border case or national case: National case
• Controller: TPER Trasporto Passeggeri Emilia Romagna S.p.A.
• Legal Reference: GDPR: Article 5 (Principles applying to personal data processing); Article 6 (Lawfulness of processing); Article 13 (Information); Article 25 (Privacy by default and by design); Article 32 (Security of processing); Article 88 (Processing in the context of employment); Italian DP Code: Section 114 (Safeguards applying to remote surveillance)
• Decision: Finding of infringements of GDPR and Italian law, imposition of administrative fine
• Key words: Employer-employee relations; remote surveillance; customer care service; inbound calls management; trade union agreements; data minimization                          

Summary of the Decision

Origin of the case

The case originated from a complaint by an employee of the company TPER (public transports operator), which concerned the processing of personal data relating to the company’s call centre operators by way of the inbound calls management system.

Key Findings:

The company had implemented a system to manage inbound customer care calls which also enabled processing personal data relating to the call centre operators.

The investigations by the Italian SA showed that the employees had not been informed adequately about the processing, and that the system in question allowed recording and replaying phone calls as well as storing, for an unspecified period, additional information on the individual operators’ activities such as call duration, called numbers, date and time of each call. Since the software allowed the remote surveillance of workers, its deployment was to be made conditional on the enhanced safeguards set out in this respect by national law pursuant to Article 88 GDPR – namely, either an ad-hoc agreement with trade unions or an authorisation by the competent inspectorate for labour.

The Italian SA found that the company had processed its employees’ data in breach of sector-specific national law and the general principles of lawfulness, data minimisation, and storage limitation; the company had also failed to implement adequate technical and organisational measures to ensure data confidentiality and integrity.

Decision:

The Italian SA fined the company EUR 30,000 taking also account of the cooperation provided in the course of the fact-finding activities; the company had immediately discontinued the processing following the on-site inspection.

The Italian SA reiterated in its decision that a controller relying on products or services made available by third parties was required in all cases to check conformity with data processing principles, also with the DPO’s help where available, and to take the appropriate technical and organisational measures whilst instructing the service providers as necessary in accordance with the accountability principle.

For further information: decision in national language "Ordinanza ingiunzione nei confronti di TPER Trasporto Passeggeri Emilia Romagna S.p.A. - 28 ottobre 2021"