Italy: Garante fines Enna €30,000 for unlawful employee monitoring fingerprint system
The Italian data protection authority ('Garante') announced, on 19 February 2021, its decision to fine Enna Provincial Health Authority €30,000 for the use of an attendance monitoring system based on the processing of employees' biometric data. In particular, following its investigation, the Garante found that, through its attendance monitoring system, Enna had collected data from fingerprints of over 2,000 employees, which was subsequently stored in an encrypted form in employees' badges, and that, through this system, by presenting the fingerprints, the employee's registration number, as well as the date and time of stamping, were transmitted to the employee attendance management system.
Further to this, the Garante found that there had not been adequate legal basis for processing employees' biometric data, that employees' consent could not be considered as valid consent due to the dynamics of the working relationships, and that Enna had not provided adequate information on the processing of employees' biometric data. Therefore, the Garante considered that Enna had violated Articles 5(1)(a), 6 and 9 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In addition to the fine, the Garante ordered Enna to stop using the biometric processing system it had in place.