Italy: Garante fines Rebirth €15,000 for violation of information provision obligations
The Italian data protection authority ('Garante') issued, on 7 April 2022, its decision in Case No. 121, in which it imposed a fine of €15,000 to Rebirth S.r.l., for violations of Articles 5(1)(a) and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and Articles 114 and 157 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR ('the Code'), following a report by the Italian finance police.
Background to the decision
In particular, the Garante observed that it had been notified of the installation of a video surveillance system on the premises of the restaurant named 'Caffè Antica Roma', managed by Rebirth and allegedly not compliant with the rules on the protection of personal data. Given the above, the Garante noted that it had sent the company a request for information, and that it had launched an investigation in the absence of a response from Rebirth.
Findings of the Garante
Further to the above, the Garante found that 14 cameras were installed in the restaurant, in the absence of any notice providing information on their presence. Additionally, the Garante noted that the video surveillance system had been installed without prior authorisation from the Labor Inspectorate and from the relevant trade union.
Subsequently, the Garante outlined that such processing of personal data by means of video surveillance was in breach of Articles 5(1)(a) and 13 of the GDPR. Pursuant to Article 13 of the GDPR, the Garante noted that the data controller should have provided data subjects, prior to the start of the processing, with all information relating to the video surveillance.
Further to this, the Garante explained that, in the context of the employment relationship, the obligation to inform the employees about the presence of video surveillance in the workplace derives from Article 5(1)(a) of the GDPR. In particular, the Garante took the view that such surveillance violated the principle of lawfulness of processing, according to which the processing is lawful if it complies with the applicable sector regulations. Indeed, the Garante recalled Article 114 of the Code, which provides further protection of rights and freedoms with regard to the processing of personal data of workers, and establishes that such processing of data must occur in accordance with Article 4 of Law No. 300 of 1970. Thus, the Garante considered that the processing of personal data carried out by Rebirth, having failed to comply with the aforementioned provision, was therefore unlawful.
As such, the Garante imposed an administrative fine of €15,000 on Rebirth. In quantifying the amount of the fine, the Garante explained that it took into account, as an aggravating factor, Rebirth's failure to reply to the request for information sent pursuant to Article 157 of the Code.
In conclusion, the Garante highlighted that Rebirth has 30 days to settle the dispute by paying an amount equal to half of the sanction imposed. Lastly, the Garante outlined that, within the same timeframe, Rebirth may also lodge an appeal before the ordinary judicial authority.
You can read the decision, only available in Italian, here.