On May 18, 2016, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) issued an order allowing for the processing of personal geo-localization data collected through the employees’ smartphones.
An Italian company, SITE S.p.A., submitted a preliminary request for examination by the DPA concerning the processing of personal data gathered by activating a geo-location application installed on the company's smartphones supplied to employees working outside the business's premises. The application would register the starting and ending time, lunch hour, and weather events affecting the area where the employee worked in order to calculate compensation and dues.
The company that designed the application would not have access to the collected data, and the information would be stored within the company’s personnel management system. Access to the data would be granted only to selected individuals and the information would be collected just for a brief period.
The system would not allow interactions with other information on the smartphone and the company ensured that it would set up appropriate security measures for the handling of the data.
The DPA balanced the interests at stake and deemed lawful the processing of data concerning the employee’s geographical location to calculate salaries and benefits. It also deemed the processing to be relevant for the stated purposes, as well as secure. It considered the retention period to be appropriate.
The DPA concluded by indicating a series of requirements that the company had to meet for the processing to be legitimate, including among others the duty to:
- ensure that the application handled only the mentioned geo-localization data and no other data (e.g. telephone/Internet traffic, emails, etc.);
- design an icon clearly visible on the device screen indicating that the app is working and the localization functionality is active;
- limit data access to the processor in charge, limit that processor's right to modify and extract the data, and record the processor's accesses and the type of operation performed;
- identify deadlines for the deletion of the data temporarily stored on the employee’s device.
Finally, the order recalled the need to notify the DPA of the data processing, pursuant to Italian data protection laws.
For more information, contact Francesca Giannoni-Crystal.