By order no. 226 of 18 May 2016, the Italian Data Protection Authority (DPA) issued a decision on the processing of personal data carried out through the localisation of company smartphones given to employees.

Click here to view image.

The ruling was issued in the framework of a preliminary assessment requested to the DPA pursuant to art. 17 of the Italian Data Protection Code (the Code) by an Italian company willing to install an application for geo-localisation on the company smartphones of employees carrying out their work out of the company premises. This app would collect times of start and end of work, lunch breaks and bad weather events, combined with the geographical location of the employee. The data thus collected would be stored in the company’s computer system for the management of employees, and would be used to calculate pay slips and allowances for travel and subsistence, as well as to check the location of weather events that prevent work performance, which the company must indicate in the request for redundancy pay for bad weather. The app would also allow the employee to manually enter the data in case of malfunction, and may be turned off for non-working periods.

In the decision in question, the DPA first highlighted that “personal data relating to geo-localisation should be processed by adopting particular caution” and that “smartphones are intended to ‘follow’ the person in their possession, regardless of the distinction between work and non-work time“, which is why such processing “entails risks for the freedom, rights and dignity of the employee“.

In the present case, however, the DPA concluded that the processing outlined by the company was legitimate, provided that it complied with the rules established by the DPA in the same decision under examination.

The DPA in fact noted that “in general terms the purposes of the proposed processing are lawful” and that the company had duly signed with the trade unions the agreement required by art. 114 of the Code and art. 4 of the Workers’ Statute (law no. 300/70), according to which “the control plants and devices that are required by organisational and production requirements or by occupational safety requirements, but from which also the possibility of remote control of the employees’ activities derives, can only be installed upon agreement with the trade unions“. In addition, according to the DPA, such processing “is consistent with the principles of relevance and no surplus of the processed data with respect to the aims pursued“. As regards its implementation, “the alternative procedure for the case of malfunction of the device (including for lack of or insufficient GPS coverage), the permitted deactivation of the application outside of working hours and for lunch breaks, and the overall system not allowing the detection of geographical localisation outside the established cases are proportionate“.

The DPA then pointed out, as to the data retention time, that:

  1. the data which by law must be recorded in the “single employment ledger” shall be kept for five years as per the provisions applicable to the latter;
  2. the data required to enforce or defend the company’s rights in court shall be kept for the time necessary to this end;
  3. the data related to the impossibility of performing work due to bad weather shall be kept for the time required by the provisions on redundancy pay for bad weather.

In conclusion, the DPA indicated the requirements that the company had to meet for the processing to be legitimate, including in particular to:

  1. ensure that the application only handles geo-localisation data and no other data (e.g. telephone / Internet traffic, texts, emails etc.);
  2. make sure that an icon is always clearly visible on the device screen indicating that the localisation functionality is active, even when working in the background;
  3. limit as much as possible the data processors in charge of editing and extracting the data from the company’s computer system, and record their access to the data via a special log file showing the date and time of the operation, the type of operation performed, the employees displayed and the data processor identifier;
  4. identify deadlines for the cancellation of the data temporarily stored on the individual employee’s device, the cancellation of which must be made by that employee safeguarding any need for additional storage by the same.

The DPA finally recalled the need to notify the DPA of the processing, in accordance with Article 37(1)(a) of the Code.