The Italian Data Protection Authority (“Garante”), in its decision no. 350 of 8 September 2016, ruled it is lawful for an employer to process the employees’ personal data obtained through the geolocation system of a smartphone application used to record the employees’ place of work and working hours (i.e. starting and ending of working activity).
More specifically, the case decided by the Italian Data Protection Authority concerned the employees of two workforce supply agencies (“agenzie di somministrazione”) who carry out their working activity in favour of third companies mainly and/or permanently “off-site”.
In its decision, the Italian Data Protection Authority clarified that the two companies’ interest to simplify the administrative management and the registration of the working hours of the employees who carry out their activity mainly and/or permanently outside the company headquarters is legitimate, upholding the companies’ request for the preliminary approval, and prescribing a series of measures that must be respected in order to protect workers.
More specifically, the Italian Data Protection Authority, besides clarifying that the employers must give their employees the choice between installing and using the smartphone application to register working hours or continuing to use the traditional registration systems, prescribed the following measures:
- companies can retain only the data regarding the place of work, the date and the time of the virtual registration, and, once the system verified the correspondence between the place of work and the employee’s geographical position, all further data relating to employees’ position must be cancelled;
- companies must configure the application in a way to ensure that: (i) when the geolocation is active, an icon is visible on the smartphone screen; and (ii) the treatment, even accidental, of other data saved in the employee’s smartphones is avoided (i.e. data related to traffic, to sms, email, browser or other information);
- companies must notify the Italian Data Protection Authority, before the implementation of the new systems for the registration of the working activity, of the type of treatment and operations that they intend to carry out with the data;
- companies must preliminarily inform employees disclosing all the elements that are requested under Article 13 of the Privacy Code (such as the type of data, the purposes and methods of processing, storage period, persons who may become acquainted with data as data processor or as persons in charge of the processing).