In a recent decision regarding data processed by the Civil Aviation Agency, and in particular automatic processing of entry and exit data of personnel, the Italian Privacy Agency has clarified the tenure of obligations on companies with regards to access by third parties of such relevant data. Employees of the company had free access on the intranet, regardless of the position held, to data regarding movements of whichever personnel engaged by the company present in company premises. The case triggered an examination of company policies adopted on security and data management and storage. The Privacy Agency stated the clear obligation of companies in general to adopt a privacy protocol ensuring the limitation of access to data only to authenticated and identified company officers. Also a general duty of segmentation of data has been further clarified, imposing coverage on data which is not pertinent to company overview of safety or management policies.
The Privacy Agency has transmitted the file also to public prosecutors, for eventual evaluation of concurrent criminal responsibilities for wrongdoing regarding compulsory privacy and security obligations.
Source: Garante Privacy