Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
A GPS system installed on company vehicles, continuous monitoring of drivers, and questionable handling of personal data: this is how an Italian transport company found itself facing a fine of 50,000 euros imposed by the Privacy Authority. The case, triggered by a complaint from a former employee, revealed serious violations of GDPR regulations that could affect many other companies. Here’s what happened and how to avoid similar mistakes.
The Italian Privacy Authority (Garante per la Protezione dei Dati Personali), with decision no. 7 of January 16, 2025, fined a transport company for unlawfully processing the personal data of its employees through a geolocation system installed on company vehicles.
📍 What Happened? The Complaint from a Former Employee
The case began with a complaint from a former employee of the company, who contested the unlawful use of GPS devices installed on the trucks with trailers, which were used daily by the workers. These devices constantly recorded data related to the vehicle’s location, status, and driving information without interruption, even during work breaks.
The data was stored by the company for a period of 180 days.
⚖️ The Company’s Defense Was Insufficient
The company had received authorization from the Territorial Labor Inspectorate (ITL) to install such devices for the purposes of protecting company assets, ensuring workplace safety, and optimizing productivity. However, according to the Privacy Authority, the actual use of the system went well beyond what had been authorized.
In particular, the company claimed that driver identification only occurred under specific circumstances and through data cross-referenced with other company records. The Privacy Authority rejected this justification, emphasizing that the driver was always identifiable, directly or indirectly, through the combination of recorded information.
📝 Inadequate Privacy Notice: What Was Missing?
The company claimed it had made the privacy notice available in accordance with Article 13 of the GDPR, but the Privacy Authority clearly highlighted the deficiencies:
These deficiencies resulted in unlawful processing, violating the principle of fairness in the relationship with employees.
🚫 Violation of Minimization and Storage Limitation Principles
Another serious issue was the continuous and excessive collection of data, deemed disproportionate to the authorized purposes.
Furthermore, the prolonged storage of the data for 180 days did not comply with the GDPR's storage limitation principle, which requires data to be kept only for the time strictly necessary to fulfill the stated purposes.
⚠️ System Not in Compliance with ITL Authorization
The company had received specific instructions from the ITL, which required:
None of these conditions were fully met by the company.
💰 The Fine and Corrective Measures Imposed by the Privacy Authority
As a result of the violations found, the Privacy Authority imposed an administrative fine of 50,000 euros on the company and required it to immediately adopt corrective measures to ensure compliance with privacy regulations.