Italy: Issued Data Protection Authority ruling specifying that biometric data use for attendance tracking lacks legal basis

On 6 June 2024, the Italian Data Protection Authority (DPA) fined Cappello Giovanni and Figli EUR 120’000 for violations of employee privacy rights at their dealership. The action followed a complaint about unauthorised facial recognition usage to track attendance and detailed logging via "Infinity DMS" software, which monitored tasks and downtime. The investigation determined that the practice violates the European Data Protection Regulation (GDPR), noting that biometric data processing lacked legal basis and employee consent was not valid due to power imbalances. The dealership had also been collecting data improperly for six years for performance reports without transparency or legal basis. The company must now adjust its data practices to meet legal standards within 45 days or face additional penalties.