Concentrix Cvg Italy s.r.l. – €20,000 Fine (Italy, 2020)

A company implemented internal rules that included a “clean desk” and locker policy. Under the policy, call centre workers could not have any objects on their desks, except for medicines or sanitary products that that they needed to have “immediately available” to them. After 3 months the company reformed the policy to include new rules, including requiring any bag containing medical items to be “no larger than a smartphone”, and a new procedure whereby employees seeking to keep medical items on their desk would have to inform Human Resources of their condition(s) in a request that would be documented, and potentially obtain proof from a doctor explaining why the employee needed to have the items in reach. In response to the complaint, the company argued inter alia that it had since reformed the policy, and that the legal basis for the processing entailed a legitimate interest for fraud prevention under Article 6(1)(f) GDPR. Did the company’s policy breach Article 6 or any other articles of the GDPR? The Garante held that the policy breached the the principles of lawfulness and minimisation under Articles 5(1)(a) and (c), and Articles 6(1)(b), (c) and Article 9(2)(b), for the processing of special categories of personal data. The breach was due to the policy involving a “submission of knowledge to others” that constituted an “elimination of any area of confidentiality and intimacy” which permitted third parties to become of employees’ health or the existence of conditions they would normally be able to keep private. The Garante did not agree that Article 6(1)f) could be used as a basis for processing here, because they were not satisfied that a balancing test on the merits of “fraud prevention” had been carried out by the company. The company was ordered to bring its policies in line with the principles of lawful processing and data minimisation, pursuant to Article 58(2)(d). The Garante also fined the company €20000 for its breach of Articles 5(1)(a) and (c) G