Sportitalia (the controller) – €20,000 Fine (Italy, 2022)
Sportitalia, a sports club in Milan, was fined for collecting employee fingerprints without proper consent. This matters because it shows that companies must get clear permission before using biometric data. Businesses should ensure they have valid consent processes in place to avoid similar penalties.
What happened
Sportitalia collected biometric data from its employees to track attendance without obtaining valid consent.
Who was affected
Employees at Sportitalia's fitness clubs whose fingerprints were collected for attendance tracking were affected.
What the authority found
The Italian DPA ruled that Sportitalia violated GDPR rules by not having valid consent for processing biometric data.
Why this matters
This case highlights the importance of obtaining clear consent for biometric data collection. Other businesses should review their data collection practices to ensure compliance.
GDPR Articles Cited
National Law Articles
Sportitalia, an amateur sports club (the controller), manages several fitness clubs in Milan. The controller installed a system that collected biometric data (fingerprints) of its employees (the data subjects) to record their attendance at the sports clubs, to make it easier for them to record their entry and exit times from work, and to adopt a simpler and faster system than the badge-based system previously in use. This biometric system was installed in the registered office of the controller and its seven clubs, with a total of 132 data subjects concerned.
In October 2018, a trade union organisation lodged a complaint with the Italian DPA against the controller, claiming that the system was illegal. The DPA initiated an investigation followed by a sanctioning procedure.
During the procedure, the controller submitted that the processing of the data subjects' data was based on free and express consent. The controller emphasised that the data subjects could refuse the use of the biometric system in favour of the badge, although no data subject requested the use of this alternative method. In its defence, the controller stated that this system had the sole purpose of detecting the attendance of employees in order to facilitate the registration of entry and exit times. The controller also argued that it had acted in good faith and with transparency towards the data subjects by informing them that they could refuse to grant consent to the use of this biometric system or that they could withdraw their consent at any time.
The controller indicated that, as of 2 May 2022, it would discontinue using the biometric system and erase all acquired data, returning to the traditional badge registration system. For this reason, the controller instructed its processor to erase the biometric data collected and processed during the use of the fingerprint scanning device.
The Italian DPA noted that biometric data constitute sensitive data under Article 9(1) GDPR. Additionally, any processing
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Sportitalia (the controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 November 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-5572
Cite as: Cookie Fines. Sportitalia (the controller) - Italy (2022). Retrieved from cookiefines.eu
Last updated: