Sportitalia (the controller) – €20,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Sportitalia, an Italian sports club, was fined for using a biometric system to track employee attendance without proper consent. The Italian data protection authority found that the system did not comply with data protection rules. This case serves as a warning for businesses using biometric data to ensure they have valid consent.
What happened
Sportitalia implemented a biometric attendance system without obtaining proper consent from employees.
Who was affected
Employees whose biometric data was collected for attendance tracking were affected.
What the authority found
The Italian data protection authority ruled that Sportitalia lacked a valid legal basis for processing biometric data, violating GDPR.
Why this matters
This ruling underscores the need for businesses to obtain clear consent when using biometric data. Companies should review their data collection practices to ensure compliance.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Sportitalia, an amateur sports club (the controller), manages several fitness clubs in Milan. The controller installed a system that collected biometric data (fingerprints) of its employees (the data subjects) to record their attendance at the sports clubs, to make it easier for them to record their entry and exit times from work, and to adopt a simpler and faster system than the badge-based system previously in use. This biometric system was installed in the registered office of the controller and its seven clubs, with a total of 132 data subjects concerned.
In October 2018, a trade union organisation lodged a complaint with the Italian DPA against the controller, claiming that the system was illegal. The DPA initiated an investigation followed by a sanctioning procedure.
During the procedure, the controller submitted that the processing of the data subjects' data was based on free and express consent. The controller emphasised that the data subjects could refuse the use of the biometric system in favour of the badge, although no data subject requested the use of this alternative method. In its defence, the controller stated that this system had the sole purpose of detecting the attendance of employees in order to facilitate the registration of entry and exit times. The controller also argued that it had acted in good faith and with transparency towards the data subjects by informing them that they could refuse to grant consent to the use of this biometric system or that they could withdraw their consent at any time.
The controller indicated that, as of 2 May 2022, it would discontinue using the biometric system and erase all acquired data, returning to the traditional badge registration system. For this reason, the controller instructed its processor to erase the biometric data collected and processed during the use of the fingerprint scanning device.
The Italian DPA noted that biometric data constitute sensitive data under Article 9(1) GDPR. Additionally, any processing
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Sportitalia (the controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 November 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-5572
Cite as: Cookie Fines. Sportitalia (the controller) - Italy (2022). Retrieved from cookiefines.eu