Giessegi Industria Mobili S.p.A. – €50,000 Fine (Italy, 2022)
Giessegi Industria Mobili was fined for improperly tracking a driver's location using a hidden geolocation device. This matters because it emphasizes that companies must respect privacy even when they don't have a direct relationship with the individual being tracked. It serves as a warning for businesses using tracking technologies.
What happened
Giessegi Industria Mobili failed to remove a geolocation device from a vehicle after its contract ended, and the device tracked a driver’s location.
Who was affected
A driver employed by a third company whose vehicle was tracked without their knowledge.
What the authority found
The Italian Data Protection Authority ruled that Giessegi did not have a valid legal basis for processing the driver's location data.
Why this matters
This ruling underscores the importance of consent and transparency in tracking practices. Companies using tracking devices should review their data handling practices to ensure compliance.
GDPR Articles Cited
The controller (Giessegi Industria Mobili S.p.A.) was in a contractual relationship with a processor (Verizon Connect Italy S.p.A.) providing geolocation devices. The controller installed geolocation devices to track vehicles delivering goods on its behalf. These vehicles were not directly owned by the controller, but rather by a third company to which the controller outsourced certain services. The data subject was a driver employed by this third company and had no direct contractual relationship with the controller.
After the termination of the agreement with the processor, the controller phased out the devices. However, the controller forgot to remove one of them, which was subsequently found by the data subject in the engine of their car. It must be stressed that when the data subject found the device the contract between Giessegi and the data subject's company was no longer in place either.
Giessegi claimed that the geolocation devices were associated with car plates and not with individuals and that, as the controller did not know who the driver was, geolocation data could not be considered personal data under the GDPR.
The Italian DPA started an investigation concerning potential violations of Articles 5(1)(a), 6, 13, 28(1) and 35 GDPR. The Italian DPA rejected the controller's argument and clarified that “personal data” refers not only to an identified person, but also to an identifiable one, like in the case at issue. Giessegi was the controller, as it determined purposes and means of the processing. The Italian DPA then identified a number of violations. In the first place, Giessegi violated Articles 5(1)(a) and 13 GDPR, as it did not provide the data subject with a proper privacy policy. Article 28 GDPR was also infringed, as no controller-processor agreement existed between Giessegi and Verizon. With regard to the time after the end of the agreement between Giessegi and the company employing the data subject, there was also a violation of Article 6 GDPR. Geo
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Giessegi Industria Mobili S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 15 December 2022
Authority: Garante per la protezione dei dati personali
Fine Amount: €50,000
GDPRhub ID: gdprhub-5741
Cite as: Cookie Fines. Giessegi Industria Mobili S.p.A. - Italy (2022). Retrieved from cookiefines.eu