Giessegi Industria Mobili S.p.A. – €50,000 Fine (Italy, 2022)
Giessegi Industria Mobili S.p.A. was fined EUR 50,000 for using geolocation devices to track vehicles without proper consent and agreements. The company failed to inform drivers about the tracking and did not have the necessary contracts with its service provider. This case shows the importance of clear privacy policies and agreements when using tracking technologies.
What happened
Giessegi used geolocation devices to track vehicles without proper consent and agreements.
Who was affected
Drivers of vehicles tracked by Giessegi's geolocation devices without their knowledge.
What the authority found
The Italian DPA ruled that Giessegi violated GDPR by not providing a privacy policy and lacking necessary agreements with its service provider.
Why this matters
This ruling highlights the need for companies to ensure transparency and proper agreements when using tracking technologies. It serves as a warning to businesses to review their privacy practices and contractual obligations.
GDPR Articles Cited
The controller (Giessegi Industria Mobili S.p.A.) was in a contractual relationship with a processor (Verizon Connect Italy S.p.A.) providing geolocation devices. The controller installed geolocation devices to track vehicles delivering goods on its behalf. These vehicles were not directly owned by the controller, but rather by a third company to which the controller outsourced certain services. The data subject was a driver employed by this third company and had no direct contractual relationship with the controller. After the termination of the agreement with the processor, the controller phased out the devices. However, the controller forgot to remove one of them, which was subsequently found by the data subject in the engine of their car. It must be stressed that when the data subject found the device the contract between Giessegi and the data subject´s company was no longer in place either. Giessegi claimed that the geolocation devices were associated with car plates and not with individuals. As the controller did not know who the driver was, geolocation data could not be considered personal data under the GDPR. The Italian DPA started an investigation concerning potential violations of Articles 5(1)(a), 6, 13, 28(1) and 35 GDPR. The Italian DPA rejected the controller´s argument and clarified that “personal data” refers not only to an identified person, but also to an identifiable one, like in the case at issue. Giessegi was the controller, as it determined purposes and means of the processing. The Italian DPA then identified a number of violations. In the first place, Giessegi violated Articles 5(1)(a) and 13 GDPR, as it did not provide the data subject with a proper privacy policy. Article 28 GDPR was also infringed, as no controller-processor agreement existed between Giessegi and Verizon. With regard to the time after the end of the agreement between Giessegi and the company employing the data subject, there was also a violation of Article 6 GDPR. Geo
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Giessegi Industria Mobili S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
15 December 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€50,000
GDPRhub ID
gdprhub-5741About this data
Cite as: Cookie Fines. Giessegi Industria Mobili S.p.A. - Italy (2022). Retrieved from cookiefines.eu
Last updated: