Biometrics for attendance recording. The Italian SA fines a high school


Background information

  • Date of final decision: 27 March 2025
  • National case
  • Controller: Istituto di Istruzione Superiore “P. Galluppi” Tropea
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data)
  • Decision: Administrative fine
  • Key words: Administrative fine, Consent, Lawfulness of processing, Biometrics, Public administration

 

Summary of the Decision

Origin of the case  

Following a complaint, the Italian Supervisory Authority (SA), the Garante, found that a high school had adopted a biometric recognition system that required the use of administrative staff's fingerprints in order to detect presence at the office and prevent damage and vandalism. The workers involved were those who had given their consent and did not wish to use traditional methods of attesting their presence at the office.

 

Key Findings 

The Italian SA recalled that, according to the GDPR and the Italian Data Protection Code, the use of biometric data in the workplace requires a clear legal provision and specific guarantees for the rights of the data subjects. However, the national provisions that provided for the introduction of biometric presence detection systems in the public sector were repealed in 2020.

 

Decision 

Regarding the consent given by the workers to the school, the Italian SA considered that, in the light of the asymmetry between employees and employers, consent is not a valid legal basis for the lawfulness of the processing of personal data in the employment context, both in the public and private sector.

The Italian SA fined the high school 4 000 EUR.

 
