
Background information
- Date of final decision: 10 July 2025
- National case
- Controller: Magna PT S.p.A.
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data are collected from the data subject)
- Decision: Administrative fine, Definitive ban on data processing
- Key words: Administrative fine, Principles relating to processing of personal data, Transparency, Retention time, Lawfulness of processing, Employment
Summary of the Decision
Origin of the case
A trade union report highlighted a widespread practice within an automotive company: after an absence due to illness, accident or hospitalisation, workers were interviewed and asked to complete a questionnaire. The document, completed by a direct supervisor, was then sent to the Human Resources Department, which, together with the supervisor and/or the competent doctor, assessed, on the basis of the company's recommendations, any initiatives to protect the health of workers, such as modifying the workstation or intervening in working relationships.
Key Findings
During the investigation, the Italian Supervisory Authority (SA), the Garante, found several infringements of the EU Regulation (GDPR), including the lack of clear and transparent information for employees and the lack of a legal basis for data processing, including health data.
The Garante also found that the workers' data being stored was not relevant (absences from work) and was kept for a disproportionate period (up to ten years), and that the data processing was not relevant to assessing the professional skills of the employees.
Decision
The Italian SA, the Garante, imposed a definitive ban on the data processing and ordered the company to delete any data already collected and stored. The Garante also issued an administrative fine of 50 000 €.
For further information:
- Read the newsletter ed. 1 August 2025 - Videosorveglianza, il Garante privacy scrive a Confcommercio: attenzione agli abusi - Data breach, il Garante sanziona Poste Vita per 80mila euro - Lavoro, il Garante privacy sanziona un’azienda per questionari post-malattia
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.