Italy’s Data Protection Authority (Garante per la Protezione dei Dati Personali) has fined Autotrasporti Cuccu Riccardo, a Sardinian transport firm, for serious breaches of workplace privacy regulations. At the heart of the case lies the improper use of a geo-location system installed on company vehicles, which led to the collection and retention, deemed excessive by the Garante, of personal data relating to around fifty drivers, without providing them with proper information.
The investigation was launched following a complaint lodged by a former employee in September 2024. He reported that the company, his previous employer, had installed satellite tracking devices on its lorries “without providing adequate notice” and without following the procedures required by the Workers’ Statute. In its defence, the company claimed it had obtained authorisation from the local Labour Inspectorate (ITL) of Cagliari-Oristano and had posted the relevant notice on the company bulletin board. However, the Garante found that the information provided was “incomplete, contradictory and, in some cases, even misleading”.
The geo-location system allowed for “continuous monitoring of the vehicles”, including during drivers’ rest periods. The data collected included not only the position of the lorries but also telemetry information, vehicle status, and in some cases even the identity of the driver assigned to the vehicle. Although the company argued that the driver was identified only in the event of “irregular occurrences” such as accidents or traffic violations, the Garante found that “a link between the vehicle and the worker was technically possible at any time”, especially given that each lorry was typically assigned to the same employee.
The workers’ information notice also came under scrutiny: described as “inadequate and full of typos”, it referred to third parties not involved in the data processing and gave incorrect information about the length of data retention. Furthermore, it failed to make clear that vehicle tracking was “continuous and active even during breaks”.
Another critical issue highlighted by the Garante was that data were stored for “180 days”, a retention period deemed excessive in relation to the stated purposes, such as the protection of company assets and work organisation. Under the European General Data Protection Regulation (GDPR), data must be collected in a way that is “proportionate and limited” to what is strictly necessary. The company also “ignored a formal request for information” from the Garante. Only after intervention by the Guardia di Finanza were the necessary documents obtained to proceed with the inquiry. This lack of cooperation was considered an aggravating factor and contributed to the final decision by the authority.
As part of the investigation, the Garante also assessed the role of Way, the supplier of the geo-location system used by the transport firm. This assessment was essential to fully understand how employees’ personal data were handled via the technology provided. Documentation from Way and inspections carried out at its headquarters on 8 and 9 March 2023 revealed that the geo-location service contract had been signed with telecoms provider TIM, which was listed as the data processor on behalf of the client, while Way acted as a subcontractor, appointed by TIM as a sub-processor. Although this chain of responsibility was formally compliant with the European Regulation, the structure raised concerns about potential ambiguity in the practical handling of the data.
The Garante pointed out that the system provided by Way did not merely record the geographical location of the company vehicles but also allowed for the collection of a range of additional information: from telemetry data such as speed and mileage to vehicle status, and even tachograph data linked to the driver’s identity. The web platform connected to the system also enabled the exchange of messages with on-board devices and gave clients the option to manually input further worker-identifying data, such as name and driving licence number.
A key detail that emerged from the inquiry was the presence of an optional feature in the system: the so-called “privacy button”, which would have allowed drivers to disable location tracking under certain circumstances. Although this feature was technically available, it had neither been requested nor activated by the client. The same applied to the possibility, reserved for the data controller, to deactivate some platform functions or the entire tracking device—a possibility that, again, had not been used.
The Garante also confirmed that the platform developed by Way allowed personal information relating to workers to be manually recorded in its forms, making it possible to reconstruct, in detail, the activities and movements of individual drivers—even without real-time tracking. In the absence of specific measures for restriction or anonymisation, this system was deemed potentially intrusive into the private sphere of employees, raising further concerns about the processing’s compliance with the principles of proportionality and data minimisation required under EU law.
At the conclusion of the investigation, the Garante ruled that “the processing of personal data by the company is unlawful”, in breach of Articles 5, 13 and 88 of the GDPR, as well as Articles 114 and 157 of the Italian Privacy Code. In addition to the €50,000 fine, the authority ordered the company to rewrite its privacy notice so that it is clear and accurately reflects the actual data processing, and to bring its data handling practices into line with the principles of data minimisation and limited retention, as specified in the authorisation issued by the ITL. Furthermore, the decision was published on the Garante’s website for its “deterrent and transparency function”, given the seriousness of the violations.
This case serves as a warning to all businesses using geo-location systems or similar technologies installed on commercial vehicles to monitor drivers. The Garante has reiterated that “privacy in the workplace is non-negotiable” and that all data processing must be lawful, proportionate, transparent and, above all, clearly documented for those concerned.