On March 6, the Court of Cassation was called upon to rule on a fine of 20,000 euros imposed by the Data Protection Supervisor in 2018 on a company that had been registering the attendance of its employees using their fingerprints.
Clearly, the case concerned facts occurring before European Regulation 679/2016 came into force in 2018. Nevertheless, the decision matters because the principles laid down by the Supreme Court are even more relevant after the entry into force of the GDPR.
Specifically, the Court confirmed that, in matters of data protection, the party responsible for illegal processing is the employer company and not its manager, and that this liability arises from what is known as «organisational fault», that is, the company's failure to fulfil its obligation to take the measures required to prevent illegal activities.
The second principle is also highly relevant in the new regulatory framework imposed by the GDPR: the legal basis that legitimises the processing of biometric data, in derogation of the prohibition imposed by the GDPR, can only be a legal provision or a collective agreement, and cannot be found in the express consent of the employees.
(Avv. Giampiero Pino) (Avv. Eleonora Lepri)