Italy

Concentrix Cvg Italy s.r.l.

20,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2020-11-26.

Rank · Sector: #60 of 213 in Employment
Rank · Italy: #182 of 543
Rank · All fines: #1,038 of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2020-11-26
Controller / Processor: Concentrix Cvg Italy s.r.l.
Sector: Employment
Quoted Articles: Art. 5 (1) a), c) GDPR, Art. 6 (1) b), c) GDPR, Art. 9 (1) b) GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The union UILCOM Sardegna filed a complaint with the Italian DPA (Garante) against the call center operator Concentrix Cvg Italy s.r.l. regarding an internal regulation of the controller.
Under the terms of a "clean desk policy," the company had prohibited employees from keeping certain items, such as smartphones, on their desks. The rule was intended to ensure confidentiality in the processing of customers' personal data. Exceptions were made for medication that the data subjects proved they needed to take during their shift. This medication had to be placed visibly on the desk, making it indirectly possible for other employees to obtain information on the health status of the data subjects. The controller had informed the data subjects about the rules of procedure and obtained their consent. However, the information provided did not contain anything on the processing of their health data.
