In today’s increasingly connected world, geolocation has emerged as a crucial tool in the road transport sector. But while it offers unparalleled advantages in terms of efficiency and customer service, it also poses significant challenges with regard to privacy, data protection and identifiable personal information. Freight transport companies using geolocation for third parties have to navigate the regulatory environment designed to ensure data compliance and the requirements imposed by the Italian Data Protection Authority.
Understanding the Obligation to Report to the Italian Data Protection Authority
The obligation to notify the Italian Data Protection Authority arises from the need to ensure transparency and security in the processing of personal data collected through geolocation systems. This regulation, set in the broader context of the European Union’s General Data Protection Regulation (GDPR), requires freight transport companies to inform the control authority about the use of customers’ personal data, in particular that acquired through geolocation devices. This includes, but is not limited to, information such as:
- the geographical location of customers;
- travel routes;
- stopover times.
What the handling of customers’ personal data means for freight transport companies
For transport companies working with geolocation, this obligation implies the need to develop and maintain a data processing framework that is not only effective, but also compliant with privacy laws. From this point of view, it is essential that companies implement policies and procedures to ensure that the data collected is used responsibly and that it is protected with appropriate software tools to guarantee IT security. In addition, they must be able to demonstrate compliance in the event of inspections or requests by the competent authorities. This requires constant monitoring and updating of business practices to adapt to changing privacy regulations.
Consequences of non-compliance in data processing
Non-compliance with these legal obligations can lead to significant consequences for transport companies. These can range from severe economic penalties, which can be particularly onerous for small and medium-sized companies, to long-term reputational damage. In some cases, non-compliance can also lead to operational restrictions or suspension of data collection activities, which could have a significant impact on the company’s ability to operate effectively.
Transport company and private clinic fined for failure to notify data to the Privacy Authority
Compliance in the processing of personal data acquired through geolocation has therefore become crucial in the road transport sector and beyond. Recently, the Court of Cassation reaffirmed the importance of this obligation with ruling 26987, which rejected the Tribunal’s decision to overrule an administrative sanction imposed on a transport company. In this specific case, the Court emphasised that even if the company only provided the transport service, and had not directly developed the geolocation systems, the mere access to customers’ geolocation data made it responsible for processing the data.
The Court of Cassation pointed out that on the privacy front, the availability of credentials to access geolocation data is a determining factor in considering the transport company the data controller. This ‘transfer’ of power, previously overlooked by the Court, is fundamental because it implies a decision-making power over the methods and purposes of data privacy processing, as per Article 28 of the Privacy Code.
The case of the sanction against a private clinic for failure to notify the Privacy Authority
A second case of data breach concerns the judgment whereby the Court of Cassation upheld the Italian Data Protection Authority’s appeal against a Court’s decision to exclude a sanction against a private clinic. The Court had initially excluded the clinic’s liability for failure to disclose the processing of personal data, acquired through an online booking service, based on good faith and on the guidelines of an association memorandum. However, the Court of Cassation considered this reasoning to be too simplistic, emphasising that liability under the Data Protection Regulation cannot be excluded merely on the basis of the belief that one has followed the instructions of a trade association.
These examples highlight the seriousness of the consequences of non-compliance in personal data processing and corporate privacy practices. Companies are obliged to check their obligations themselves and cannot rely solely on guidance provided by private bodies such as trade associations. The presumption of guilt in these cases is a clear signal that regulatory compliance in the processing of personal data is something that all companies must consider very carefully.
Therefore, it is crucial for businesses to fully understand the regulatory requirements and take proactive measures to ensure compliance.