The Italian Data Protection Authority’s decision of September 14, 2023 (web doc. no. 9936174) deals with the right of access under the General Data Protection Regulation (GDPR).
The issues it touches on are not new, but they offer an opportunity to put into context the different facets of what is arguably, given how widely it can be exercised, the most important of the rights listed in Articles 15 to 22 of the GDPR.
The decision examines, directly or indirectly:
- the function of the right of access provided in the GDPR
- the possible instrumental exercise of that right
- the content of this right
- the modalities that apply in case of denial
- the distinctions, in terms of transparency, between the privacy notice, the register of processing activities and access.
Facts
The case concerns gas, electricity, and water utility services: the commissioning utility company uses a contractor (i.e., the controller company targeted by the decision) whose own staff read the meters using a special app made by a third-party provider.
The app, installed on smartphones provided to the employees in charge of the readings, has a GPS-based function that, when activated, makes it possible to locate the device and, therefore, its user.
Activation of the function is left to the employee, since it becomes active only when the device is turned on; it is used to locate the meter and the route the employee must take to reach it. Since the work activities performed are specifically paid, the company calculates the employee’s wages, and also the mileage reimbursement, using the app’s route.
Because an employment dispute has arisen between the company and three workers regarding the calculation of these wages, the workers exercise their right of access under Article 15 of the GDPR, specifically requesting the geolocation track data relating to each of them.
The devices provided to the employees also have a Mobile Device Management (“MDM”) platform installed, which allows the app provider to maintain the device remotely and the employer to manage the acquired data securely, including deleting it in case of theft, loss, or a detected breach.