{{DPAdecisionBOX
|Jurisdiction=Italy
|DPA-BG-Color=background-color:#095d7e;
|DPAlogo=LogoIT.png
|DPA_Abbrevation=Garante per la protezione dei dati personali
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)
|Case_Number_Name=10213711
|ECLI=
|Original_Source_Name_1=GPDP
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10213711
|Original_Source_Language_1=Italian
|Original_Source_Language__Code_1=IT
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=18.12.2035
|Date_Published=
|Year=2035
|Fine=120000
|Currency=EUR
|GDPR_Article_1=Article 5(1)(b) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1b
|GDPR_Article_2=Article 5(1)(c) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1c
|GDPR_Article_3=Article 5(1)(a) GDPR
|GDPR_Article_Link_3=Article 5 GDPR#1a
|GDPR_Article_4=Article 6(1)(f) GDPR
|GDPR_Article_Link_4=Article 6 GDPR#1f
|GDPR_Article_5=Article 13 GDPR
|GDPR_Article_Link_5=Article 13 GDPR
|GDPR_Article_6=Article 28 GDPR
|GDPR_Article_Link_6=Article 28 GDPR
|GDPR_Article_7=Article 35 GDPR
|GDPR_Article_Link_7=Article 35 GDPR
|GDPR_Article_8=
|GDPR_Article_Link_8=
|GDPR_Article_9=
|GDPR_Article_Link_9=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=lde
|
}}
The DPA found that the controller unlawfully processed employees’ personal data through a satellite telematic system. The company was ordered to delete the collected data and pay a €120,000 administrative fine.
== English Summary ==
=== Facts ===
Pioneer Hi-Bred Italia, the controller, installed telematic devices in company cars to monitor employees’ driving behavior. The initial privacy information provided to employees was vague and did not clearly identify the data controller, recipients, purposes, or lawful basis for processing.
One of the company’s employees, as an affected data subject, filed a complaint with the DPA.
The controller, in its statement, claimed legitimate interest as the lawful basis for processing, including private trips, without performing a proper balancing of interests or a full Data Protection Impact Assessment. Employee data were also shared with supervisors and administrators from other group companies without formal designation as data processors or documented instructions.
Furthermore, the system stored all data relating to the trips for 13 months.
=== Holding ===
The DPA held that Pioneer Hi-Bred Italia’s processing was unlawful, and imposed an administrative fine of €120,000.
First, the DPA observed that the information provided to employees was neither transparent nor complete, failing to clearly indicate the controller, recipients, purposes, and lawful basis, in violation of Articles 5(1)(a), (b), (c) and 13 GDPR.
Moreover, the company’s reliance on legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was insufficient, as it did not conduct a proper balancing test to weigh its interests against employees’ fundamental rights and freedoms, nor did it perform an adequate Data Protection Impact Assessment under [[Article 35 GDPR|Article 35 GDPR]].
Lastly, the sharing of employee data with supervisors and administrators from other group companies occurred without formal designation as data processors or documented instructions, in breach of Articles 6 and 28 GDPR. Furthermore, the collection and storage of such data for 13 months exceeded what was necessary to achieve the stated purposes, violating the principles of purpose limitation and data minimisation under Articles 5(1)(b) and (c) GDPR.
In light of this, the Authority ordered the deletion of all data collected via telematics devices, and imposed a €120,000 administrative fine.
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
<pre>
SEE ALSO NEWSLETTER of January 29, 2026
[web doc. no. 10213711]
Measure of December 18, 2025
Register of Measures
no. 755 of December 18, 2025
THE ITALIAN DATA PROTECTION AUTHORITY
IN today’s meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Guido Scorza, members, and Dr. Luigi Montuori, Secretary General;
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”);
HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter the “Code”);
HAVING SEEN the complaint filed pursuant to Article 77 of the Regulation against Pioneer Hi-Bred Italia Sementi s.r.l.;
HAVING EXAMINED the documentation in the file;
HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1/2000;
RAPPORTEUR: Dr. Agostino Ghiglia;
WHEREAS
1. The inspection activity carried out following the filing of a complaint with the Authority.
On September 15, 2023, this Authority received a complaint, filed pursuant to Article 77 of the Regulation, alleging that, starting in June 2023, Pioneer Hi-Bred Italia Sementi s.r.l. (hereinafter “the Company”) had decided to install a satellite telematics device on company vehicles assigned to its employees, capable of detecting drivers’ driving behavior and using the data thus collected to assign an evaluation score.
Given the sensitivity of the matter raised, the Authority ordered an on-site inspection pursuant to Articles 157 and 158 of the Code, in order to gather all necessary information to verify the compliance of the processing performed with the principles and provisions regarding the protection of personal data.
The inspections were carried out on February 28 and 29, 2024, at the Company’s headquarters by Authority personnel.
During the inspection, it was preliminarily established that the Company is part of a multinational business group, owned by XX, as evidenced by the ordinary company records obtained during the inspection.
The project to install telematics devices on vehicles used by employees for the purpose of recording driving behavior was initiated by XX, headquartered in Switzerland, and involved (at the date of the inspection) only the Italian companies belonging to the same group—XX, XX, and XX, later merged into XX—in addition to Pioneer Hi-Bred Italia Sementi s.r.l.
In particular, it was found that the Swiss company had entered into a European leasing agreement with XX (a company with registered office in XX) for the leasing of vehicles and their equipment with satellite telematics devices. The contract, signed on May 12, 2021, includes an attached list of XX companies providing the service in each country where XX operates (Annex 3 to the minutes of February 28, 2024).
Under this contract, the Italian companies Arval Service Lease Italia S.p.A. (hereinafter “Arval”) and XX, on their own behalf and on behalf of the other Italian companies belonging to the XX group, have signed a commercial agreement that specifically governs the activation of the satellite telematics service called Arval Connect Essential on vehicles leased by Arval (Annex 4 to the minutes of February 28, 2024).
The Arval Connect service is a satellite telematics service that provides the lessee, via a dedicated web platform, with a series of information collected from satellite telematics devices installed on leased vehicles. The information collected by the satellite devices varies depending on the service provided.
In this case, the Italian companies of the XX group use the Essential service, which allows for the collection of information on all types of trips, both “professional” and “private,” by collecting the date and time of departure and arrival, kilometers traveled, fuel consumption, and information on driving behavior such as braking, acceleration, speed, steering, and cornering, assigning a score to each of these behaviors. The average of the scores, on a monthly basis, allows for the association of a driving style with a risk level (low, medium, and high), based on which different intervention methods can be implemented to improve driving behavior (minutes of February 29, 2024).
The installation of satellite telematics devices on company vehicles by the Italian XX group began in July 2023 and was implemented on eight vehicles used individually by employees of the group’s Italian companies as a fringe benefit and on three pool cars, i.e., vehicles not assigned individually and used only for business travel (minutes of February 28, 2024, p. 3, and February 29, 2024, p. 2).
With regard to the processing carried out by Pioneer Hi-Bred Italia Sementi s.r.l., it was ascertained that:
– the Company processes data relating to employees’ driving style as the data controller, pursuant to Article 4, No. 7, of the Regulation;
– “The information notice pursuant to Article 13 of the Regulation was prepared by XX and is used by all affiliated companies, including Pioneer Hi-Bred Italia Sementi s.r.l., each of which is the data controller of the data relating to its employees” (minutes of February 29, 2024, page 3);
– The information notice was made available to employees through an internal training system, together with a document containing FAQs that illustrate some of the features of the telematics system (Annex 2 to the minutes of February 28, 2024 and Annex 4 to the minutes of February 29, 2024);
– With respect to the processing in question, a register of processing operations pursuant to Article 30 of the Regulation has been prepared, which is updated in the first three months of each year, and an impact assessment has been conducted pursuant to Article 35 of the Regulation (Annex 1 to the minutes of February 28, 2024, and Annex 2 to the minutes of February 29, 2024);
– the guarantee procedure referred to in Article 4 of Law No. 300/1970 was not activated, as this service was not deemed capable of providing any form of control over work activities (minutes of February 29, 2024, page 4);
– the information collected via electronic devices is retained for 13 months, so since processing began in July, the data was fully available to the Company at the date of the inspection;
– geolocation data is not processed, as the contract with Arval does not provide for the provision of this service.
With regard to the access profiles to the web platform made available by Arval and the type of data displayed, it was found that:
– each employee assigned a company car equipped with the telematics device can access the Arval Connect platform using authentication credentials and view the data collected for each trip, whether private or business (minutes of February 28, 2024, page 3);
– two additional platform access profiles are provided, supervisor and administrator, which can be assigned to employees of other group companies (minutes of February 29, 2024, page 3);
– the user with the supervisor profile receives, on a monthly basis and via email, an Excel file (accessible with a password) containing a macro showing, for each driver in their fleet, the number of events recorded for both private and business trips and the corresponding assigned score (Annex 5 to the minutes of February 29, 2024);
– The administrator user is assigned to four people, two of whom are employees of XX and two of XX. The administrator logs in to the Arval platform using authentication credentials and views information relating to the entire European fleet, which, at the time of the inspection, only concerned those used by Italian companies. The administrator also views detailed information on the business trips made by their employees, including the start and end times and the number of events recorded for both business and private trips (Annex 6 to the report of February 29, 2024).
– By the end of the relevant calendar month, the driver/interested party may select the private trips from the completed trips so as not to make the related detailed information available to the supervisor and administrator. Alternatively, the driver may activate the “privacy” button on the vehicle before making a private trip (report of February 28, 2024, page 3).
– “The classification of the trip as private affects only the calculation of kilometers traveled, and the system, in calculating scores, also takes into account driving behavior (abrupt braking, sudden acceleration, etc.) related to private trips” (minutes of February 29, 2024, page 5);
– Where the data collected indicates a score corresponding to an intermediate or high risk level, the supervisor must initiate discussions with the driver/interested party to identify corrective actions.
1.1. The documentation submitted by the Company to resolve the reservations expressed during the inspection.
With a note dated March 21, 2024, the Company submitted additional information and documents to supplement the statements made during the inspection.
In particular, a list of vehicles equipped with satellite telematics devices (identified by license plate number, make, and model) was produced, associated with the name of the driver, supervisor, and the respective employer companies. In fact, of the eight vehicles equipped with the telematics device, five are assigned to employees of the Company and three to employees of another company in the group (XX).
A review of the documentation revealed that the supervisor is employed by a company other than the driver’s, and specifically, in three cases, the supervisor is employed by companies in the XX group based abroad (XX, XX, and XX).
Regarding the roles played by the various companies in relation to the processing of personal data of drivers/employees of the Company, it was also clarified that:
– the data controller is the driver’s employer, while the supervisors “have a mentoring role in this process as they receive the results of the driving behavior and support/advise the employee and the employer by proposing improvement actions that have been established by XX’s Safety Program. Supervisors do not make decisions regarding the processing of personal data and cannot impose any disciplinary sanctions related to driving behavior.”
– “ARVAL, the supplier of the telematics device, is a Data Processor (as established in the Data Processing Agreement signed in accordance with Art. 28 of the European Privacy Regulation).”
– “The data controllers are the XX system administrator companies that have access to the data on the Arval portal (XX and XX [whose administrator profiles are employed by the administrators]). We are planning a service agreement.”
– No specific instructions on data processing were provided, but instructions on retention procedures are sent as an attachment to the monthly report.
– “System administrator access does not allow viewing details of private trips, but it does allow viewing the total number of Events (business and private trips combined) and the number of Events related to business trips only. Therefore, there is the possibility that a System Administrator could calculate the number of Events related to private trips. We have decided to remove system administrators’ access to the driving behavior data on the portal. System administrators will have access to the document sent monthly to supervisors.”
2. The initiation of the procedure for the adoption of corrective and disciplinary measures pursuant to Article 58, paragraph 1, letter a) of the Italian Legislative Decree. 166, paragraph 5, of the Code.
In light of the information gathered, the Office notified the party, pursuant to Article 166, paragraph 5, of the Code, of the initiation of proceedings for the adoption of corrective measures and sanctions (note dated 03/07/2024), for the violation of:
– Articles 5, paragraph 1, letters a), b), and c), and 13 of the Regulation, in relation to the inadequacy of the information provided;
– Article 6, paragraph 1, letter f), in relation to the lack of a balancing of legitimate interest against the data subject’s fundamental rights and freedoms;
– Articles 28 and 6 of the Regulation and 2-quaterdecies of the Code in relation to the failure to designate data processors and provide related instructions on data processing;
– Article 5, paragraph 1, letter c), in relation to the failure to designate data processors and provide related instructions on data processing; 1, letter a) and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
The Company submitted its defense briefs pursuant to Article 18 of Law No. 689/1981, providing its observations with respect to the content of the notification.
In particular, the Company preliminarily communicated that it had stopped “the processing of Telematic Data (…) relating to drivers when they undertake private travel. In other words, the Company will process exclusively the Telematic Data collected during its employees’ business travel.” Therefore, “the Company has instructed its service provider, Arval Service Lease Italia S.p.A. (‘Arval’), to suspend all data processing until further notice, in order to implement appropriate technical, organizational, and contractual measures to ensure that data relating to private travel (‘Private Travel Data’) are not collected and processed by Arval on behalf of the Company.”
Regarding the violation of the principles of transparency and fairness in the processing of so-called telematics data, and of the principles of purpose limitation and data minimization in relation to the information provided, the Company stated that:
– “Prior to the date of the Order [or rather, the act initiating the sanctioning proceedings], the Company adopted a ‘layered’ approach to the privacy information provided to drivers (‘Telematics Systems Privacy Information’) relating to the Telematics Program. This approach, developed by the Company over time, took into account the transparency guidelines of the European Data Protection Board (…)”;
– “Specifically, the Privacy Notice for Telematics Systems has been integrated with the Company’s ‘Telematics FAQs’ (already provided by the Company to the Italian Data Protection Authority during the Inspection of February 29, 2024) (‘Telematics FAQs’); by doing so, the Company intended to contextualize the information relating to the Telematics Program across multiple documents and actions, in a manner that the Company believed would provide drivers with a clear understanding of how and why their personal data was being processed.”
– “In addition to the Telematics FAQs provided to employees, the Company also provided mandatory training to them through a dedicated online platform called ‘Grow U’.”
– “In light of the observations made by this Most Illustrious Authority in the Decision regarding transparency, the Company has taken steps to collect (in its updated Privacy Notice for Telematics Systems) the relevant information contained in the Telematics FAQs and the Telematics Training, with the aim of creating a single Privacy Notice for Telematics Systems.”
With regard to the violation of Article 6, paragraph 1, letter f), of the Regulation (“Lack of a balancing test of legitimate interest against the data subject’s fundamental rights and freedoms”), the Company stated that:
– the document containing the LIA (“Legitimate Interest Assessment”), “was actually provided to the Garante during the inspection of February 28, 2024 (…), in the email with the subject ‘Pioneer Hi-Bred Italia Sementi S.r.l. – assessments’, as an attachment named ‘PIA_EHS_Europe_Cartelematics_v8.xlsx’ in Annex 4 of document ‘6. LIA’. In particular, Part 3 of the latter document illustrated the considerations and assessments made by the Company regarding the balancing test relating to its legitimate interest”;
– “In any case, the Company has carefully considered the overall observations made by the Garante regarding the Telematics Program and has taken this opportunity to update its LIA accordingly (…). The updated LIA now includes further details regarding: (i) the Telematic Purposes; (ii) the Telematic Data flows between the Company and its data processors, including Arval; and (iii) the restriction of the processing of any Data relating to private travel by, or on behalf of, the Company.”
Regarding the violation of art. 28 of the Regulation, the Company stated that “as reported during the Inspection, it has now finalized the procedure for entering into a data processing agreement pursuant to Article 28 of the GDPR (‘DPA’) with the other companies that may access and process the Telematics Data in connection with the Telematics Program (see Annex 3). The DPA precisely specifies the identity of the legal entities involved, the purposes for which these entities act as data processors on behalf of the Company, as well as the other elements required by Articles 28, 29, and 45 of the GDPR.”
Finally, with reference to the violation of Articles 113 and 114 of the Code (in relation to Articles 4 and 8 of the Workers’ Statute), the Company stated that:
– “Since the Company has not collected or processed—and will continue not to do so—employee geolocation data as part of its Telematics Program (and the Telematics Program did not appear to constitute an employee monitoring activity), the Company, together with the union representatives, believed that such an agreement was unnecessary. Therefore, the Company has not entered into any agreement with the union representatives in Italy regarding the Telematics Program. To date, based on the helpful comments provided by this Most Illustrious Authority, the Company is consulting with its union representatives in Italy with a view to reaching an agreement pursuant to Article 4 of the Workers’ Statute.”
– “On July 29, 2024, the Company instructed Arval to suspend all processing of Telematics Data under the Telematics Program until the measures and solutions agreed upon with the Company are implemented. This will ensure a more rigorous application of the data minimization principle, preventing any form of collection of Data relating to private travel by or on behalf of the Company. On August 12, 2024, Arval confirmed that it had complied with the Company’s instructions and, therefore, had stopped collecting and processing Telematics Data.”
– “Considering the above, the Company – by suspending the collection and processing of Telematics Data – is acting in full compliance with Article 8 of the Workers’ Statute, as it does not and will no longer process any Data relating to private travel (or any other personal data that is not necessary for the purposes of assessing employee driving behavior).”
In a subsequent communication dated May 23, 2025, the Company announced that:
– “At an advanced stage of discussions with Arval, the Company learned that the total mileage for each vehicle will necessarily include an aggregate percentage of kilometers traveled for both business and private trips.”
– “This information will be visible exclusively to Company administrators within the Arval dashboard, who confirmed that information relating to private trips cannot be deleted, hidden, or masked for the Company, without affecting all other Arval customers.” “In any case, data relating to private trips is available, on the Arval portal, exclusively as a total percentage, in fully aggregated form (i.e., it is not calculated for each individual trip).”
3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.
Following the examination of the documentation submitted and the statements made to the Authority during the proceedings, given that, unless the act constitutes a more serious crime, anyone who, in proceedings before the Data Protection Authority, falsely declares or certifies information or circumstances, or produces false documents or records, is liable pursuant to Article 168 of the Code (“False statements to the Data Protection Authority and interruption of the performance of the duties or exercise of the powers of the Data Protection Authority”), it is established, based on the documentation obtained, the findings of the inspections conducted, and the statements made by the party itself, that Pioneer Hi-Bred Italia Sementi s.r.l. is the data controller of the personal data pursuant to Article 4, No. 7, of the Regulation.
The Company, as data controller, processed personal data relating to its employees in violation of the regulations on personal data protection, as specified below.
3.1. Violation of Articles 5, paragraph 1, letters a), b), and c), and 13 of the Regulation.
First, it should be noted that, given the processing of personal data carried out by the Company using the satellite telematics program, the documentation acquired during the inspection revealed clear criticalities, particularly regarding the identification of the data controller, data processors, and recipients of the data collected through the devices.
This is because the documentation was prepared at the group level and addressed to all affiliated companies, some of which are headquartered outside the European Union. It follows that the privacy policy, even when read in conjunction with the FAQs, was not adequate to transparently and accurately represent the essential characteristics of the processing, such as its purposes and lawfulness, and to provide data subjects with sufficiently clear information about the entities acting as data controller and processor.
The Company, in its defense, argued that it had opted for a “layered” approach in providing data subjects with information on the processing performed, acting in accordance with the indications provided by the Art. 29 Working Party in the Transparency Guidelines adopted on November 29, 2017.
In this regard, it should be noted that in the aforementioned Guidelines, the Working Party, while recommending the use of layered privacy statements/information notices (especially in the digital environment), also specifies that “All information addressed to data subjects should be available in a single location or in a comprehensive document (in digital or paper format), which they can easily access if they wish to consult the information addressed to them in its entirety” (point 17).
This introduces the criterion of “easy accessibility,” which implies that the data subject is not forced to search for the information, but rather that it is immediately clear where and how it can be accessed (point 11, Guidelines cited). In the case at hand, for example, the notice could have included a reference or link to the FAQs to inform data subjects of the existence of the other documents provided.
In any case, a joint reading of both documents (the Notice and the FAQ) does not allow us to determine who holds the role of data controller or joint controllers, a particularly relevant circumstance given the complex data flows between the various companies within the same corporate group.
In fact, the Notice appears to have been prepared by XX, without specifying whether it is XX, the parent company in Italy, or XX, the European leader of the telematics project, or something else.
Only during the inspection was it clarified that, in general, the data controller is the company that processes the personal data of its employees. This information, which was not made available to data subjects, was updated only following the changes introduced following the notification of the initiation of the sanctioning procedure.
Another element not adequately expressed in the information documents concerns the recipients of the data collected by the devices. As the investigation revealed, the supervisor and the administrator, each of whom may also be an employee of another company in the group, can access (directly via the platform or by receiving a file) various types of data.
The information document acknowledged that “access” to driver data is granted to “those with a need to know,” “which may include the manager, EH&S, Human Resources, Legal, Internal Audit, and law enforcement authorities.”
This very vague and general language does not provide precise information about the individuals authorized to access the data, the methods by which driver information is made available, and, above all, the “needs” (i.e., the legitimate grounds) that justify access to the data.
The FAQ, however, stated that “Driver driving behavior data will be available to driver supervisors (only for their team members) and the program administrator via an Excel file shared by Arval.”
In addition to the inaccuracy of this last statement, it should be noted that a joint reading of the documents does not provide a clear and transparent picture of who is actually authorized to access driver driving behavior data, and to what degree of detail (i.e., whether information related to business trips or also so-called private trips), how the processing is carried out (i.e., whether through direct access to the platform or through communication), and the relevant lawfulness requirements.
Finally, it should be noted that the information provided to data subjects at the start of the processing lacks clear indications regarding the purposes of the processing, as required by Article 13(c) of the Regulation, in conjunction with Article 5(1)(b).
The stated purpose of “maintaining safe and defensive practices and (…) zero car collisions worldwide” is irrelevant from the perspective of personal data processing, as it constitutes the general purpose of the XX Group project, which was not defined based on the characteristics of the processing.
Therefore, given the absence of a clear and specific purpose for the processing, the data relevant and necessary for achieving that purpose have not been identified (Article 5, paragraph 1, letter c) of the Regulation, principle of data minimization).
These aspects have been addressed in the new disclosure template, which currently lists the data (relating to business travel) necessary and relevant to each purpose pursued.
In any case, the violation of the principles of transparency and fairness, purpose limitation, and data minimization remains established in relation to the disclosure initially prepared by the Company (Article 5, paragraph 1, letters a), b), and c), and Article 13 of the Regulation).
3.2. Violation of Article 6, paragraph 1, letter f), of the Regulation.
Based on the initial information notice, it was found that the lawful basis for the data processing carried out through the satellite telematics program was identified as XX’s legitimate interest in “improving safe driving performance, saving lives, and efficiently and effectively managing its global fleet of vehicles” (Notice point 2.1).
In this regard, it is noted that, pursuant to Article 6, paragraph 1, letter f), of the Regulation, legitimate interest may constitute an appropriate basis for lawfulness of processing only “provided that the interests or fundamental rights and freedoms of the data subject do not prevail,” “taking into account the reasonable expectations of the data subject based on his or her relationship with the controller” (recital 47).
This condition therefore requires a balancing of the competing rights and interests at stake, by identifying and describing not only the interests of the data controller, but also the fundamental rights and freedoms of the data subjects.
Given that Article 35 of the Regulation requires the data controller to conduct the impact assessment, it should be noted that, in this case, during the inspection, an Excel file was produced containing a “DPIA questionnaire provided by Germany DPO in February 2023” and another “DPIA template from CNIL/France used by XX as EU DPIA template” (Annex 1 to the minutes of 28/02/2024).
In both cases, the document cannot be usefully evaluated for the purposes of proper fulfillment of the obligation under Article 35 of the Regulation.
Similarly, with regard to the LIA, included in the same document, which appears to have been prepared on the ICO model, only the interests of the XX group are identified, consisting, as stated, in “an improved driving safety behavior and optimization of cars cost”, without, however, considering the additional elements useful for the balancing, such as (in addition to the freedoms, interests and rights of the data subject) the impact of the processing on data subjects, taking into account the type of data processed, the context and the consequences for data subjects, and their reasonable expectations of confidentiality.
Although these aspects were addressed in the LIA prepared following the initiation of the sanctioning proceedings (attached to the defense briefs of September 2, 2024), it should be emphasized that the document does not address the processing performed by the Company with regard to data relating to so-called private travel. As specified during the preliminary investigation (see note of May 23, 2025), this data continues to be collected by IT devices and used to assess the driver’s driving behavior.
Given that, with respect to this type of information, the legitimate interest of the data controller cannot be invoked as a basis for lawfulness, the violation of Article 6, paragraph 1, letter f), of the Regulation remains established in relation to the processing of employee data by the Company.
3.3. Violation of Articles 28 and 6 of the Regulation and Article 2-quaterdecies of the Code.
Regarding the individuals authorized to view information on drivers’ driving style, it should be noted that, during the inspection, it emerged that administrators directly access company employee travel data through the Arval portal, contrary to what was stated in the information notice. Supervisors, however, receive a monthly report with information on the total number of events recorded in the reference month and the score achieved for each member of their fleet.
Furthermore, access to the system revealed that supervisors access additional information regarding the drivers assigned to their fleet, specifically the number of trips made and kilometers traveled in the reference month, and the average scores achieved for both environmental sustainability and safety up to three months prior (see Annex 5 to the minutes of February 29, 2024).
In a subsequent communication dated March 21, 2024 (issued to address the reservations raised during the inspection), the Company stated that it had standardized the procedures for accessing its employees’ driving style data, requiring the director to receive the same document sent to the supervisor on a monthly basis.
Regardless of the manner in which the information is made available to third parties and its level of detail, of particular importance in this case is the fact that both the supervisors and the directors are employees of other companies belonging to the XX group (see section 1.1 for details) and that the flow of personal data between the companies has not been regulated by an appropriate legal act.
In fact, in the aforementioned communication dated March 21, 2024, the Company merely stated that the companies to which the directors belong are data controllers and that a service agreement is being planned, without providing supporting documentation or specifying anything else.
Similarly, regarding the position of supervisors, the Company does not appear to have provided adequate instructions regarding the processing operations performed, taking into account the amount of information made available to them.
This conduct therefore conflicts with the regulations on the protection of personal data, which, in regulating data flows between companies within the same business group, establish that each affiliated or controlled company has independent ownership of the personal data of its employees and collaborators (see Guidelines on the Processing of Workers’ Personal Data for the Purpose of Managing the Employment Relationship in Private Employers, Provision No. 53 of November 23, 2006; Section 3.2).
In line with the above, it is also noted that, pursuant to the provisions of the Regulation, the data controller, as part of the implementation of the technical and organizational measures for which it is responsible, including security measures (Articles 24 and 32 of the Regulation), may avail itself of a processor to carry out certain processing activities, to whom it shall provide specific instructions (see recital 81 of the Regulation).
In this case, the data controller “shall use only processors providing sufficient guarantees to implement the appropriate measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of data subjects” (Article 28, paragraph 1, of the Regulation).
Pursuant to the aforementioned Article 28 of the Regulation, the data controller may also entrust processing to external parties, provided that the relationship with them is adequately regulated by a contract (or other legal document) and that instructions are given regarding the main characteristics of the processing.
The data processor is therefore authorized to process data subjects’ data “only upon documented instructions from the controller” (Article 28, paragraph 3, letter a), of the Regulation) and within the specific limits defined by the data controller.
In this case, therefore, the Company made its employees’ data available to third parties without having designated data processors and, therefore, in the absence of one of the lawful conditions established by law (Articles 6 and 28 of the Regulation), as well as in the absence of specific instructions (Article 2-quaterdecies of the Code).
It is noted, however, that the Company entered into, on August 23, 2024, a “Data Processing Agreement pursuant to Article 28 of the GDPR” with the other companies that may access and process the electronic data of its employees.
It remains understood that the disclosure of the Company’s employees’ data to third parties occurred in violation of Articles 6 and 28 of the Regulation and Article 2-quaterdecies of the Code.
3.4. Violation of Articles 5, paragraph 1, letter a) and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
The investigations carried out at the Company’s headquarters revealed that, through the installation of satellite telematics devices, the Company collects information relating to its employees’ travel, both for business and private purposes, and retains this information for a period of 13 months.
Specifically, pursuant to the commercial agreement with Arval (Annex 3 to the minutes of February 28, 2024), the Arval Connect system allows the collection of “information relating to the vehicle’s journeys and their use, such as, for example, the date and time of departure and arrival for each journey classified as business, daily mileage, broken down into private mileage, mileage for each journey, indicating the type of route, fuel consumption, and certain indicators of the vehicle’s driving style in terms of safety and eco-sustainability.”
As explained in the previous paragraph, the information made available to supervisors and administrators is particularly detailed and, in fact, concerns not only the overall count of events detected by the devices and the corresponding score (as declared during the investigation), but also the number of business trips made and the kilometers traveled for each crew member. Furthermore, as stated by the Company following discussions with the service provider Arval, the score assigned to each employee takes into account the total number of events detected by the device (i.e., both private and business trips).
This circumstance is relevant for two reasons.
First, it should be noted that, although the satellite telematics installed by the Company on its vehicles lacks a geolocation system (resulting in a less invasive impact on monitoring work activity), the detailed information collected, its storage and subsequent consultation for 13 months from its collection, and the evaluation of data relating to both business and private trips through the assignment of a score, contribute, as a whole, to the performance of a monitoring activity on the employee’s activity. This monitoring activity, carried out in the absence of the guarantee procedures referred to in Article 4 of Law No. 300/1970 (referred to in Article 114 of the Code as a condition for the lawfulness of processing) constitutes a violation of Articles 5, paragraph 1, letter a) and 88 of the Regulation.
In fact, pursuant to Article 114 of the Code, compliance with the provisions of Article 4 of the aforementioned Law No. 300/1970 constitutes a condition for the lawfulness of personal data processing carried out in the workplace, as it is one of the provisions of national law “most specifically designed to ensure the protection of the rights and freedoms with regard to the processing of employees’ personal data in the employment context” identified in Article 88 of the Regulation (see Articles 5, paragraph 1, letter a) and 88 of the Regulation).
From another perspective, it is believed that the acquisition and evaluation of driving style, including during private travel, means that the processing also involves data that is not relevant to the assessment of the employee’s professional aptitude, especially considering that private use of the vehicle is also permitted for the employee’s family members.
This activity thus violates the provisions of Article 8 of Law No. 300/1970 (referenced by Article 113 of the Code as a condition for the lawfulness of processing), which prohibits the employer from conducting investigations, even through third parties, into the employee’s political, religious, or trade union opinions or “facts not relevant to professional aptitude,” either at the time of hiring or during the employment relationship.
On this point, it is useful to recall Ruling No. 18302 of the Civil Cassation Court, Section I, which establishes that “acquiring and storing data that contains (or may contain) similar information already constitutes the integration of prohibited conduct, because it results in an unauthorized investigation into the worker’s opinions and conduct, even if the data is not subsequently used.”
Although the Company, since the first months following the launch of the satellite telematics program, requested the system provider to make the necessary changes to the system to exclude details of driving behavior related to private trips from supervisors/administrators’ visibility, it is still necessary to take into account the subsequent assessments performed on the overall data collected.
Moreover, during the investigation, the Company clarified that, following discussions with the service provider Arval, “the total mileage of each vehicle will necessarily include an aggregate percentage of kilometers traveled for both business and private trips” and that “information relating to private trips cannot be eliminated, hidden, or masked for the Company, without this also impacting all other Arval customers” (note dated May 23, 2025). Therefore, in light of these further clarifications, it is confirmed that the system is not configured to eliminate information on private trips.
Therefore, the violation of Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code remains established.
4. Conclusions: Declaration of unlawfulness of the processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation.
For the above reasons, the Authority believes that the statements, documentation, and reconstructions provided by the data controller during the investigation do not address the concerns notified by the Office with the document initiating the proceedings and are therefore unsuitable for dismissing the present proceedings, given that none of the cases provided for by Article 11 of the Garante Regulation No. 1/2019 apply.
The processing of personal data carried out by the company through the satellite telematics program, which consists of collecting information on employee behavior and driving style and subsequently assessing it for the purpose of assigning a score, violates the provisions of Article 5, paragraph 1, letters a), b), and c) in relation to Article 13 of the Regulation, Article 6, paragraph 1, letter f), Articles 28 and 6 of the Regulation and Article 2-quaterdecies of the Code, and finally Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
The violation, ascertained in accordance with the grounds set forth in the reasoning, cannot be considered “minor,” given the nature of the multiple violations ascertained, which concerned the general principles of processing and the more specific provisions regarding data collection and relevance.
Given the corrective powers granted by Article 58, paragraph 2, of the Regulation, in light of the circumstances of the specific case:
– orders the deletion of the data and information collected by the aforementioned devices, relating to the overall journeys made by the data subjects, on the basis of which the scores are assigned (Article 58, paragraph 2, letter g) of the Regulation);
– orders the application of an administrative pecuniary sanction pursuant to Article 83 of the Regulation (Article 58, paragraph 2, letter i) of the Regulation).
Finally, it is believed that the conditions set out in Article 17 of the Regulation of the Garante no. 1/2019 are met.
5. Adoption of the injunction order for the application of the administrative pecuniary sanction and additional sanctions.
Following the outcome of the proceedings, it was established that the company violated Articles 5, paragraph 1, letters a), b), and c) in relation to Article 13 of the Regulation, Article 6, paragraph 1, letter f), Articles 28 and 6 of the Regulation and Article 2-quaterdecies of the Code, and finally Articles 5, paragraph 1, letter a) and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
Violation of the aforementioned provisions entails the application of the administrative sanction provided for in Article 83, paragraph 5, letters a) and d), of the Regulation, through the issuance of an injunction (Article 18 of Law No. 689/1981).
Deeming it necessary to apply Article 83, paragraph 3, of the Regulation, which provides that “If, in relation to the same or linked processing operations, a controller […] intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement,” the total amount of the fine is calculated so as not to exceed the maximum amount set forth in the same Article 83, paragraph 5.
With reference to the elements listed in Article 83, paragraph 2, of the Regulation for the purposes of applying the administrative fine and its quantification, considering that the fine must “in any event be effective, proportionate and dissuasive” (Article 83, paragraph 1 of the Regulation), it should be noted that, in this case, the following circumstances were considered:
– with regard to the nature, gravity, and duration of the infringement, the infringements established must be considered relevant, which primarily concern the general principles of processing and the more specific provisions protecting workers’ rights;
– The fact that the processing involved data that was not relevant to assessing the worker’s professional aptitude, or data collected outside of the employment relationship, was also taken into account, as was the fact that such data was disclosed to third parties without lawful disclosure;
– With regard to duration, the fact that the processing began in July 2023 and was suspended for approximately 12 months following notification of the violations (July 2024) was also taken into account; the limited number of data subjects involved (5 employees) was also taken into account;
– The lack of previous relevant violations committed by the data controller, the level of cooperation provided during the investigation, and the fact that the Company contacted the system provider to initiate the necessary changes to the program were also taken into account.
Furthermore, it is believed that, given the aforementioned principles of effectiveness, proportionality, and dissuasiveness, which the Authority must adhere to in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), the financial circumstances of the offender, determined based on the turnover for the 2024 financial year, are relevant in this case.
In light of the above factors and the assessments made, it is deemed appropriate, in this case, to impose an administrative fine of €120,000.00 (one hundred and twenty thousand) against Pioneer Hi-Bred Italia Sementi s.r.l.
In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Italian Data Protection Authority No. 1/2019, this chapter containing the injunction should be published on the Italian Data Protection Authority’s website.
This is in light of the type of violations identified that involved data collected through satellite telematics devices.
NOW, CONSIDERING ALL THE ABOVE, THE AUTHORITY
pursuant to Article 57, paragraph 1, letter f), and Article 83 of the Regulation, finds the processing carried out by Pioneer Hi-Bred Italia Sementi s.r.l., represented by its legal representative pro tempore, with registered office in Sissa Trecasali (PR), Via 6 Ottobre 2013 no. 52/54, VAT No. 13349060155, unlawful for violations of Articles 5, paragraph 1, letters a), b), and c) in relation to Article 13 of the Regulation, Article 6, paragraph 1, letter f), Articles 28 and 6 of the Regulation and Article 2-quaterdecies of the Code, and finally Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code;
pursuant to Article 58, paragraph 2, letter g), of the Regulation, orders the deletion of the data collected through the satellite telematics program, relating to the so-called private trips made by the interested parties on the basis of which driving scores are assigned, providing feedback to this Authority within 30 days of notification of this order, pursuant to Article 157 of the Code;
ORDERS
pursuant to Article 58, paragraph 2, letter i) of the Regulation, the same to pay the total sum of €120,000.00 (one hundred and twenty thousand) as an administrative fine for the violations indicated in this order;
ORDERS
that the Company pay the aforementioned sum of €120,000.00 (one hundred and twenty thousand), according to the methods indicated in the attachment, within 30 days of notification of this order, under penalty of the adoption of the subsequent enforcement proceedings pursuant to Article 27 of Law No. 689/1981.
It is hereby stated that, pursuant to Article 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying—again according to the methods indicated in the attachment—an amount equal to half the fine imposed, within the deadline set forth in Article 10, paragraph 3, of Legislative Decree No. 150 of September 1, 2011, provided for filing an appeal as indicated below (Article 166, paragraph 8, of the Code).
ORDERS
– pursuant to Article 166, paragraph 7, of the Code and Article 16 of the Guarantor’s Regulation No. 1/2019, the publication of the injunction order on the Guarantor’s website;
– pursuant to Article 154-bis, paragraph 3, of the Code and Article 37 of the Guarantor’s Regulation No. 1/2019, the publication of this provision on the Guarantor’s website;
– pursuant to Article 17 of the Guarantor’s Regulation No. 1/2019, where applicable, the recording in the Authority’s internal register provided for by Article 57, paragraph 1, letter u), of the Regulation of the violations and measures adopted pursuant to Article 58, paragraph 2, of the same Regulation.
Pursuant to Article 78 of the Regulation, Article 152 of the Code, and Article 10 of Legislative Decree No. 150/2011, an appeal against this decision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same Article 10, within thirty days of the date of notification of the decision, or sixty days if the appellant resides abroad.
Rome, December 18, 2025
THE PRESIDENT
Stanzione
THE REPORTER
Ghiglia
THE SECRETARY GENERAL
Montuori
SEE ALSO NEWSLETTER of January 29, 2026
[web doc. No. 10213711]
Decision of December 18, 2025
Register of Decisions
No. 755 of December 18, 2025
THE ITALIAN DATA PROTECTION AUTHORITY
IN today’s meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Guido Scorza, members, and Dr. Luigi Montuori, Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”);
SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter, the “Code”);
SEEN the complaint filed pursuant to Article 77 of the Regulation against Pioneer Hi-Bred Italia Sementi s.r.l.;
HAVING EXAMINED the documentation in the file;
SEEN the observations made by the Secretary General pursuant to Article 15 of the Guarantor’s Regulation No. 1/2000;
REPORTER: Dr. Agostino Ghiglia;
WHEREAS
1. The inspection activity carried out following the filing of a complaint with the Authority.
On September 15, 2023, this Authority received a complaint, filed pursuant to Article 77 of the Regulation, alleging that, starting from June 2023, Pioneer Hi-Bred Italia Sementi s.r.l. (hereinafter “the Company”) had decided to install a satellite telematics device on company vehicles assigned to its employees, capable of detecting drivers’ driving behavior and using the data thus collected to assign an evaluation score.
Given the sensitivity of the matter raised, the Authority ordered an on-site inspection pursuant to Articles 157 and 158 of the Code to gather all the information necessary to verify the compliance of the processing performed with the principles and provisions regarding the protection of personal data.
The inspections were carried out on February 28 and 29, 2024, at the Company’s headquarters by Authority personnel.
During the inspection, it emerged, preliminarily, that the Company is part of a multinational business group, owned by XX, as evidenced by the ordinary business register obtained during the inspection.
The project to install telematics devices on vehicles used by employees for the purpose of monitoring driving behavior was initiated by XX, headquartered in Switzerland, and involved (at the date of the investigation) only the Italian companies belonging to the same group—XX, XX, and XX, later merged into XX—as well as Pioneer Hi-Bred Italia Sementi s.r.l.
In particular, it was found that the Swiss company entered into a European leasing agreement with XX (a company with registered office in XX) for the leasing of vehicles and their equipment with satellite telematics devices. The agreement, signed on May 12, 2021, includes an attachment to the list of XX companies providing the service in each country where XX operates (Annex 3 to the minutes of February 28, 2024).
Under this agreement, the Italian companies Arval Service Lease Italia S.p.A. (hereinafter “Arval”) and XX, on their own behalf and on behalf of the other Italian companies belonging to the XX group, have signed a commercial agreement that specifically governs the activation of the satellite telematics service called Arval Connect Essential on vehicles leased by Arval (Annex 4 to the minutes of February 28, 2024).
The Arval Connect service is a satellite telematics service that provides the lessee, via a dedicated web platform, with a series of information collected from satellite telematics devices installed on the leased vehicles. The information collected by the satellite devices varies depending on the service provided.
In this case, the Italian companies of the XX group use the Essential service, which allows them to collect information relating to all types of trips made, both “professional” and “private,” collecting the date and time of departure and arrival, kilometers traveled, fuel consumption, and information relating to driving behavior such as braking, acceleration, speed, steering, and cornering, assigning a score to each of these behaviors. The average of the scores, on a monthly basis, allows driving style to be assigned a risk level (low, medium, and high), based on which different intervention methods can be implemented to improve driving behavior (minutes of February 29, 2024).
The installation of satellite telematics devices on company vehicles by the Italian XX group began in July 2023 and was implemented on eight vehicles used individually by employees of the group’s Italian companies as a fringe benefit and on three pool cars, i.e., vehicles not assigned individually and used only for business travel (minutes of February 28, 2024, p. 3, and February 29, 2024, p. 2).
With regard to the processing carried out by Pioneer Hi-Bred Italia Sementi s.r.l., it was ascertained that:
– the Company processes data relating to employees’ driving style as the data controller, pursuant to Article 4, No. 7, of the Regulation;
– “The information notice pursuant to Article 13 of the Regulation was prepared by XX and is used by all affiliated companies, including Pioneer Hi-Bred Italia Sementi s.r.l., each of which is the data controller of the data relating to its employees” (minutes of February 29, 2024, page 3);
– The information notice was made available to employees through an internal training system, together with a document containing FAQs that illustrate some of the features of the telematics system (Annex 2 to the minutes of February 28, 2024 and Annex 4 to the minutes of February 29, 2024);
– With respect to the processing in question, a register of processing operations pursuant to Article 30 of the Regulation has been prepared, which is updated in the first three months of each year, and an impact assessment has been conducted pursuant to Article 35 of the Regulation (Annex 1 to the minutes of February 28, 2024, and Annex 2 to the minutes of February 29, 2024);
– the guarantee procedure referred to in Article 4 of Law No. 300/1970 was not activated, as this service was not deemed capable of providing any form of control over work activities (minutes of February 29, 2024, page 4);
– the information collected via electronic devices is retained for 13 months, so since processing began in July, the data was fully available to the Company at the date of the inspection;
– geolocation data is not processed, as the contract with Arval does not provide for the provision of this service.
With regard to the access profiles to the web platform made available by Arval and the type of data displayed, it was found that:
– each employee assigned a company car equipped with the telematics device can access the Arval Connect platform using authentication credentials and view the data collected for each trip, whether private or business (minutes of February 28, 2024, page 3);
– two additional platform access profiles are provided, supervisor and administrator, which can be assigned to employees of other group companies (minutes of February 29, 2024, page 3);
– the user with the supervisor profile receives, on a monthly basis and via email, an Excel file (accessible with a password) containing a macro showing, for each driver in their fleet, the number of events recorded for both private and business trips and the corresponding assigned score (Annex 5 to the minutes of February 29, 2024);
– The administrator user is assigned to four people, two of whom are employees of XX and two of XX. The administrator logs in to the Arval platform using authentication credentials and views information relating to the entire European fleet, which, at the time of the inspection, only concerned those used by Italian companies. The administrator also views detailed information on the business trips made by their employees, including the start and end times and the number of events recorded for both business and private trips (Annex 6 to the report of February 29, 2024).
– By the end of the relevant calendar month, the driver/interested party may select the private trips from the completed trips so as not to make the related detailed information available to the supervisor and administrator. Alternatively, the driver may activate the “privacy” button on the vehicle before making a private trip (report of February 28, 2024, page 3).
– “The classification of the trip as private affects only the calculation of kilometers traveled, and the system, in calculating scores, also takes into account driving behaviors (abrupt braking, sudden acceleration, etc.) related to private trips” (minutes of February 29, 2024, page 5);
– Where the data collected indicates a score corresponding to an intermediate or high risk level, the supervisor must initiate discussions with the driver/interested party to identify corrective actions.
1.1. The documentation submitted by the Company to resolve the reservations expressed during the inspection.
With a note dated March 21, 2024, the Company submitted further information and documents to supplement the information provided during the inspection.
Specifically, the list of vehicles equipped with satellite telematics devices (identified by license plate number, make, and model) was provided, associated with the name of the driver, the supervisor, and the respective employer companies. Indeed, of the eight vehicles equipped with the telematics device, five are assigned to Company employees and three to employees of another group company (XX).
An examination of the documentation revealed that the supervisor is employed by a company other than the driver, and specifically, in three cases, the supervisor is employed by XX group companies based abroad (XX, XX, and XX).
Regarding the roles played by the various companies in relation to the processing of personal data of the Company’s drivers/employees, it was also clarified that:
– The data controller is the driver’s employer, while supervisors “have a mentoring role in this process as they receive the results of driving behavior and support/advise the employee and employer by proposing improvement actions that have been established by XX’s Safety Program. Supervisors do not make decisions regarding the processing of personal data and cannot impose any disciplinary sanctions related to driving behavior.”
– “ARVAL, the supplier that provides the telematics device, is a Data Controller (as established in the Data Processing Agreement signed in accordance with Article 28 of the European Privacy Regulation).”
– “The Data Controllers are XX’s system administrator companies that have access to the data contained in the Arval portal (XX and XX [whose administrator profiles work for them]). We are planning a service agreement.”
– No specific instructions on data processing were provided, but instructions on retention procedures were sent as an attachment to the monthly report;
– “System administrator access does not allow viewing details of private trips, but it does allow viewing the total number of Events (business and private trips combined) and the number of Events related to business trips only. Therefore, a System Administrator could calculate the number of Events related to private trips. We have decided to remove system administrator access to driving behavior data on the portal. System administrators will have access to the document sent monthly to supervisors.”
2. The initiation of the procedure for the adoption of corrective measures and sanctions pursuant to Article 58, paragraph 1, letter d), of the Regulation and Article 166, paragraph 5, of the Code.
In light of the information gathered, the Office notified the party, pursuant to Article 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of corrective measures and sanctions (note dated 03/07/2024), for the violation of:
– Articles 5, paragraph 1, letters a), b), and c), and 13 of the Regulation, in relation to the inadequacy of the information provided;
– Article 6, paragraph 1, letter f), in relation to the lack of a balancing of legitimate interest against the fundamental rights and freedoms of the data subject;
– Articles 28 and 6 of the Regulation and 2-quaterdecies of the Code in relation to the failure to designate data processors and provide related instructions on data processing;
– Article 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
The Company submitted its defense briefs pursuant to Article 18 of Law No. 689/1981, providing its observations regarding the content of the notification.
In particular, the Company preliminarily communicated that it had stopped “the processing of Telematic Data (…) relating to drivers, when they undertake private travel. In other words, the Company will process exclusively the Telematic Data collected during its employees’ business travel.” Therefore, “the Company has instructed its service provider, Arval Service Lease Italia S.p.A. (‘Arval’), to suspend all data processing until further notice, in order to implement appropriate technical, organizational, and contractual measures to ensure that data relating to private travel (‘Private Travel Data’) are not collected and processed by Arval on behalf of the Company.”
With regard to the violation of the principles of transparency and fairness of processing, purpose limitation, and data minimization in relation to the information provided, the Company stated that:
– “Prior to the date of the Order [or rather, the act initiating the sanctioning proceedings], the Company adopted a ‘layered’ approach to the privacy notice provided to drivers (‘Telematics Privacy Notice’) relating to the Telematics Program. This approach, developed by the Company over time, took into account the transparency guidelines of the European Data Protection Board (…)”;
– “In particular: the Telematics Privacy Notice was integrated with the Company’s ‘Telematics FAQs’ (already provided by the Company to the Italian Data Protection Authority during the Inspection of February 29, 2024) (‘Telematics FAQs’); in doing so, the Company intended to contextualize the information relating to the Telematics Program across multiple documents and actions, in a manner that the Company believed would provide drivers with a clear understanding of how and why their personal data was being processed.”
– “In addition to the FAQs on Telematics provided to employees, the Company has also provided them with mandatory training through a dedicated online platform called ‘Grow U'”;
– “In light of the observations made by this Most Illustrious Authority in the Transparency Order, the Company has collected (in its updated Privacy Notice for Telematics Systems) the relevant information contained in the FAQs on Telematics and the Training on Telematics, with the aim of creating a single Privacy Notice for Telematics Systems.”
With regard to the violation of Article 6, paragraph 1, letter f), of the Regulation (“Lack of a balancing test of legitimate interest against the data subject’s fundamental rights and freedoms”), the Company stated that:
– the document containing the LIA (“Legitimate Interest Assessment”), “was actually provided to the Data Protection Authority during the inspection of February 28, 2024 (…), in the email with the subject ‘Pioneer Hi-Bred Italia Sementi S.r.l. – assessments’, as an attachment named ‘PIA_EHS_Europe_Cartelematics_v8.xlsx’ in Annex 4 of document ‘6. LIA’. In particular, Part 3 of the latter document illustrated the considerations and assessments made by the Company regarding the balancing test relating to its legitimate interest”;
– “In any case, the Company has carefully considered the overall observations made by the Garante regarding the Telematics Program and has taken this opportunity to update its LIA accordingly (…). The updated LIA now includes further details regarding: (i) the Telematic Purposes; (ii) the Telematic Data flows between the Company and its data processors, including Arval; and (iii) the restriction of the processing of any Data relating to private travel by, or on behalf of, the Company.”
Regarding the violation of art. 28 of the Regulation, the Company stated that “as reported during the Inspection, it has now finalized the procedure for entering into a data processing agreement pursuant to Article 28 of the GDPR (‘DPA’) with the other companies that may access and process the Telematics Data in connection with the Telematics Program (see Annex 3). The DPA precisely specifies the identity of the legal entities involved, the purposes for which these entities act as data processors on behalf of the Company, as well as the other elements required by Articles 28, 29, and 45 of the GDPR.”
Finally, with reference to the violation of Articles 113 and 114 of the Code (in relation to Articles 4 and 8 of the Workers’ Statute), the Company stated that:
– “Since the Company has not collected or processed—and will continue not to do so—employee geolocation data as part of its Telematics Program (and the Telematics Program did not appear to constitute an employee monitoring activity), the Company, together with the union representatives, believed that such an agreement was unnecessary. Therefore, the Company has not entered into any agreement with the union representatives in Italy regarding the Telematics Program. To date, based on the helpful comments provided by this Most Illustrious Authority, the Company is consulting with its union representatives in Italy with a view to reaching an agreement pursuant to Article 4 of the Workers’ Statute.”
– “On July 29, 2024, the Company instructed Arval to suspend all processing of Telematics Data under the Telematics Program until the measures and solutions agreed upon with the Company are implemented. This will ensure a more rigorous application of the data minimization principle, preventing any form of collection of Data relating to private travel by or on behalf of the Company. On August 12, 2024, Arval confirmed that it had complied with the Company’s instructions and, therefore, had stopped collecting and processing Telematics Data.”
– “Considering the above, the Company – by suspending the collection and processing of Telematics Data – is acting in full compliance with Article 8 of the Workers’ Statute, as it does not and will no longer process any Data relating to private travel (or any other personal data that is not necessary for the purposes of assessing employee driving behavior).”
In a subsequent communication dated May 23, 2025, the Company announced that:
– “At an advanced stage of discussions with Arval, the Company learned that the total mileage for each vehicle will necessarily include an aggregate percentage of kilometers traveled for both business and private trips.”
– “This information will be visible exclusively to Company administrators within the Arval dashboard, who confirmed that information relating to private trips cannot be deleted, hidden, or masked for the Company without affecting all other Arval customers.” “In any case, data relating to private trips is available, on the Arval portal, exclusively as a total percentage, in fully aggregated form (meaning it is not calculated for each individual trip).”
3. The outcome of the investigation and the procedure for the adoption of corrective measures and sanctions.
Following an examination of the documentation submitted and the statements made to the Authority during the proceedings, and given that, unless the act constitutes a more serious crime, anyone who, in proceedings before the Data Protection Authority, falsely declares or certifies information or circumstances, or produces false documents or records, is liable pursuant to Article 168 of the Code (“False statements to the Data Protection Authority and interruption of the performance of the duties or exercise of the powers of the Data Protection Authority”), it is established, based on the documentation obtained, the findings of the inspections conducted, and the statements made by the party itself, that Pioneer Hi-Bred Italia Sementi s.r.l. is the data controller pursuant to Article 4, No. 7, of the Regulation.
The Company, as data controller, has processed personal data relating to its employees in violation of the regulations on the protection of personal data, as specified below.
3.1. Violation of Articles 5, paragraph 1, letters a), b), and c), and 13 of the Regulation.
First of all, it should be noted that, given the processing of personal data carried out by the Company using the satellite telematics program, the documentation acquired during the inspection presented clear critical issues, particularly regarding the identification of the data controller, data processors, and recipients of the data collected through the devices.
This is because the documentation was prepared at the group level and addressed to all affiliated companies, some of which are headquartered outside the European Union. Consequently, the privacy notice, even when read in conjunction with the FAQs, was not adequate to transparently and accurately represent the essential characteristics of the processing, such as the purposes and lawfulness of processing, and to provide data subjects with sufficiently clear information on the entities holding the role of data controller and data processor.
In its defense, the Company argued that it opted for a “layered” approach to providing data subjects with information on the processing performed, acting in line with the guidance provided by the Article 29 Working Party in the Transparency Guidelines adopted on November 29, 2017.
In this regard, it should be noted that in the aforementioned Guidelines, the Working Party, while recommending the use of layered privacy statements/information notices (especially in the digital environment), also specifies that “All information addressed to data subjects should be available in a single location or in a comprehensive document (in digital or paper format), to which they can easily access if they wish to consult the information in its entirety” (point 17).
This introduces the criterion of “easy accessibility,” which implies that the data subject is not forced to search for the information, but rather that it is immediately clear where and how it can be accessed (point 11, Guidelines cited). In this case, for example, the information notice could have included a reference or link to the FAQs to inform data subjects of the existence of other prepared documents.
In any case, reading both texts (the information notice and the FAQs) together does not allow us to determine who holds the role of data controller or joint controllers, a particularly relevant circumstance given the complex data flows between the various companies within the same corporate group.
In fact, the information notice appears to have been prepared by XX, without specifying whether it is XX, the parent company in Italy, or XX, the European leader of the telematics project, or something else.
Only during the inspection was it clarified that, in general, the data controller is the company that processes the personal data of its employees. This information, which was not made available to data subjects, was updated only following the changes introduced following notification of the initiation of the sanctioning procedure.
Another element not adequately expressed in the information documents concerns the recipients of the data collected by the devices. As the investigation revealed, the supervisor and the administrator, each of whom may also be an employee of another company in the group, can access (directly via the platform or by receiving a file) various types of data.
The information document acknowledged that “access” to driver data is granted to “those with a need to know,” “which may include the manager, EH&S, Human Resources, Legal, Internal Audit, and law enforcement authorities.”
This very vague and general language does not provide precise information about the individuals authorized to access the data, the methods by which driver information is made available, and, above all, the “needs” (i.e., the legitimate grounds) that justify access to the data.
The FAQ, however, stated that “Driver driving behavior data will be available to driver supervisors (only for their team members) and the program administrator via an Excel file shared by Arval.”
In addition to the inaccuracy of this last statement, it should be noted that a joint reading of the documents does not provide a clear and transparent picture of who is actually authorized to access driver driving behavior data, and to what degree of detail (i.e., whether information related to business trips or also so-called private trips), how the processing is carried out (i.e., whether through direct access to the platform or through communication), and the relevant lawfulness requirements.
Finally, it should be noted that the information provided to data subjects at the start of the processing lacks clear indications regarding the purposes of the processing, as required by Article 13(c) of the Regulation, in conjunction with Article 5(1)(b).
The stated purpose of “maintaining safe and defensive practices and (…) zero car collisions worldwide” is irrelevant from the perspective of personal data processing, as it constitutes the general purpose of the XX Group project, which was not defined based on the characteristics of the processing.
Therefore, given the absence of a clear and specific purpose for the processing, the data relevant and necessary for achieving that purpose have not been identified (Article 5, paragraph 1, letter c) of the Regulation, principle of data minimization).
These aspects have been addressed in the new disclosure template, which currently lists the data (relating to business travel) necessary and relevant to each purpose pursued.
In any case, the violation of the principles of transparency and fairness, purpose limitation, and data minimization remains established in relation to the disclosure initially prepared by the Company (Article 5, paragraph 1, letters a), b), and c), and Article 13 of the Regulation).
3.2. Violation of Article 6, paragraph 1, letter f), of the Regulation.
Based on the initial information notice, it was found that the lawful basis for the data processing carried out through the satellite telematics program was identified as XX’s legitimate interest in “improving safe driving performance, saving lives, and efficiently and effectively managing its global fleet of vehicles” (Notice point 2.1).
In this regard, it is noted that, pursuant to Article 6, paragraph 1, letter f), of the Regulation, legitimate interest may constitute an appropriate basis for lawfulness of processing only “provided that the interests or fundamental rights and freedoms of the data subject do not prevail,” “taking into account the reasonable expectations of the data subject based on his or her relationship with the controller” (recital 47).
This condition therefore requires a balancing of the competing rights and interests at stake, by identifying and describing not only the interests of the data controller, but also the fundamental rights and freedoms of the data subjects.
Given that Article 35 of the Regulation requires the data controller to conduct the impact assessment, it should be noted that, in this case, during the inspection, an Excel file was produced containing a “DPIA questionnaire provided by Germany DPO in February 2023” and another “DPIA template from CNIL/France used by XX as EU DPIA template” (Annex 1 to the minutes of 28/02/2024).
In both cases, the document cannot be usefully assessed for the purposes of proper fulfillment of the obligation under Article 35 of the Regulation.
Similarly, with regard to the LIA included in the same document, which appears to have been prepared using the ICO model, only the interests of the XX group are identified, consisting, as mentioned, in “an improved driving safety behavior and optimization of car costs.” However, this does not consider other elements useful for balancing the two, such as (in addition to the data subject’s freedoms, interests, and rights), the impact of the processing on the data subjects, taking into account the type of data processed, the context and consequences for the data subjects, and the data subjects’ reasonable expectations of confidentiality.
Although these aspects were addressed in the LIA prepared following the initiation of the sanctioning proceedings (attached to the defense briefs of September 2, 2024), it should be emphasized that the document does not take into account the processing carried out by the Company with reference to data relating to so-called private trips, which, as specified during the investigation (see note dated May 23, 2025), continue to be collected by IT devices and used to evaluate driver behavior.
Given that with respect to this type of information, the legitimate interest of the data controller cannot be invoked as a basis for lawfulness, the violation of Article 6, paragraph 1, letter f), of the Regulation remains established in relation to the processing of employee data by the Company.
3.3. Violation of Articles 28 and 6 of the Regulation and Article 2-quaterdecies of the Code.
With regard to the persons authorized to view information on drivers’ driving behavior, it should be noted that, during the inspection, it was discovered that administrators directly access the travel data of Company employees through the Arval portal, contrary to what was indicated in the information notice; supervisors, however, receive a monthly report with information on the total number of events recorded in the reference month and the score achieved for each member assigned to their fleet.
Furthermore, system access revealed that supervisors access additional information regarding the drivers assigned to their fleet, specifically the number of trips made and kilometers traveled in the reference month, and the average scores achieved for both environmental sustainability and safety up to three months prior (see Attachment 5 to the minutes of February 29, 2024).
With the subsequent communication of March 21, 2024 (issued following the resolution of reservations expressed during the inspection), the Company declared that it had standardized the procedures for accessing data on its employees’ driving style, requiring the administrator to also receive the same document sent to the supervisor on a monthly basis.
Regardless of the manner in which the information is made available to third parties and its level of detail, of particular importance in this case is the fact that both the supervisors and the administrators are employees of other companies belonging to the XX group (see section 1.1 for details) and that the flow of personal data between the companies has not been regulated by an appropriate legal act.
In fact, in the aforementioned communication of March 21, 2024, the Company merely stated that the companies to which the administrators belong are data controllers and that a service agreement is being planned, without providing supporting documentation or specifying anything else.
Similarly, regarding the position of the supervisors, it does not appear that the Company provided adequate instructions regarding the processing operations performed, given the amount of information made available to them.
This conduct therefore violates the data protection regulations, which, in regulating data flows between companies within the same corporate group, provide that each affiliated or controlled company has independent ownership of the personal data of its employees and collaborators (see Guidelines on the Processing of Workers’ Personal Data for the Purpose of Managing the Employment Relationship in Private Employers, Order No. 53 of 23 November 2006; paragraph 3.2).
In line with the above, it is also noted that, pursuant to the provisions of the Regulation, the data controller, in implementing the technical and organizational measures for which it is responsible, including security measures (Articles 24 and 32 of the Regulation), may appoint a data processor to carry out certain processing activities, to whom it provides specific instructions (see Recital 81 of the Regulation).
In this case, the controller “shall use only processors providing sufficient guarantees to implement appropriate measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of data subjects” (Article 28, paragraph 1, of the Regulation).
Pursuant to the aforementioned Article 28 of the Regulation, the controller may also entrust processing to external parties, but must adequately regulate the relationship with them through a contract (or other legal document) and provide instructions regarding the main characteristics of the processing.
The processor is therefore entitled to process data subjects’ data “only upon documented instructions from the controller” (Article 28, paragraph 3, letter a), of the Regulation) and within the specific limits defined by the controller.
In this case, therefore, the Company made its employees’ data available to third parties without having designated data processors and, therefore, in the absence of one of the conditions for lawfulness provided for by law (Articles 6 and 28 of the Regulation), as well as in the absence of specific instructions (Article 2-quaterdecies of the Code).
It is noted, however, that the Company entered into, on August 23, 2024, a “Data Processing Agreement pursuant to Article 28 of the GDPR” with the other companies that may access and process the electronic data of its employees.
It remains clear that the disclosure of the Company’s employees’ data to third parties occurred in violation of Articles 6 and 28 of the Regulation and Article 2-quaterdecies of the Code.
3.4. Violation of Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
The investigations carried out at the Company’s headquarters revealed that, through the installation of satellite telematics devices, the Company collects information relating to the trips made by its employees, both for work and private purposes, and retains this information for a period of 13 months.
In particular, pursuant to the provisions of the commercial agreement with Arval (Annex 3 to the minutes of February 28, 2024), the Arval Connect system allows the collection of “information relating to the journeys made by the vehicle and its use, such as, for example, the date and time of departure and arrival for each trip classified as business, daily mileage with a distinction between private mileage, mileage for each trip with an indication of the type of route, fuel consumption, and certain indicators regarding the vehicle’s driving style in terms of safety and eco-sustainability.”
As explained in the previous paragraph, the information made available to supervisors and administrators is particularly detailed and, in fact, concerns not only the overall count of events detected by the devices and the associated score (as declared during the investigation), but also the number of business trips made and kilometers traveled for each crew member. Furthermore, as stated by the Company following discussions with the service provider Arval, the score assigned to each employee takes into account the overall number of events detected by the device (i.e., both private and business trips).
This circumstance is relevant for two reasons.
First, it should be noted that, although the satellite telematics installed by the Company on its vehicles lacks a geolocation system (resulting in a less invasive impact on monitoring work activity), the detailed information collected, its storage and subsequent consultation for 13 months from its collection, and the evaluation of data relating to both business and private travel through the assignment of a score, all contribute, taken together, to monitoring the worker’s activity. This monitoring, carried out in the absence of the safeguard procedures referred to in Article 4 of Law No. 300/1970 (referred to in Article 114 of the Code as a condition for the lawfulness of processing), constitutes a violation of Articles 5, paragraph 1, letter a) and 88 of the Regulation.
Indeed, pursuant to Article 114 of the Code, compliance with the provisions of Article 4 of the aforementioned Law No. 300/1970 constitutes a condition for the lawfulness of personal data processing carried out in the workplace, as it is one of the provisions of national law “most specific to ensure the protection of the rights and freedoms with regard to the processing of employees’ personal data in the context of employment relationships” identified by Article 88 of the Regulation (see Articles 5, paragraph 1, letter a) and 88 of the Regulation).
From another perspective, it is believed that the collection and evaluation of driving style, including during private travel, means that the processing also involves data that is not relevant to the assessment of the employee’s professional aptitude, especially considering that private use of the vehicle is permitted even by the employee’s family members.
This activity thus violates the provision of Article 8 of Law No. 300/1970 (referenced by Article 113 of the Code as a condition for the lawfulness of processing), which prohibits the employer from conducting investigations, even through third parties, into the employee’s political, religious, or trade union opinions or “facts not relevant to professional aptitude,” either at the time of hiring or during the employment relationship.
On this point, it is useful to recall Ruling No. 18302 of the Civil Cassation Court, Section I, which establishes that “acquiring and retaining data that contains (or may contain) such information already constitutes prohibited conduct, as it constitutes an unauthorized investigation into the employee’s opinions and conduct, even if the data is not subsequently used.”
Although the Company, since the first months following the launch of the satellite telematics program, requested the system provider to make the necessary changes to the system to exclude details of driving behavior related to private trips made by the individuals concerned from supervisors/administrators’ visibility, it is still necessary to take into account the subsequent assessments performed on the overall data collected.
Furthermore, during the investigation, the Company clarified that, following discussions with the service provider Arval, “the total mileage of each vehicle will necessarily include an aggregate percentage of kilometers traveled for both business and private trips” and that “information relating to private trips cannot be eliminated, hidden, or masked for the Company, without this also impacting all other Arval customers” (note dated 23/05/2025). Therefore, in light of these further clarifications, it is confirmed that the system is not configured to eliminate information on private trips.
Therefore, the violation of Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code remains established.
4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation.
For the above reasons, the Authority believes that the statements, documentation, and reconstructions provided by the data controller during the investigation do not address the concerns notified by the Office in the initiation of the proceedings and are therefore unsuitable for dismissing this proceeding. Furthermore, none of the cases provided for in Article 11 of the Italian Data Protection Authority Regulation No. 1/2019 apply.
The processing of personal data carried out by the company using the satellite telematics program, which consists of collecting information on employee behavior and driving style and subsequently assessing it for the purpose of assigning a score, appears to have occurred in violation of the provisions of Article 5, paragraph 1, letters a), b), and c) in relation to Article 13 of the Regulation, in violation of Article 6, paragraph 1, letter f), Articles 28 and 6 of the Regulation, Article 2-quaterdecies of the Code, and finally Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
The violation, ascertained in the terms set out in the grounds, cannot be considered “minor,” given the nature of the multiple violations ascertained, which concerned the general principles of processing and the more specific provisions regarding data collection and relevance.
Given the corrective powers granted by Article 58, paragraph 2, of the Regulation, in light of the circumstances of the specific case:
– orders the deletion of the data and information collected by the aforementioned devices, relating to the overall journeys made by the data subjects, on the basis of which the scores are assigned (Article 58, paragraph 2, letter g) of the Regulation);
– orders the application of an administrative pecuniary sanction pursuant to Article 83 of the Regulation (Article 58, paragraph 2, letter i) of the Regulation).
Finally, it is believed that the conditions set forth in Article 17 of the Italian Data Protection Authority Regulation No. 1/2019 are met.
5. Adoption of the injunction order for the application of the administrative pecuniary sanction and additional sanctions.
Following the outcome of the proceedings, it was established that the company violated Articles 5, paragraph 1, letters a), b), and c) in relation to Article 13 of the Regulation, Article 6, paragraph 1, letter f), Articles 28 and 6 of the Regulation and Article 2-quaterdecies of the Code, and finally Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code.
Violation of the aforementioned provisions entails the application of the administrative sanction provided for in Article 83, paragraph 5, letters a) and d), of the Regulation, by issuing an injunction order (Article 18 of Law No. 689/1981).
Considering that Article 83(3) of the Regulation should be applied, which provides that “If, for the same or linked processing operations, a controller […] infringes several provisions of this Regulation, intentionally or negligently, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement,” the total amount of the fine is calculated so as not to exceed the maximum fine provided for in the same Article 83(5).
With reference to the elements listed in Article 83, paragraph 2, of the Regulation for the purposes of applying the administrative fine and its quantification, taking into account that the fine must “in any case be effective, proportionate, and dissuasive” (Article 83, paragraph 1 of the Regulation), it is noted that, in this case, the following circumstances were considered:
– with reference to the nature, severity, and duration of the violation, the established violations must be considered relevant, which primarily concern the general principles of processing and the more specific provisions protecting workers’ rights;
– the circumstance that the processing concerned data that was not relevant for the purposes of assessing the worker’s professional aptitude, or data collected outside the employment relationship, as well as the fact that such data was disclosed to third parties without the conditions of lawfulness, was also taken into account;
– With regard to duration, it was considered that the processing began in July 2023 and that, following the notification of the violations (July 2024), it was suspended for approximately 12 months to identify corrective actions. The limited number of data subjects involved (5 employees) was also taken into account.
– Furthermore, the absence of previous relevant violations committed by the data controller, the level of cooperation provided during the investigation, and the fact that the Company contacted the system provider to initiate the necessary changes to the program were also taken into account.
Furthermore, it is believed that, given the aforementioned principles of effectiveness, proportionality, and dissuasiveness, which the Authority must adhere to in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), the financial circumstances of the offender, determined based on the turnover for the 2024 financial year, are relevant in this case.
In light of the above factors and the assessments made, it is deemed appropriate, in this case, to impose an administrative fine of €120,000.00 (one hundred and twenty thousand) against Pioneer Hi-Bred Italia Sementi s.r.l.
In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Italian Data Protection Authority No. 1/2019, this chapter containing the injunction should be published on the Italian Data Protection Authority’s website.
This is in light of the type of violations identified that involved data collected through satellite telematics devices.
NOW, CONSIDERING ALL THE ABOVE, THE AUTHORITY
pursuant to Article 57, paragraph 1, letter f), and Article 83 of the Regulation, finds the processing carried out by Pioneer Hi-Bred Italia Sementi s.r.l., represented by its legal representative pro tempore, with registered office in Sissa Trecasali (PR), Via 6 Ottobre 2013 no. 52/54, VAT No. 13349060155, unlawful for violations of Articles 5, paragraph 1, letters a), b), and c) in relation to Article 13 of the Regulation, Article 6, paragraph 1, letter f), Articles 28 and 6 of the Regulation and Article 2-quaterdecies of the Code, and finally Articles 5, paragraph 1, letter a), and 88 of the Regulation in relation to Articles 113 and 114 of the Code;
pursuant to Article 58, paragraph 2, letter g), of the Regulation, orders the deletion of the data collected through the satellite telematics program, relating to the so-called private trips made by the interested parties on the basis of which driving scores are assigned, providing feedback to this Authority within 30 days of notification of this order, pursuant to Article 157 of the Code;
ORDERS
pursuant to Article 58, paragraph 2, letter i) of the Regulation, the Company to pay the total sum of €120,000.00 (one hundred and twenty thousand) as an administrative fine for the violations indicated in this order;
ORDERS
that the Company pay the aforementioned sum of €120,000.00 (one hundred and twenty thousand), according to the methods indicated in the attachment, within 30 days of notification of this order, under penalty of the adoption of the subsequent enforcement proceedings pursuant to Article 27 of Law No. 689/1981.
It is hereby stated that, pursuant to Article 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying—again according to the methods indicated in the attachment—an amount equal to half the fine imposed, within the deadline set forth in Article 10, paragraph 3, of Legislative Decree No. 150 of September 1, 2011, provided for filing an appeal as indicated below (Article 166, paragraph 8, of the Code).
ORDERS
– pursuant to Article 166, paragraph 7, of the Code and Article 16 of the Guarantor’s Regulation No. 1/2019, the publication of the injunction order on the Guarantor’s website;
– pursuant to Article 154-bis, paragraph 3, of the Code and Article 37 of the Guarantor’s Regulation No. 1/2019, the publication of this provision on the Guarantor’s website;
– pursuant to Article 17 of the Guarantor’s Regulation No. 1/2019, where applicable, the recording in the Authority’s internal register provided for by Article 57, paragraph 1, letter u), of the Regulation of the violations and measures adopted pursuant to Article 58, paragraph 2, of the same Regulation.
Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree No. 150/2011, this provision may be challenged before the ordinary judicial authority by an appeal filed with the ordinary court of the place identified in the same Article 10, within thirty days from the date of notification of the provision itself, or sixty days if the appellant resides abroad.
Rome, December 18, 2025
THE PRESIDENT
Stanzione
THE REPORTER
Ghiglia
THE SECRETARY GENERAL
Montuori
</pre>