DLP Insights

Controls: company information found on former employee’s company PC can be used

Categories: DLP Insights, Case Law | Tag: Dismissal

29 Nov 2021

With its ruling no. 33809 of 12 November 2021, the Court of Cassation stated that an employee who deletes or transfers company data outside is engaging in disciplinary conduct and a civil and criminal offence. The employer may legitimately acquire and produce the private correspondence found after the Company’s personal computer is returned and present this evidence in Court to prove the employee’s unlawful conduct. The right to defence in Court prevails over the inviolability of correspondence.

Facts of the case

In this case, a manager, after resigning, returned to the company the personal computer assigned, completely formatted and without any document, data or company information. The employer then turned to a computer expert to recover the data and information deleted by the former employee.

After retrieving the password to access the Skype platform, the expert found some conversations had by the former employee with parties outside the company organisation (including competing companies), revealing the perpetration of a series of disloyal and illegal conducts. The Company filed a claim for compensation for the damages allegedly suffered because of the manager’s conduct.

The Court of Appeal of Turin, overturning the first instance court’s decision, held that the Company’s claim was unfounded, ruling out the existence of any evidence of the employee’s allegedly unlawful conduct and consequently the right to compensation for the damages claimed. The Court of Appeal considered the conversations acquired by the Company on the manager’s Skype account unusable in Court, as they were obtained in violation of the secrecy of correspondence and without his consent.

The Supreme Court of Cassation’s ruling

In overturning the Court of Appeal’s decision, the Court of Cassation found that the employee conduct damaged the Company’s assets. This was relevant not only in civil law terms, with the consequent right of the employer to compensate for the damage suffered, but in criminal law, as it constituted an offence provided for in Article 635 bis of the Italian Criminal Code (i.e. damaging information, data and computer programs). According to the Court of Cassation, the employee conduct is relevant from a disciplinary point of view as it was contrary to the obligations of loyalty and diligence.

As for the legitimacy of documents containing personal data produced in legal proceedings, the Supreme Court, referring to previous decisions, affirmed that this is allowed when necessary to exercise one’s own right of defence, even in the absence of the owner’s consent and any method used to acquire their knowledge. However, defending oneself in legal proceedings, using the others’ personal data, must be exercised regarding the duties of correctness, pertinence and non-excessiveness (…). Document production legitimacy must be based on the balance between the content of the data used, to which the degree of confidentiality must be applied, and the defence needs.”

As for the personal data processing, the Court stated that “the right to defence in Court prevails over the right to inviolability of correspondence, allowing art. 24, letter f) Law 196/2003 to disregard the data subject consent for personal data processing, when it is necessary to protect a right in Court.” The Court continued, “This is conditional on data being processed exclusively for that purpose and the period strictly necessary for its pursuit.

According to the Supreme Court, the right of defence would not be limited to the legal proceedings stage, as it could be extended to evidence gathering in the procedure, even before a dispute has been formally established.

Finally, the Court of Cassation, in explaining its decision, confirmed the legitimacy of the checks carried out by the employer under the rules contained in art. 4, Law no. 300/1970 (applicable ratione temporis), finding the checks “defensive” in nature. According to the Court, the checks took place after the employment termination and after the commission of the harmful act which consisted of deleting company data by the manager.

Other related insights:

More insights