In its 15 April 2021 injunction order, the Italian Data Protection Authority fined a company operating in the manufacturing sector for failing to punctually and adequately inform the employees about the features of a computer system. In doing so, the company unlawfully processed workers’ data beyond the limits set by the authorisation of the local labour inspectorate and the purposes indicated in the provided policies.
The complaint and investigation
The Data Protection Authority's investigation found that the computer system coexisted with the previous method of organising work, which was based on paper forms showing employees' names in plain text. The forms were stored and recorded in the software without any form of separation, contradicting both the privacy policies describing how the system functioned and the authorisation issued by the Labour Inspectorate, which had expressly prohibited using the collected data for disciplinary purposes. It also emerged that the data collected through this tool had been used to verify the truthfulness of the statements made by an employee during disciplinary proceedings initiated against them.
In addition, it emerged that there were irregularities in the retention periods of the data collected and processed, which, according to the company’s statement, should have been commensurate with what was necessary for the “monitoring/evaluating production cycles.”
The Data Protection Authority’s decision