DLP Insights

Data Protection Authority: the employer must properly inform employees about the company systems used

Categories: DLP Insights, Practice | Tag: Data Protection Authority, GDPR

31 May 2021

In its 15 April 2021 injunction order, the Italian Data Protection Authority fined a company operating in the manufacturing sector for failing to punctually and adequately inform the employees about the features of a computer system. In doing so, the company unlawfully processed workers’ data beyond the limits set by the authorisation of the local labour inspectorate and the purposes indicated in the provided policies. 

The complaint and investigation

The Data Protection Authority intervened following the complaint lodged by the FIOM CGIL, on behalf of some workers, requesting the adoption of an investigation and compliance measure against the employer company. It was alleged that the company’s system required a personal password on the workstation before starting work, which made it possible to store the data of individual workers relating to stoppages and production throughout the working day. Since the data collected relates to the work of individual employees following authentication with the password, the company, in the union’s opinion, collected data through this system and for purposes other than those outlined in the privacy policy.

As a result of the investigation carried out by the Data Protection Authority, it emerged that the computer system coexisted with the previous work organisation method, based on the completion of paper forms in which the names of employees were revealed in plain text. The forms were stored and recorded on the software, but without any form of separation, thus contradicting the privacy policies on the system functioning and the authorisation issued by the Labour Inspectorate, which had expressly prohibited using the data collected for disciplinary purposes. It had emerged that the data collected through this tool had been used to verify the truthfulness of the statements made by an employee during disciplinary proceedings initiated against them.

In addition, it emerged that there were irregularities in the retention periods of the data collected and processed, which, according to the company’s statement, should have been commensurate with what was necessary for the “monitoring/evaluating production cycles.”

The Data Protection Authority’s decision

In the light of the information gathered, the Data Protection Authority ordered the definitive limitation of the processing operations carried out using the data collected through this system, ordering the company (i) to bring its organisation and processing operations in line with Regulation (EU) 2016/679, including by updating the privacy policy provided to the employees concerned, (ii) adopt appropriate measures to segregate the data collected using paper forms and software and (iii) pay €40,000 as a financial penalty for the violations found.

Other related insights:

More insights