Monitoring the metadata of company e-mail accounts assigned to employees is unlawful where it does not guarantee adequate protection of confidentiality and is carried out in breach of the rules limiting remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali – the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.

The preliminary investigation

The case arose from a report submitted to the Italian DPA by an independent trade union organisation, which complained that the administration, acting as controller, had monitored the e-mails of staff working in the offices of the regional lawyer’s office.

The monitoring, initiated as part of an internal investigation aimed at verifying a suspected disclosure of information protected by official secrecy, turned out to cover information on the times, recipients, subject matter and attachment size of communications (the so-called ‘metadata’) of some employees who had been sending messages to a specific trade union. According to the investigation’s findings, it had been possible to monitor this information because, ‘as a matter of practice’, e-mail traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.

The Italian DPA’s Order

On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:

  • in breach of the principles of ‘lawfulness, fairness and transparency’, employees had not been provided with information on the processing of personal data in accordance with Articles 12 and 13 of the GDPR. As the Italian DPA noted, the fulfilment of the information obligations ‘constitutes a specific precondition for the lawful use of the data collected through technological tools, by the employer, including for all purposes related to the employment relationship (Article 4, paragraph 3, of Italian Law No 300/1970)’;
  • given that ‘the generalised collection and extensive retention of e-mail metadata […] are not instrumental to the “employee’s work performance”’, such data processing may entail an – albeit indirect – remote monitoring of the employees’ activities. Therefore, the employer breached not only the existing data protection legislation but also the regulations on remote monitoring of employees;
  • the processing and monitoring carried out enabled the employer to acquire information on the employees’ private lives or on matters that were in no way relevant to the assessment of their professional suitability;
  • the processing of the metadata was carried out in breach of the principles of data protection law, namely the principles of retention limitation, of data protection by design and by default, and of accountability;
  • the processing of the metadata was carried out without a prior data protection impact assessment.

On the basis of all of the above, the Italian DPA, in addition to ordering payment of the aforementioned administrative fine, prohibited the employer (the controller) from any further processing of the (meta)data relating to the use of employees’ e-mails retained for more than seven days from the date of collection, ordered the deletion of the data already collected and retained beyond that period, and ordered the publication of the order on its institutional website.

On 25 March, the European Commission and the United States of America announced that they had reached a new framework agreement on the cross-border transfer of personal data (the “Trans-Atlantic Data Privacy Framework”), which will form the basis for an adequacy decision by the European Commission. The new agreement was announced less than two years after the European Court of Justice ruled that the Privacy Shield was invalid. It ensures that the levels of data protection guaranteed by the GDPR are not undermined when European citizens’ data is transferred to and processed in the US.

The agreement’s crucial points will be binding rules and safeguards limiting access to data by the US authorities, an issue that was of considerable importance in the cited Court of Justice decision. The authorities will be allowed to access and process personal data only to the extent that this is necessary and proportionate to protect and pursue the defined objectives of national security. According to the communiqué, this will be achieved by establishing an independent two-level review mechanism, to provide corrective measures and to strengthen the strict and layered oversight of intelligence activities by ensuring compliance with the limitations on surveillance.

The Trans-Atlantic Data Privacy Framework will provide a basis for transatlantic data flows that is fundamental to protecting data subject rights. The communiqué confirmed that teams from the US government and the European Commission will continue their cooperation to turn this agreement into legal documents to be adopted by both sides. Once this process is completed, European and US data controllers and processors must comply with the framework agreement provisions.

The Court of Venice, in its ruling no. 494/2021, held that a company that suffered a cyber-attack and was forced to pay a ransom to recover stolen data can dismiss an employee who has repeatedly browsed unsafe websites for private purposes and put internal security at risk.

Facts of the case

The worker employed by a company operating as a shipping agency was dismissed for just cause, following a legitimate disciplinary procedure, for having improperly used a company personal computer.

The charges brought by the company against the employee were twofold:

  1. having carried out non-work activities during working hours: consulting personal e-mail, viewing photos and repeatedly and at length browsing information websites, travel and show booking websites and even pornographic websites. This was in breach of the Company Regulations, jeopardised the security of the computer system and took time away from work (even on days when he had requested authorisation to work overtime);
  2. having prepared and transmitted to third parties statements in the company’s name, misusing the company’s letterhead and stamp, during working hours.

The employee challenged the dismissal, claiming that it was retaliatory and discriminatory, with the sole aim of ousting him as a union representative (RSA) who was regarded as an “inconvenient employee”. The employee also claimed that the misconduct was not attributable to him, since the computer assigned to him was not password-protected and anyone could have accessed it.

The employer appeared in the proceedings, rejecting the employee’s claims and emphasising the entirely fortuitous nature of the discovery of the data, which had emerged from the necessary checks carried out after its computer systems were hacked and ransomware spread through them.

The Court’s decision

The Court of Venice – confirming the decision of the Judge in the summary stage of the proceedings – declared that there was just cause for termination and, consequently, the dismissal was lawful.

The Judge pointed out that the facts alleged against the employee had been acquired by the company under art. 4 of the Workers’ Statute. Under that Article, the employer may legitimately acquire information from the company tools assigned to employees and use it for all purposes related to the employment relationship (including disciplinary purposes), on condition that employees have been given adequate information on how such tools may be used and on the control methods, in accordance with the Privacy Code. The company had adopted a Regulation on the use of the tools provided which, since its adoption, had been posted on the notice board and published in a folder on the server accessible to all employees.

The Judge observed that, even leaving aside the actual adoption of the regulation (which the employee contested), what mattered was the repeated and continuous use of the computer for obvious (and undisputed) personal purposes, which was sufficient to give the facts disciplinary relevance.

Finally, the Judge rejected the employee’s complaint about the failure to set a personal password on the computer. According to the Judge, the improper use was undoubtedly attributable to the employee in question, since he had accessed his own account, booked trips in his name, used personal USB keys, visited social networks linked to him, and so on.

In the Court’s opinion, the charges brought against the employee, and legitimately acquired by the company, were substantiated and so serious as to justify his immediate dismissal.

Whistleblowing is being redefined. The Legislative Decree implementing EU Directive 2019/1937 “on the protection of persons who report Union law violations” (the “Directive”) is almost ready. It will bring significant changes compared to the rules that came into force in 2012 (Law 6 November 2012, no. 190) in the public sector and at the end of 2017 (Law 30 November 2017, no. 179) in the private sector.

◊◊◊◊

Delegated Law

On 23 October 2019, the European Parliament and the Council adopted the Directive laying down “common minimum standards” to ensure adequate protection of whistleblowers in the Member States’ legal systems. The aim is to give consistency to heterogeneous or fragmented national regulations and enhance the value of this tool.

On 23 April 2021, Law no. 53/2021 (the European Delegation Law) was published in the Official Gazette. This Law consists of 29 articles containing delegated provisions for transposing European directives and adapting national legislation to certain EU regulations.

With this Law, the Parliament delegated the Government to adopt a legislative decree to implement the Directive. In art. 23 of the delegated law, it is stated that the Government, in the exercise of the delegation, must observe the following principles and directive criteria:

  a) under the Directive, amend the existing legislation on the protection of those reporting violations of which they have become aware within a public or private working framework and those listed in Article 4, paragraph 4 of the same Directive;
  b) ensure coordination with existing provisions, and a high level of protection and safeguard of those referred to in letter a), by carrying out the necessary repeals and adopting the appropriate transitional provisions;
  c) exercise the option provided for in Art. 25, paragraph 1 of the Directive, which allows introducing or maintaining provisions more favourable to the rights of those reporting and those listed in the Directive, to ensure the maximum level of protection and safeguard.

This rule will affect national regulations. The impact of the new European rules seems to concern their scope more than their content. In the matters covered by the Directive, the protection of whistleblowers does not differentiate between the public and private sectors, as in Law no. 179/2017.

Having said this, let us go into detail on the main innovations introduced by the Directive.

Personal scope of application

The Directive better defines the reporting person, i.e. the individual who reports or discloses information on violations acquired in their working framework.

This includes (i) self-employed persons working for a public or private sector entity, (ii) shareholders and members of the administrative, management or supervisory body of a company, including non-executive members, volunteers and paid and unpaid trainees, and (iii) any person working under the supervision and direction of contractors, subcontractors and suppliers.

The protective measures may be applied to colleagues or relatives of whistleblowers where there is a risk of retaliation at work due to the report.

The personal scope of application is broader than under Italian Law and, therefore, the list of protected whistleblowers should be reviewed in the light of the new European rules.

Conditions for the protection of whistleblowers

Unlike under the current Law 179/2017, for the protections provided in favour of the reporting person to apply, it will no longer be necessary for reports to concern unlawful conduct relevant under Legislative Decree no. 231/2001 and to be based on precise and concordant facts.

It will be sufficient that the reporting person had, at the time of reporting, reasonable grounds to believe that the information reported was accurate and that the report or public disclosure was necessary to bring to light a violation of public interest falling within the scope of the Decree. The reasons underlying the whistleblower’s report are considered irrelevant to their protection.

Reporting channels

The Directive requires the establishment of internal reporting channels before reporting through external channels (i.e., reporting to the authorities designated by the Member States and relevant authorities at a European level), “where the breach can be effectively dealt with internally and the reporting person considers that there is no risk of retaliation.”

Companies with more than 50 employees, regardless of the nature of their activities, and legal entities in the public sector, including entities owned or controlled by them, must have internal reporting channels. The exemption of small and medium-sized enterprises from this requirement does not apply to companies falling within the scope of the AML/CFT framework.

In addition, following an appropriate risk assessment, Member States may require companies with a smaller number of employees to establish internal reporting channels in some cases.

For public disclosures of wrongdoing, the Directive provides that the protection of the reporting person is triggered only if one of the following conditions is met:

  • they have previously reported the offence internally or externally without adequate follow-up within the prescribed time limits; or
  • at the time of the report, they have reasonable grounds to believe that:
      • the breach may constitute an imminent or clear danger to the protected public interest or there is a risk of irreversible damage, including to the physical safety of one or more persons; or
      • in the case of an internal or external report, there would have been a risk of retaliation, or the report would not have provided sufficient guarantees of effectiveness in the circumstances of the case.

The above-mentioned public disclosure (under certain conditions) is not reflected in Italian Law.

Protection of whistleblowers

According to the Directive, Member States must ensure that the reporting person’s identity is not disclosed, without their explicit consent, to anyone other than the authorised personnel responsible for receiving or following up reports. This is without prejudice to specific exceptions. The same applies to any other information from which the reporting person’s identity can be deduced directly or indirectly.

Under the Directive, Member States must take the necessary measures to prohibit any form of retaliation against a whistleblower, including dismissal, change of job, reduction of salary or modification of working hours and imposition of disciplinary sanctions.

Personal data processing

Data collection and processing shall be carried out in accordance with Regulation (EU) 2016/679 on the protection of personal data.

Personal data that is manifestly not useful for the processing of a specific report, according to the Directive, must not be collected or, if accidentally collected, must be deleted without delay.

Sanctions

According to the Directive, severe sanctions should be applied to those who obstruct reporting persons. Sanctions should also be imposed on those who report or publicly disclose information about violations that they know to be false.

◊◊◊◊

All that remains is to wait for the publication in the Official Gazette of the Legislative Decree transposing the Directive.

The Court of Cassation, IV Criminal Section, in its ruling no. 22256 of 3 March 2021 (filed on 8 June), ruled on the requirements of interest and advantage of the entity in cases of culpable offences for breach of accident prevention regulations under Legislative Decree no. 231/01 on the administrative liability of entities.

Facts of the case

The case concerned a workplace accident involving a driver at a waste sorting plant, who got out of his vehicle to remove the cover of a container in order to unload material from the sorted waste collection. The employee was hit by another worker’s forklift truck and suffered serious injuries.

The Court of First Instance and the Court of Appeal found the defendant employer guilty of the offence of culpable injury aggravated by breach of the rules on accident prevention. The injuries were held to be the consequence of the infringement of the combined provisions of Articles 63 and 64, paragraph 1 of Italian Legislative Decree no. 81/2008 (respectively headed “Health and safety requirements” and “Employer’s obligations”), namely the employer’s failure to organise a safe traffic system by using signs and road markings, regulating traffic in the external yard of the waste sorting plant, separating the traffic lanes, indicating the storage areas and the lanes intended for forklifts and pedestrians, and marking the areas for manoeuvring vehicles.

The judges also declared the company liable for an administrative offence (under Articles 5, paragraph 1, letter a) and 25-septies, paragraph 3 of Legislative Decree no. 231/2001) and, while recognising an extenuating circumstance, ordered it to pay an administrative fine of €12,900.

According to the Court, the company was at fault for failing to assess the risk of injury resulting from possible interference between the forklift drivers and the workers unloading the material. Its liability stemmed from the reduction in the cost of the consultant’s work for revising the DUVRI (single document on the assessment of risks from interference) and from the increase in production speed resulting from the failure to take the necessary measures.

An appeal was lodged against the Court of Appeal’s ruling.

The Supreme Court of Cassation’s ruling

The Court of Cassation clarified that (i) the concepts of interest and advantage must necessarily refer to the conduct and not to the event, and (ii) they apply alternatively. The interest requirement must be assessed at the time of the fact, while the advantage requirement must be evaluated afterwards, on the basis of the effects actually derived from the offence committed.

The Court of Cassation specified that:

  • the interest requirement is met if the offender knowingly violates the precautionary rule to obtain a benefit for the organisation, while
  • the advantage requirement exists when the party systematically violates the prevention rules, allowing a reduction in costs and a containment of expenditure with a consequent profit advantage.

According to the Court of Cassation, the appealed ruling did not clarify the evidence from which it deduced the advantage obtained by the organisation in terms of cost savings and acceleration of the production process. In its opinion, the cost savings were small, and the company had generally complied with the accident prevention regulations.

For these reasons, the Court of Cassation upheld the Court of Appeal’s ruling insofar as it had recognised the employer’s liability as an individual. It annulled the ruling insofar as it had found the entity administratively liable and referred the case back to the relevant Court of Appeal sitting in a different composition.
