With Ruling dated 6 July 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA’) found that data processing carried out by a public utility service company (the “Company”) was unlawful. The DPA ruled that an employer has an obligation to allow a worker to access all his or her personal data, including data contained in a report produced by an investigative agency appointed by the employer to collect information about the worker and used by the Company for disciplinary purposes.

The facts

The matter originates from a complaint submitted to the DPA by an employee who did not receive a full response to multiple requests for access to his personal data submitted to the employer Company after receiving a disciplinary complaint. The disciplinary complaint was followed by the dismissal of the worker, and contained “specific references” to conduct unrelated to the actual work activity and which therefore suggested potential monitoring “contrary to the regulations in force (condotta non iure) and detrimental to the personal legal status of others protected by law (condotta contra ius) and, consequently leading to data collected being unusable”.

The Company justified the denial of access to the personal data processed by arguing that the requests presented by the worker were too general and that he should have indicated in detail the information he wanted to access.

Furthermore, it emerged that the employee only learned of the existence and content of the investigative report when the Company entered an appearance in the proceedings appealing the dismissal before the competent judicial authorities.

The outcome of the preliminary investigation

At the time of the investigation, the DPA found that the Company, in its capacity as data Controller, carried out processing in breach of:

• Article 15 of Regulation (EU) 2016/679 (the “GDPR”), as it made the response to the access request presented by the worker conditional on the detailed indication of the documents and information he wanted to access. The request to exercise the right of access, a right recognised to all data subjects in relation to the processing of personal data by the article in question, must be understood in general terms, including all personal data concerning the data subject, as also specified in the “Guidelines 01/2022” on Data Subject Rights (EDPB, 28 March 2023). Furthermore, the DPA reiterates that, if the data are not collected directly from the data subject, the data Controller must indicate their origin.

In this case, the Company should have provided all the data collected with the investigative report, considering that it also contained information relating to the worker but which had not been mentioned in the disciplinary complaint;

• Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;

• Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The Company, in the response provided to the worker, had not in fact specified the origin of the personal data used for the disciplinary complaint.

The DPA’s decision

For all the reasons set out above, the DPA found the processing carried out by the Company in relation to Articles 5, paragraph 1, letter (a), 12 and 15 of the GDPR to be unlawful. It reiterated that “unless otherwise explicitly requested by the data subject, the request to exercise the right of access is understood in general terms, including all personal data concerning them”. The DPA therefore, ordered the employer Company to pay an administrative fine of EUR 10,000 and also ordered the publication of the Ruling on its website.

Other related insights:

• Ascertainment of breaches of discipline by private detectives
• The right to have access to the records throughout the disciplinary procedure

The National Labour Inspectorate (Ispettorato Nazionale del Lavoro, ‘INL’), in note No 2572 of 14 April 2023, provided operational guidelines for the issuance of authorisations for video surveillance systems and instruments which enable remote control of workers within the meaning of Article 4 of the Workers’ Charter (Italian Law No 300/1970). As set out in the operational note, the guidelines are based on application experience and operational problems that have emerged over time, including in the light of the technological evolution of the instruments that can be adopted, while also taking into account the guidelines of the Italian Data Protection Authority (Garante per la protezione dei dati personali).

The INL has, among other things, specified that:

• the installation of an audio-visual system or other instruments which may enable remote control of workers must necessarily and as a priority be preceded by a collective agreement with the workplace unions (Rappresentanza Sindacale Aziendale/Rappresentanza Sindacale Unitaria, ‘RSA/RSU’). The authorisation procedure, in fact, appears to be only contingent and subsequent to failure to agree with the unions and is conditional on proving the absence of the RSA/RSU;
• the installation of such instruments cannot be justified by any consent, even informed consent, of the individual workers concerned. In this case, installation would not only be unlawful but also criminally sanctioned;
• undertakings with several production units located within the competence of the same INL area office may submit only one authorisation application;
• companies located in several provinces, as an alternative to concluding individual agreements with the RSA/RSU, may conclude a single agreement with the trade unions that are comparatively more representative at national level;
• Article 4 of Italian Law No 300/1970 applies to companies where there are workers: (i) in the case of establishing a new company that at the time of the application has no workers but plans to employ staff as soon as the business activity starts, it may submit the authorisation application indicating the number of workers that there will be when the activity starts; (ii) in the event that a company already in operation with a plant legitimately installed and functioning but without workers, intends to employ personnel, it may submit an application but must – at the same time – certify the decommissioning of the plant, which will be put into operation only after the authorisation measure, if any.

The note also clarifies how geolocalisation systems can be used. The INL, expressly referring to the conclusions that the Italian Data Protection Authority has over time provided on the subject, refers to the Authority’s requirements for the configuration of these systems. The systems, in fact, must:

• exclude continuous monitoring of the worker;
• allow authorised persons to view the location only when strictly necessary in relation to the purposes pursued;
• allow the device to be deactivated during breaks and outside working hours;
• process by pseudonymising personal data;
• provide for the storage of collected data only when necessary and with retention times proportionate to the purposes pursued.

The INL also clarifies that the procedure imposed by Article 4 of Law No 300/1970 also applies to the types of work to which the protections given to subordinate employment relationships are extended by law. This includes collaborations that take the form of predominantly personal, continuous services organised through an employer (etero organizzate), even if organised through platforms, including digital ones.

Other related insights:
Video surveillance: the repetition of the procedure following a change in the ownership structure is unnecessary

Video surveillance: note of the Ministry of Labour no. 1241 dated 1 June 2016

Protection also extends to shareholders, apprentices, the self-employed, and consultants.

Wide-ranging whistleblowing protection. In addition to their current employees and collaborators, private sector companies must also provide protection to employed workers, apprentices, self-employed workers, freelancers and consultants, volunteers and trainees (including unpaid ones), shareholders, those exercising administrative, management, control, supervisory or representative functions (including if those functions are exercised on a de facto basis) and all persons working under the supervision and direction of contractors, subcontractors and suppliers. This is provided for by Italian Legislative Decree No 24/2023 in which the Italian legislator implemented Directive (EU) 2019/1937 (the so-called Whistleblowing Directive). The provisions will be effective from 15 July 2023 or from 17 December thereafter for companies with an average number of employees of up to 249, as well as for companies that have adopted the organisational model required by Italian Legislative Decree No 231. The purpose of the provision is to oblige companies and other organisations covered by the regulation to activate computer tools to enable the reporting of breaches of regulatory provisions. The legislator, including the EU legislator, intended to protect potential whistleblowers. Protection must also be guaranteed even when the employment relationship has not yet been established, if the information was acquired during the selection process or in any case during the pre-contractual phase, during the probationary period or after termination of the relationship if the information on possible breaches was acquired during the course of the relationship. The protection measures for whistleblowers are also aimed at ‘facilitators’ (i.e. those who assist the worker in the reporting process), persons who work in the same work context as the whistleblowers and who are related to them by a stable emotional or familial relationship up to the fourth degree, work colleagues of the whistleblower who work in the same work context and who have a long-standing and ongoing relationship, or entities owned by and entities that work in the same context as these persons. Between now and the entry into force of the decree, recipient companies will have to i) identify and approve appropriate procedures to regulate the reporting process, ii) activate the aforementioned computerised reporting channels, iii) implement what is necessary to ensure protection and confidentiality for the reporting parties, and iv) provide for and regulate remedial initiatives in the event of reported breaches. This is without neglecting seemingly insignificant details, such as the finalisation and posting of the disciplinary code, which is often missing, incomplete or inadequately completed.

With an Order dated 11 January 2023, the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed on a company the payment of an administrative fine equal to EUR 5,000 for having kept active and read the contents of the email account of a collaborator.

The facts

During some negotiations aimed at defining the acquisition of a cooperative company, a company agreed that a representative of the latter should collaborate, using the name of the purchasing company, in the promotion of a common supplier on the occasion of a trade fair.

A company email account was then activated for the collaborator in order to allow her to communicate with potential customers met at the event.

A few months later, the negotiations between the two companies were interrupted and the complainant requested the deactivation of the email account assigned to her. In order not to lose the contacts of potential new customers collected during the event, the company kept the account active and set up a system for forwarding incoming communications to the sales manager’s email, deactivating the complainant’s email address only after (approximately) six months from activation.

The outcome of the investigation by the Authority

The Authority first of all noted that the company has not complied with its obligation to inform the complainant about the processing of data carried out on her email account as instead required by Article 13 of Regulation (EU) 2016/679 (the ‘Regulation’). This obligation, the Authority recalls, also applies in the context of any pre-contractual negotiations as an expression of the principles of fairness and transparency (see Article 5 of the Regulation).

In the present case, the company:

1. processed personal data in the absence of a legitimation criterion to the extent that it has (i) viewed, without an appropriate legal basis, the correspondence received and sent to the account during collaboration with the complainant and (ii) set up, at the end of the collaboration, an automatic email forwarding system to a different company account;
2. did not achieve an adequate balancing of ‘the interests at stake’: on the one hand, in fact, the need for the company to continue its economic activities is recognized and on the other, the right to privacy of the data subject (namely the complainant). In this regard, the order reads, ‘the (legitimate) purpose of not losing useful contacts for one’s commercial activity, […], could have been pursued with less invasive processing activities and, therefore, compliant with data protection regulations, with respect to that carried out in the present case’;
3. did not comply with the obligation to facilitate the exercise of the rights of the data subject to the extent that it has not provided a suitable response to the request for cancellation – the so-called ‘right to be forgotten’ – submitted several times by the complainant.

◊◊◊◊

That said, the Authority recalls that: ‘[…] the legitimate interest in processing personal data to defend one’s legal claim [can]not lead to an a priori cancellation of the right to the protection of personal data recognized to the data subjects […]’.

The order in question also recalls a well-established orientation of the Authority according to which an adequate balancing of the interests as mentioned in letter b) above is achieved by activating an automatic response system with which the sender is provided with alternative addresses through which to contact the company, data controller, without accessing incoming communications, as instead done in the case in question in breach, among others, of the principle of data minimization (see Article 5 of the Regulation).

Other related insights:

Employers who keep the former employee’s email account active commits an offence

Company e-mail account and data processing (Legal – Le Fonti, N. 24 May 2018, Vittorio De Luca)

With a decision of 10 November 2022, the Italian Data Protection Authority (l’Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed a fine of EUR 20,000 on an Italian company for monitoring employee attendance by reading fingerprints. The Authority reiterated that ‘the processing of biometric data in the workplace is allowed only if necessary to fulfil obligations and exercise the employer’s rights provided for by a legal provision and with appropriate safeguards’.

The case arose following a report made to the Authority by a trade union organisation that complained about the introduction by the company, the employer, of a stamping system that used a biometric terminal to monitor access and attendance of employees and collaborators within its facilities. The union also challenged the fact that the system had been introduced even though the company had been asked to adopt ‘less invasive means’ that did not involve the processing of biometric data of the data subjects.

The company defended itself by stating that the system adopted was intended to facilitate the registration of entry and exit times for data subjects and represented a ‘more streamlined and faster’ tool than the one previously used, which recorded attendance through a personal identification badge.

After carrying out its preliminary investigation, the Authority held, among other things, that the processing of biometric personal data carried out by the company was unlawful for (i) having carried out processing in the absence of an appropriate lawful basis: the Authority, in fact, reaffirmed that the processing of biometric data in the workplace is allowed only if it is provided for by a national or European law; (ii) not having provided the data subjects with adequate information, thus infringing the fundamental principles on the subject such as those of lawfulness, fairness and transparency; (iii) not having updated the Record of Processing Activities which, in the version presented to the Authority, did not record any processing of employee biometric data, thus also infringing the principle of accountability; (iv) having processed a category of special data for the sole purpose of simplifying employment relationship management activities.

For all these reasons, therefore, the Authority sanctioned the company, ordering it not only to pay the above-mentioned administrative fine for the above-mentioned infringements but also ordering the publication of the decision on its institutional website.

In conclusion, while in the work context monitoring employees’ attendance is necessary to verify compliance with working hours as well as for the employer to fulfil specific obligations and exercise specific rights, for the processing of biometric data of employees to be lawful, it must be based on a legislative provision and cannot be based on the collection of the data subjects’ consent ‘in the light of the asymmetry between the respective parties to the employment relationship and the resulting, if any, need to ascertain from time to time and in concrete terms the effective freedom of expression of will of the employee’.

Other related insights:

• The requirements relative to the processing of special categories of data have been issued
• Data Processing Register and Impact Assessment: clarifications provided by the Data Protection Authority