With a Ruling dated 6 July 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the ‘DPA’) found that data processing carried out by a public utility service company (the ‘Company’) was unlawful. The DPA ruled that an employer is obliged to allow a worker to access all of his or her personal data, including data contained in a report produced by an investigative agency that the employer appointed to collect information about the worker and that the Company then used for disciplinary purposes.
The facts
The matter originates from a complaint submitted to the DPA by an employee who did not receive a full response to the multiple requests for access to his personal data that he had submitted to the employer Company after receiving a disciplinary complaint. The disciplinary complaint, which was followed by the worker’s dismissal, contained “specific references” to conduct unrelated to the actual work activity, and therefore suggested potential monitoring “contrary to the regulations in force (condotta non iure) and detrimental to the personal legal status of others protected by law (condotta contra ius) and, consequently, leading to the data collected being unusable”.
The Company justified its denial of access to the personal data it processed by arguing that the worker’s requests were too general and that he should have indicated in detail which information he wanted to access.
Furthermore, it emerged that the employee only learned of the existence and content of the investigative report when the Company entered an appearance in the proceedings in which he appealed the dismissal before the competent judicial authorities.
The outcome of the preliminary investigation
At the time of the investigation, the DPA found that the Company, in its capacity as data controller, had carried out processing in breach of:
In this case, the Company should have provided all of the data collected in the investigative report, considering that the report also contained information relating to the worker that had not been mentioned in the disciplinary complaint;
The DPA’s decision
For all the reasons set out above, the DPA found the processing carried out by the Company to be unlawful under Articles 5(1)(a), 12 and 15 of the GDPR. It reiterated that “unless otherwise explicitly requested by the data subject, the request to exercise the right of access is understood in general terms, including all personal data concerning them”. The DPA therefore ordered the employer Company to pay an administrative fine of EUR 10,000 and also ordered the publication of the Ruling on its website.
Other related insights:
The National Labour Inspectorate (Ispettorato Nazionale del Lavoro, ‘INL’), in note No 2572 of 14 April 2023, provided operational guidelines for issuing authorisations for video surveillance systems and other instruments that enable remote monitoring of workers within the meaning of Article 4 of the Workers’ Charter (Italian Law No 300/1970). As set out in the operational note, the guidelines are based on application experience and on operational problems that have emerged over time, including in the light of the technological evolution of the instruments that can be adopted, and they also take into account the guidelines of the Italian Data Protection Authority (Garante per la protezione dei dati personali).
The INL has, among other things, specified that:
The note also clarifies how geolocation systems may be used. The INL, expressly referring to the conclusions that the Italian Data Protection Authority has provided on the subject over time, adopts the Authority’s requirements for the configuration of these systems. The systems must in fact:
The INL also clarifies that the procedure imposed by Article 4 of Law No 300/1970 applies equally to the types of work to which the protections of subordinate employment relationships are extended by law. This includes collaborations that take the form of predominantly personal, continuous services organised by the principal (etero organizzate), even where they are organised through platforms, including digital ones.
Other related insights:
Video surveillance: the repetition of the procedure following a change in the ownership structure is unnecessary
Video surveillance: note of the Ministry of Labour no. 1241 dated 1 June 2016
Protection also extends to shareholders, apprentices, the self-employed, and consultants.
Wide-ranging whistleblowing protection. In addition to their current employees and collaborators, private sector companies must also provide protection to employed workers, apprentices, self-employed workers, freelancers and consultants, volunteers and trainees (including unpaid ones), shareholders, those exercising administrative, management, control, supervisory or representative functions (including where those functions are exercised on a de facto basis) and all persons working under the supervision and direction of contractors, subcontractors and suppliers. This is provided for by Italian Legislative Decree No 24/2023, by which the Italian legislator implemented Directive (EU) 2019/1937 (the so-called Whistleblowing Directive). The provisions will be effective from 15 July 2023, or from 17 December thereafter for companies with an average number of employees of up to 249 and for companies that have adopted the organisational model required by Italian Legislative Decree No 231. The purpose of the provision is to oblige companies and other organisations covered by the regulation to activate computer tools that enable the reporting of breaches of regulatory provisions. The legislator, including the EU legislator, intended to protect potential whistleblowers. Protection must also be guaranteed even when the employment relationship has not yet been established, if the information was acquired during the selection process or in any case during the pre-contractual phase, during the probationary period, or after termination of the relationship if the information on possible breaches was acquired during the course of the relationship. The protection measures for whistleblowers are also aimed at ‘facilitators’ (i.e. those who assist the worker in the reporting process), persons who work in the same work context as the whistleblowers and who are related to them by a stable emotional or familial relationship up to the fourth degree, work colleagues of the whistleblower who work in the same work context and who have a long-standing and ongoing relationship, and entities owned by, or that work in the same context as, these persons. Between now and the entry into force of the decree, recipient companies will have to i) identify and approve appropriate procedures to regulate the reporting process, ii) activate the aforementioned computerised reporting channels, iii) implement what is necessary to ensure protection and confidentiality for the reporting parties, and iv) provide for and regulate remedial initiatives in the event of reported breaches. This is without neglecting seemingly insignificant details, such as the finalisation and posting of the disciplinary code, which is often missing, incomplete or inadequately drafted.
With an Order dated 11 January 2023, the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed on a company an administrative fine of EUR 5,000 for having kept active, and read the contents of, the email account of a collaborator.
The facts
During negotiations aimed at finalising the acquisition of a cooperative company, the acquiring company agreed that a representative of the cooperative would collaborate, using the acquiring company’s name, in promoting a common supplier at a trade fair.
A company email account was then activated for the collaborator in order to allow her to communicate with potential customers met at the event.
A few months later, the negotiations between the two companies broke down and the complainant requested the deactivation of the email account assigned to her. In order not to lose the contacts of potential new customers collected during the event, the company kept the account active and set up forwarding of incoming communications to the sales manager’s email, deactivating the complainant’s email address only approximately six months after its activation.
The outcome of the investigation by the Authority
The Authority first of all noted that the company had not complied with its obligation to inform the complainant about the processing of data carried out on her email account, as required by Article 13 of Regulation (EU) 2016/679 (the ‘Regulation’). This obligation, the Authority recalls, also applies in the context of pre-contractual negotiations, as an expression of the principles of fairness and transparency (see Article 5 of the Regulation).
In the present case, the company:
That said, the Authority recalls that: ‘[…] the legitimate interest in processing personal data to defend one’s legal claim [can]not lead to an a priori cancellation of the right to the protection of personal data recognized to the data subjects […]’.
The order in question also recalls a well-established position of the Authority according to which an adequate balancing of the interests mentioned in letter b) above is achieved by activating an automatic response system that provides the sender with alternative addresses through which to contact the company, as data controller, without accessing the incoming communications. Accessing them, as was done in the case in question, breaches, among other things, the principle of data minimisation (see Article 5 of the Regulation).
Other related insights:
Employers who keep a former employee’s email account active commit an offence
Company e-mail account and data processing (Legal – Le Fonti, N. 24 May 2018, Vittorio De Luca)
With a decision of 10 November 2022, the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed a fine of EUR 20,000 on an Italian company for monitoring employee attendance by means of fingerprint recognition. The Authority reiterated that ‘the processing of biometric data in the workplace is allowed only if necessary to fulfil obligations and exercise the employer’s rights provided for by a legal provision and with appropriate safeguards’.
The case arose following a report made to the Authority by a trade union organisation, which complained about the employer company’s introduction of a clocking-in system that used a biometric terminal to monitor the access and attendance of employees and collaborators within its facilities. The union also objected that the system had been introduced even though the company had been asked to adopt ‘less invasive means’ that did not involve processing the data subjects’ biometric data.
The company defended itself by stating that the system adopted was intended to facilitate the recording of data subjects’ entry and exit times and represented a ‘more streamlined and faster’ tool than the one previously used, which recorded attendance by means of a personal identification badge.
After carrying out its preliminary investigation, the Authority held, among other things, that the company’s processing of biometric personal data was unlawful for (i) having been carried out without an appropriate lawful basis: the Authority reaffirmed that the processing of biometric data in the workplace is allowed only if it is provided for by a national or European law; (ii) not having provided the data subjects with adequate information, thus infringing the fundamental principles of lawfulness, fairness and transparency; (iii) not having updated the Record of Processing Activities, which, in the version presented to the Authority, did not record any processing of employee biometric data, thus also infringing the principle of accountability; and (iv) having processed a special category of data for the sole purpose of simplifying the management of the employment relationship.
For all these reasons, the Authority sanctioned the company, ordering it not only to pay the above-mentioned administrative fine for these infringements but also to publish the decision on the Authority’s institutional website.
In conclusion, while monitoring employees’ attendance in the work context is necessary to verify compliance with working hours and to allow the employer to fulfil specific obligations and exercise specific rights, for the processing of employees’ biometric data to be lawful it must be based on a legislative provision and cannot rest on the data subjects’ consent, ‘in the light of the asymmetry between the respective parties to the employment relationship and the resulting, if any, need to ascertain from time to time and in concrete terms the effective freedom of expression of will of the employee’.