In ruling no. 8628 of 16 March 2022, The Court of Cassation ruled that the validity of dismissal for exceeding the protected period “‘by summation” requires specification of the days of absence due to illness, to which unjustified absences cannot be counted.

Facts of the case

An employee of the Udine Prefecture had challenged her dismissal for exceeding the protected period, arguing that the dismissal notice did not correctly specify the days counted and added together.

The Court of First Instance upheld the employee’s appeal, declared the dismissal unlawful and ordered the Ministry to reinstate her.

The Ministry then appealed against the ruling before the Court of Appeal of Trieste, which confirmed the first instance ruling, upholding the principle that if the employer specifies the employee’s days of absence in the termination notice, it cannot subsequently change or add them.

In this case, the period specified by the Ministry of Health for absence due to illness was 472 days (taking into account the “protected period by summation”) and was less than the protected period under collective bargaining and set for 484 days. This is because the period specified by the Ministry included 12 days of employee unjustified absence and, therefore, was not included in the protected period calculation.

In addition, the Court of Appeal found that the Ministry’s evidence that the days of unjustified absence were attributable to the employee’s illness was worthless. According to the Court of Appeal, what mattered was the “incontrovertibility” of the periods specified in the dismissal notice, based on the principle that the reasons for dismissal cannot be changed.

The unsuccessful Ministry thus appealed the Court of Appeal’s ruling in cassation.

The Supreme Court of Cassation’s ruling

The Court of Cassation confirmed the decisions of the courts. The Court of Cassation upheld the local court’s finding that the 12 days of unjustified absence were not taken into account for a protected period exceeding purposes, as they related to a different case.

The Court of Cassation observed that, contrary to the Ministry’s claim, the Court of Appeal did not intend to affirm that in cases where the protected period was exceeded the employer must specify the individual days of illness considered for the calculation of the protected period in the letter of dismissal. This precluded a subsequent specification by the employer.

The Court of Cassation stated that the employer cannot ex post add to or change the days taken into account to exceed the protected period allowed by collective bargaining, if it specifies the absences taken into consideration.

According to the Court, for cases of dismissal for exceeding the protected period, “the employer does not have to specify the individual days of absence since more comprehensive information is sufficient. This is based on the amended Article 2 of Law no. 604/1966, which requires the simultaneous communication of the reasons, without prejudice to the burden of alleging and proving in court the facts constituting the power exercised. However, this applies to the protected “single period” (i.e. a single uninterrupted period of illness), where the days of absence are easily calculable even by the worker. In cases of protected period “by summation” (i.e.multiple and fragmented absences), a specification of the calculated absences is required to enable the worker to defend themselves.” In the Court of Cassation’s opinion, even when there was a dismissal for exceeding the protected period “by summation” the rule of unchangeability of the reasons underlying the termination applies. This rule constitutes a guarantee for the worker who, otherwise, would not have the opportunity to challenge the dismissal.

Other related insights:  

• Exceeding the protected period: the Company does not have to inform the employee
• DID YOU KNOW THAT… the dismissal notified after a considerable lapse of time following the protected period is not unlawful?
• Protected period: excluding quarantine and later voluntary homestay period due to Covid-19 infection

An announcement published on the website of the European Data Protection Board (EDPB) confirms that, in March 2019, the Polish data protection authority (UODO) imposed its first fine on a Swedish company pursuant to the data personal protection Regulation (EU) 2016/697 (“GDPR”), ordering it pay a penalty of 220,000 euro. The Swedish company had processed the personal data of a number of people without them knowing and without giving them appropriate information on the processing of their data, in flagrant breach of art. 14 of the GDPR.

Reference Regulations

Where personal data have not been obtained directly from the data subject, art. 14 of the GDPR requires that the controller provides the data subject with the following information:

1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
2. the contact details of the data protection officer, where applicable;
3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
4. the categories of personal data concerned;
5. the recipients or categories of recipients of the personal data, if any;
6. where applicable, that the controller intends to transfer personal data to a third country outside the European Union;
7. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
8. the legitimate interests pursued by the controller or by a third party;
9. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing and to object to processing as well as the right to data portability;
10. where processing is based on consent given, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
11. the right to lodge a complaint with the supervisory authority;
12. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
13. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject.

The controller must provide said information within a reasonable period, at the latest within one month from the date of collection or at the time of the first communication to that data subject or to third parties.

The facts

In the case examined, the fined company – which supplies decision-making support in the form of digital business, marketing and credit information – had processed the personal data of a large number of natural persons (entrepreneurs) without them knowing.

The data subjects were not informed that their personal data were being processed and were thus deprived of the possibility to exercise their rights under the GDPR. Nor were they able to object to further processing or request the rectification or erasure of the personal data.

Specifically, the company provided the information set out in art. 14 of the GDPR only to those persons for whom it had an email address. For the other persons, it did not to satisfy the information requirement because of (on its own admission) the “significant operating costs” involved in sending the notice to the data subjects by recorded delivery – therefore limiting its action solely to the publication of the privacy notice on its website.

According to the President of the UODO, since the company had the postal addresses and telephone numbers of such persons, it should have satisfied the information requirement using that information. In fact, the GDPR does not require the controller to send notices by “recorded delivery”.

The President of the UODO thus held that the breach was intentional, since – as established during the procedure – the company was aware of the requirement to provide appropriate information and of the need to inform the data subjects directly.

In imposing the fine, the UODO also considered that the company had failed to take any action to remedy the breach, or declare its intention to do so.

To conclude, the UODO considered the breach to be very serious as “it affects the fundamental rights and freedoms of the persons whose personal data the company has processed, and refers to the basic issue of: the information to be provided to data subjects regarding the processing of personal data concerning them. The fine must be imposed since the controller has not complied with the law”.

Comments

The decision is important insofar as (i) the fine arises from the breach not of a national law but of a European law (applicable also in the Italian legal system) on the protection of personal data and (ii) it highlights an error in terms of corporate compliance. Indeed, by failing to notify the data subjects that data concerning them was being processed, the company had failed to satisfy its legal obligation.