The Spanish Data Protection Authority (“AEPD”) opened sanction proceedings against a Spanish company belonging to an international group, following a complaint filed by a former employee.

The employee alleged that the company had added her personal mobile phone number to a corporate WhatsApp group, without her consent, for work-related purposes while waiting to receive a company phone – which she never actually received. Before taking a holiday, the employee had expressly notified the company by email that she would stop using her private number for work matters and had left the corporate WhatsApp group. However, only a few days later, her number was added again to a company group chat. The company argued that the inclusion was temporary, pending delivery of the business phone, and that WhatsApp groups were used solely for internal work communications among employees.

The AEPD, however, found that using the employee’s personal number without consent violated Article 6(1) of the GDPR, which requires a lawful basis for any processing of personal data.

Legal basis and decision of the Authority

The Spanish Authority recalled that a personal mobile phone number is personal data, and that using it to add an employee to a corporate messaging group is a processing operation which must rest on one of the legal bases listed in Article 6(1) of the GDPR.

  • The GDPR requires that personal data be processed lawfully (Article 5(1)(a)).
  • For processing to be lawful, at least one of the conditions in Article 6(1) must be met, including:
    ◦ the data subject has given consent to the processing of their personal data for one or more specific purposes;
    ◦ the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the data subject’s request prior to entering into a contract;
    ◦ the processing is necessary for compliance with a legal obligation to which the controller is subject;
    ◦ [omitted].

In the case under review there was no consent from the data subject, no contractual necessity and no other legitimate ground for the processing. The Spanish Authority added that the existence of an internal company policy on the use of mobile devices does not exempt the employer from establishing a proper legal basis for the processing.

The company was therefore fined €70,000, reduced to €42,000 after it acknowledged the violation and opted to pay the reduced amount. The AEPD also ordered the company to adopt corrective measures to ensure future compliance with the GDPR.

Bring Your Own Device

BYOD (Bring Your Own Device) policies are corporate rules governing the use of personal devices – such as smartphones, laptops, or tablets – for work-related purposes.

In practice, a BYOD policy sets out how employees may use their personal devices to access corporate data, emails, or applications, and defines the relevant security measures.

It is always preferable for companies to provide corporate devices and maintain a clear separation between personal and business tools. However, if the employer decides to allow employees to use personal devices for business purposes, a documented internal policy should be adopted, regulating:

  • cybersecurity requirements,
  • limits on use,
  • measures to protect employee privacy,
  • procedures for deletion of corporate data,
  • information and consent obligations (where applicable).

Other related insights:

Sundar Pichai, CEO of Google, has recently announced that the company intends to make remote working a permanent part of its working practices, albeit with a hybrid approach, e.g. three days in the office and two days remotely.

These statements highlight the growing interest in remote working, a system that many companies were forced to try out for the first time during the lockdown and which has now become a real revolution. In many cases, it has become a structural choice due to its undoubted advantages, from a better work-life balance to reducing the stress of travelling to work.

A NEW NORMALITY

At present, according to INAPP (National Institute for Public Policy Analysis) data, 54% of employees in large companies work wholly or partly on a remote basis; furthermore, according to an analysis conducted by the Milan Polytechnic Observatory and Randstad Research, remote working may involve 3 to 5 million workers in the coming months. The path should be the one traced by the CEO of Google: according to a recent study by Fondirigenti, people will prefer to split the week in two or to alternate days in the office and remote work, so as not to sacrifice social relations and physical interaction with their colleagues.

According to Vittorio De Luca, managing partner of the De Luca & Partners law firm, specialised in labour law and the GDPR (General Data Protection Regulation), “in the near future, remote working policies will become more and more a rule and no longer just an exception”. Remote working policies have also been promoted by the law: the Riaperture Decree has extended until 31 July the possibility for employers to use this instrument by unilateral act, i.e. without having to sign an individual agreement. This deadline should be extended until 31 December for the private sector as well, thus aligning it with what is already in place for the public administration. “However,” De Luca points out, “at the end of the emergency period it will be appropriate and necessary to regulate the relationship between the parties involved, i.e. employers on the one hand and workers (remote workers) on the other hand.”

THE PROBLEMS TO BE SOLVED

Remote working was first introduced in the Italian system by Law 81/2017. Remote working, says De Luca, is defined in the law “as a new and flexible way of organising employment, with no exact definition of the place and time of work, providing that the activity can take place partly inside the company’s premises and partly outside, without a fixed location, though in compliance with the limits on maximum daily and weekly working time established by law and by the applicable national collective agreement. In order for this to happen”, he adds, “an agreement, strictly in writing (for the purposes of proof and administrative regularity), must be entered into by the company and the worker”. And it is precisely the release from spatial and temporal limits, notes the expert, “which, if not regulated in advance, might have negative consequences for both the employee and the employer, from both a professional/work and a social/personal point of view”.

“Indeed, remote working has made the time profile of the service not essential, placing the objectives and performances of the resources concerned at the centre”, explains De Luca. So that “it is of primary importance for employers to be able to check and assess the results of remote workers”, whilst also determining “the forms of exercise of the employer’s power, paying attention to the manner, purpose and content of the same”. There follows the need, he concludes, to “introduce agreements, accompanied by internal procedures and regulations, which govern these aspects, also instructing the worker on the use of work equipment and on company security and personal data protection”.

With Decision No. 17 of 23 January 2020, the Italian Data Protection Authority fined an Italian university for failing to properly protect the confidentiality of the identification data of two whistleblowers who had reported possible unlawful conduct. In doing so, the Authority stressed that the employer, as “Controller” within the meaning of Article 4 of Regulation (EU) 2016/679 (the “GDPR”), is obliged to implement technical and organisational measures fit to protect the personal data it processes (cf. Newsletter of the Italian Data Protection Authority No. 462 of 18 February 2020).

In particular, at the time of the facts, in order to comply with its obligation to protect employees who report unlawful conduct in the workplace (so-called “whistleblowing”, introduced into the Italian legal system by Legislative Decree No. 165 of 30 March 2001), the University had chosen a technological solution: to receive and manage reports of offences it used a software platform supplied by a third party outside the University’s organisation.

During a change and update of the software platform, access credentials were overwritten, with the result that the personal data of the two whistleblowers were exposed on the public internet, where anyone who searched for them could find and view them.

The University therefore notified the data breach to the Italian Data Protection Authority, reporting that ordinary personal data of the two whistleblowers had been disseminated on the public web, where they could potentially be consulted by anyone.

The Authority’s investigation found that the University had not adopted technical and organisational measures adequate to meet “the security and confidentiality needs typical of data management within whistleblowing procedures”; moreover, the University had failed to define a proper access-control procedure that would have limited the processing to authorised staff.

In fact, the University had simply adopted the security measures chosen by the software supplier. Those measures were neither suitable nor adequate: they did not provide for encryption of the data, nor for a secure communication protocol (such as TLS) for data in transit, and so allowed the confidentiality and integrity of the personal data to be compromised, as well as their improper storage and accessibility. Accepting a supplier’s default configuration does not discharge the controller’s own duty under Article 32 of the GDPR to assess whether the measures are appropriate to the risk and to verify that they actually work.

In particular, the Italian Data Protection Authority held that “As regards the application at issue, in light of the nature, the scope and the aim of the processing, as well as of the high risk for the rights and freedoms of the whistleblowers, the solution adopted by the University can in no way be deemed a technical measure fit to ensure the confidentiality and the integrity of the data processed as well as the authenticity of the website used by the users both as a whistleblowing channel (employees, students, etc.) and as a tool for managing any whistleblowing (Head of Corruption Prevention and of Transparency, i.e. RPCT, and the respective collaborators, if any)”.
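The two controls the Authority found missing, a role-based access procedure and encryption of the whistleblowers’ data, can be illustrated in code. The following is an added example, not code from the decision, from the University or from its supplier’s platform. It assumes a hypothetical data model (report id, reporter identity, report body), three made-up role names (only the RPCT role is taken from the decision), constructed sample data, and a standard-library encrypt-then-MAC construction used so that it runs anywhere; a real platform would use a vetted AEAD such as AES-GCM instead. The `raw_rows` method stands in for what an attacker sees when the access layer is bypassed, as happened when the platform update overwrote the credentials: with the identity encrypted at rest, only ciphertext is exposed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical role names. The decision names the RPCT (Head of Corruption
# Prevention and Transparency) as the handler of reports; the others are assumed.
ROLE_RPCT = "RPCT"
ROLE_STAFF = "STAFF"
ROLE_ANONYMOUS = "ANONYMOUS"


class AccessDenied(Exception):
    """Raised when a session role may not see a whistleblower's identity."""


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separated sub-keys so the keystream key and the MAC key differ.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_block(enc_key: bytes, nonce: bytes, counter: int) -> bytes:
    return hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream (stdlib only).

    Output layout: 16-byte random nonce || ciphertext || 32-byte HMAC tag.
    """
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    body = bytearray()
    for i in range(0, len(plaintext), 32):
        block = _keystream_block(enc_key, nonce, i // 32)
        body.extend(a ^ b for a, b in zip(plaintext[i:i + 32], block))
    tag = hmac.new(mac_key, nonce + bytes(body), hashlib.sha256).digest()
    return nonce + bytes(body) + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; anything altered or too short is rejected."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    plain = bytearray()
    for i in range(0, len(body), 32):
        block = _keystream_block(enc_key, nonce, i // 32)
        plain.extend(a ^ b for a, b in zip(body[i:i + 32], block))
    return bytes(plain)


@dataclass
class ReportStore:
    """Minimal whistleblowing store: identity encrypted at rest, access gated by role."""
    key: bytes
    _records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def submit(self, report_id: str, reporter_identity: str, body: str) -> None:
        # Assumption: only the identity is encrypted; the body stays readable for triage.
        self._records[report_id] = {
            "identity": encrypt(self.key, reporter_identity.encode()),
            "body": body,
        }

    def read_identity(self, session_role: str, report_id: str) -> str:
        # The access-control procedure the University lacked: only the RPCT may
        # resolve a whistleblower's identity, and every attempt is logged.
        if session_role != ROLE_RPCT:
            self.audit.append(("DENY", session_role, report_id))
            raise AccessDenied(f"role {session_role} may not read identity of {report_id}")
        self.audit.append(("ALLOW", session_role, report_id))
        return decrypt(self.key, self._records[report_id]["identity"]).decode()

    def raw_rows(self) -> dict:
        # What leaks if the access layer is bypassed (e.g. overwritten credentials
        # after a platform update): the stored rows, with the identity as ciphertext.
        return self._records


def demo() -> dict:
    """Run the scenario on constructed data and return what each role obtained."""
    store = ReportStore(key=secrets.token_bytes(32))
    store.submit("rep-001", "constructed whistleblower identity", "constructed report text")
    result = {}
    for role in (ROLE_ANONYMOUS, ROLE_STAFF, ROLE_RPCT):
        try:
            result[role] = store.read_identity(role, "rep-001")
        except AccessDenied:
            result[role] = None
    leaked = store.raw_rows()["rep-001"]["identity"]
    result["plaintext_in_raw_row"] = b"whistleblower" in leaked
    result["audit"] = list(store.audit)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running `demo()` shows the anonymous and staff sessions denied and logged, the RPCT session obtaining the identity, and the raw row containing no plaintext; `decrypt` refuses a ciphertext whose tag does not match, which is the integrity property the Authority also found lacking.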
