As is well known, on 23 February 2023 the European Commission requested its employees and collaborators to uninstall the TikTok social network application from their business and personal electronic devices. This request was accompanied by the notice that, for those who had not uninstalled the social network by 15 March, it would no longer be possible to access other company applications such as the e-mail box or Skype services.
The decision taken by the European entity derives from a need to protect the data and information of those who work for it as well as from the need to increase IT security.

Could a private sector employer in Italy take the same decision?
In an attempt to provide an answer to this complex question, it is first of all necessary to distinguish between business and personal devices. If electronic tools, including mobile phones, are provided by the employer, they are company equipment and, as such, the employer has the ability to implement a certain level of ‘control’ over them.

In fact, through the identification and adoption of internal policies defining rules for the correct use of the work tools with which its employees are equipped, the employer may introduce rules to prevent the improper use of the assigned tool and prohibit its use for personal purposes rather than prohibiting the installation of applications not connected to work activities on the device.

In the event of assignment of company tools, it is therefore highly recommended to implement internal policies and regulations that govern their correct use by assignees. In fact, these aspects have across-the-board consequences related to the management of the employment relationship. Just think, for example, of topics relating to (i) employment law, which also include aspects relating to disciplinary sanctions that can be adopted in the event of a breach of company rules as well as the correct exercise of control powers by the employer, (ii) the protection of personal data, both of the employees themselves and of the data they process due to their duties, as well as (iii) health and safety and the risks to which the employees who use them could be exposed.

However, different conclusions can be reached on the subject of personal devices. Since these are, in fact, the employee’s own tools, the employer can limit, or even possibly exclude, the use of personal mobile phones during the workday without, however, entering into the merits of what can or cannot be installed on them.

Lastly, the use of electronic instruments, whether personal or business, exposes corporate assets to the risk of accidental loss, theft and dissemination. Therefore, employers must take care to adopt all appropriate measures to ensure sufficiently high levels of safety in full compliance with all applicable regulations in such circumstances.

On the basis of the considerations set out above, which in any case merit further investigation, it does not appear possible for an Italian employer to intervene directly on the personal electronic devices of its employees in the same way as the European Commission. However, defining, adopting and updating policies over time that regulate the use of work tools or the use of personal devices – during, for example, rest times during the working day – appears to be a fundamental measure that companies should consider in the broader definition of the strategic plan for the protection of both corporate assets and the parties that make up the reference organisation.

On 5 December last, the Data Protection Supervisory Authority (the “Authority”) developed FAQ (“Frequently Asked Questions”) on personal data processing carried out by public and private entities using video surveillance systems.

The Authority’s clarifications take account of what was introduced by Regulation (EU) 2016/679 on personal data protection (known as “GDPR”) and by the Guidelines adopted by the European Data Protection Board (“EDPB”) on the point.

The FAQ clarify, firstly, that (i) processing carried out using video surveillance systems must be performed in respect of the principle of minimisation, in relation to the choice of recording methods and the positioning of the system, and (ii) the data processed must be pertinent and not excessive with respect to the purposes pursued.

Based upon the principle of accountability, it is the duty of each Controller to carry out assessments of the lawfulness and proportionality of processing, considering the context and respective purposes, as well as the risk to the rights and freedoms of the data subjects.

In the Authority’s opinion, each Controller must assess if the requirements are in place to carry out a data protection impact assessment (“DPIA”) before commencing the processing.

In relation to the privacy notice to be provided to the data subjects, the FAQ specify that the simplified model (warning sign), developed by the EDPB and disseminated with its Guidelines, may be adopted. The sign must contain (i) contact details of the Controller and, where present, Data Protection Officer (DPO); (ii) storage period of information collected and (iii) purposes of processing carried out. The sign must be positioned before the surveilled area, so that the data subjects can see which area is covered by a video camera, and must refer to a complete privacy notice containing all information indicated in Article 13 of the GDPR, including indications on the methods of acknowledgement.

The Authority also reiterates that the recorded images should be erased after a few days (24/48 hours) and that the longer the storage period, the more detailed the analysis on the legitimacy of the purpose and the actual need for longer storage must be.

Finally, it is noted that video surveillance systems can only be installed in workplaces for organisational and production requirements, for workplace safety and protection of company property, in respect of the guarantees envisaged by Article 4 of Italian Law no. 300/1970.

◊◊◊◊

In conclusion, the FAQ, available on the Authority’s website (www.garanteprivacy.it), contain indications on the necessary requirements in order for personal data processing carried out using video surveillance systems to be lawful.

The FAQ supersede, albeit partially, the previous “Measure on video surveillance dated 8 April 2010”, adjusting the provisions contained therein to what was introduced by the GDPR and by the EDPB Guidelines.
