{"id":25544,"date":"2025-01-08T16:46:22","date_gmt":"2025-01-08T15:46:22","guid":{"rendered":"https:\/\/www.delucapartners.it\/news\/penalmente-sanzionabile-il-responsabile-che-accede-al-sistema-informatico-con-le-credenziali-del-sottoposto-2\/"},"modified":"2026-03-11T12:00:39","modified_gmt":"2026-03-11T11:00:39","slug":"penalmente-sanzionabile-il-responsabile-che-accede-al-sistema-informatico-con-le-credenziali-del-sottoposto","status":"publish","type":"post","link":"https:\/\/www.delucapartners.it\/en\/insights\/pubblicazioni\/penalties-may-be-imposed-on-the-manager-who-accesses-the-computer-system-by-using-a-subordinates-credentials\/","title":{"rendered":"Penalties may be imposed on the manager who accesses the computer system by using a subordinate\u2019s credentials"},"content":{"rendered":"\n

\u201cViolates the employer\u2019s directives (even if implicit, but clear) the employee who, although in a hierarchically superior position to the holder of the access credentials to a company\u2019s IT system, has them revealed in order to gain access without specific authorization: the protection of data through access credentials alone is sufficient to make such directives clear\u201d<\/em>. This has been established by the Supreme Court of Italy, Criminal Section V, no. 40295\/2024. <\/p>\n\n\n\n

The case<\/strong> <\/h2>\n\n\n\n

An employee of a hotel in Chianciano Terme (Italy) had requested from another employee, directly subordinate to him, the access keys to the company\u2019s IT system for the storage and promotional purposes of the customer database, which included about 90,000 individual records, accessing it for purposes unrelated to the mandate received. In the first two levels of judgment, was established the commission of the crime of \u00abUnauthorized access to an IT or telematic system<\/em>\u00bb, under Article 615-ter, paragraph 1, of the Italian Penal Code. <\/p>\n\n\n\n

The employee appealed to the Italian Supreme Court, claiming that it was not an abuse access, both because he had the power \u00abin his capacity as director and superior manager of the employee<\/em>\u00bb from whom he had requested for the credentials, \u00abalso for the purpose of supervising her work<\/em>\u00bb and because until shortly before, he had a personal and direct access to those data. <\/p>\n\n\n\n

The position of the Supreme Court<\/strong> <\/h2>\n\n\n\n

The Supreme Court of Italy ruled that the offence of unauthorized access to IT systems (under Article 615-ter, paragraph 1, of the Italian Penal Code) also occurs in the case of a hierarchical superior using the access credentials provided by the employee. <\/p>\n\n\n\n

The judges of the Italian Supreme Court did not find convincing the appellant\u2019s argument that relied on his power to access any company location in order to carry out checks on those hierarchically subordinate to him. In the case of an IT system protected by credentials, the Court pointed out that \u00abeach authorized person has his\/her own \u2018key\u2019 (i.e., the access credentials)<\/em>\u00bb. \u00abThis is because it is data which, quite simply, the owner considers should be protected, both by limiting access to those who are provided with such credentials and, at the same time, by ensuring that a digital trace is left of the individual access and of who carries them out <\/em>\u00bb. <\/p>\n\n\n\n

It is therefore incorrect to hold that the defendant \u00absolely by virtue of his duties, automatically had the power to access data that, on the other hand, according to the employer\u2019s discretionary assessment, were to remain available only to certain employees (even if subordinate to the appellant)<\/em> \u00bb <\/p>\n\n\n\n

Moreover, by doing so, the appellant made it \u00abfalsely appear that the access had been made by the employee who, imprudently, had revealed her credentials to him<\/em>\u00bb. \u200b <\/p>\n\n\n\n

Other related insights:\u202f\u202f<\/strong> <\/p>\n\n\n\n