DLP Insights

Italian Court of Cassation: Defence checks on employee’s company e-mail

Categories: DLP Insights, Legislation | Tag: account di posta aziendale, controlli datoriali, Dismissal, Court of Cassation

31 Jul 2023

By judgment No. 18168 of 26 June 2023, the Italian Court of Cassation once again addressed the issue of the limits of employer controls via the use of IT tools, establishing the unlawfulness of dismissal and the non-usability of evidence gathered following a check on an employee’s company e-mail carried out by the employer company in breach of, inter alia, the provisions on the protection of personal data.

The facts of the case

The procedural case stems from a disciplinary measure against a worker for ‘insubordinate conduct and breach of the duties of diligence and loyalty as well as of the general principles of fairness and good faith’ because, among other things, he had had dealings with competitors.

The evidence relating to the alleged facts had been collected following an indiscriminate investigation carried out by the company into the company email assigned to the worker.

The Court of Appeal, in upholding the first instance ruling, found that the dismissal was unlawful and ordered the company to pay sums in lieu of notice supplementary indemnity, and as amounts due as severance pay (TFR)

The unsuccessful company thus appealed to the Italian Court of Cassation.

‘Defensive controls’

On this occasion, the Court of Cassation once again returned to the issue of so-called ‘defensive controls’, reaffirming the distinction between a. ‘controls in defence of the company’s assets’ and b. ‘defensive controls in the strict sense’.

a. The ‘controls in defence of company assets’

The ‘controls in defence of company assets’ concern all employees (or groups of employees) who in carrying out their work are in contact with company assets and must necessarily be carried out in compliance with, and within the limits of, the provisions of Article 4 of the Italian Workers’ Statute (Italian Law No. 300/70).

b. ‘Defensive controls in the strict sense

The ‘defensive controls in the strict sense’, on the other hand, are aimed at ascertaining specific unlawful conduct attributable, on the basis of specific indications, to individual workers and ‘remain, even today, outside the scope of application of Article 4’; these controls must be targeted and implemented ex post, prompted, therefore, by episodes that have already occurred ‘because only from that point onwards the employer can collect usable information’.

The decision of the Italian Court of Cassation

Returning to the present case, the Court of Appeal found that the company:

  • had not given reasons justifying access to and monitoring of the e-mail inbox;
  • had carried out its investigations ‘indiscriminately [on] all communications on the company PC in use’ without, inter alia, establishing a time limit for the search;
  • had not proved that he had informed the worker in advance of the possibility that his communications might be monitored nor ‘of the nature and extent of the monitoring or the level of intrusion in his correspondence’;
  • had engaged in such conduct without complying with the company regulations governing the use of company e-mails.

Since it is not possible ‘to remove the worker’s relationship with his employer from the general rules on the protection of personal data’, the Italian Court of Cassation itself – which refers to the founding principles of the matter including (i) the principles of minimisation and proportionality (ii) the principles of relevance and non-excessiveness with respect to a lawful purpose as well as (iii) the principles of transparency and fairness – clarifies that even in the context of a ‘defensive control in the strict sense’ it is necessary to ensure ‘a correct balance between the employer’s needs to protect the company’s assets and property and the indispensable protection of the worker’s dignity and confidentiality’.

For all these reasons, the Court concludes, the second instance judges correctly assessed the balance between the conduct engaged in by the company and the resulting level of intrusion into the worker’s private life.

The Italian Court of Cassation rejected the appeal, finding against the appellant company and upholding the unlawfulness of the dismissal as well as the unusability of the unlawfully acquired data.

The Italian Court of Cassation indicated the elements useful for guiding the Italian judge’s balancing act in cases of ‘defensive checks in the strict sense’:

By referring to the case law of the European Court of Human Rights (specifically, the case Barbulescu v. Romania, 5 September 2017), the Italian Court of Cassation indicated the elements useful for guiding the Italian judge’s balancing act in cases of ‘defensive checks in the strict sense’:

  • informing the worker about the possibility of the employer taking monitoring measures;
  • the level of intrusion into the private sphere of employees, taking into account, inter alia, the more or less private nature of the place in which monitoring takes place, the spatial and temporal limits of the monitoring, and the number of persons who have access to its results;
  • the existence of a justification for the use of surveillance and its extension on lawful grounds;
  • the assessment, based on the specific circumstances of each case, of whether the lawful purpose pursued by the employer could be achieved by causing a lower level of invasion of privacy;
  • verification of how the employer used the results and whether they served the stated purpose;
  • the provision of adequate guarantees to the employee on the level of intrusion of the surveillance measures.

Other related insights:

More insights