Q&A

Data Protection

Last update : 26/04/2023
Is the employer allowed to use security camera recordings to challenge a disciplinary infringement?

By order no. 8375 of March 23rd, 2023, the Italian Court of Cassation, Labour Section, confirmed that recordings from video surveillance systems installed for security purposes are admissible to prove an employee’s disciplinary breach, provided, however, that such systems are installed in compliance with the guarantees set forth in Article 4 of the Workers’ Statute. Pursuant to that article, audiovisual systems and other devices that make remote control of workers’ activities possible (including video surveillance systems) may be used by the employer exclusively for:

  • organizational and productive needs;
  • safety at workplace;
  • safeguarding corporate assets.

Moreover, Article 4 states that such instruments may only be installed subject to the formalization of a collective agreement with trade

Last update : 22/03/2023
Company e-mail: how shall the employer manage a former employee's e-mail account?

In accordance with a settled guideline, the Italian Data Protection Authority stated that the employer, consistently with the applicable fundamental principles of data protection, is required, after the termination of an employment relationship, to remove and deactivate the company e-mail accounts of the former employee if referable to an identified or identifiable person. This must be done within a reasonable period after the termination of the employment relationship, which may be commensurate, in practice, with the technical time required to prepare the necessary measures.

According to the Authority, moreover, the employer, together with the closure of the account, is required to:

  • set up automatic systems aimed at informing third-party senders of the deactivation of the former employee’s account and providing information on the different company representatives to be contacted, indicating their e-mail addresses;
  • take appropriate measures to prevent the display of incoming messages on the former employee’s account for as long as the automatic system is operating.

Last update : 08/03/2023
During a recruitment process, should a recruiter inform the candidate about the processing of personal data? If yes, when shall the information be provided?

In general terms, articles 13 and 14 of the General Data Protection Regulation 2016/679 (“GDPR”) oblige the data controller to provide data subjects with complete and accurate information about the processing of their personal data. This obligation must also be complied with in relation to the processing of personal data carried out in the context of recruitment activities: the recruiter, when processing candidates’ personal information, shall indeed necessarily provide them with a data protection information notice containing all the information referred to in Articles 13 and 14 of the GDPR above.

Where personal data are collected directly from the candidate, this information shall be provided at the time of their acquisition. If, on the other hand, personal data are not obtained from the candidate, the information shall be provided (i) within a reasonable period of time after obtaining the personal data, but at the latest within one month, in view of the specific circumstances in which the personal data are processed; (ii) if the personal data are intended for communication with the data subject, at the latest upon the first communication; or (iii) if a communication to another recipient is envisaged, no later than the first communication of the personal data.

Last update : 22/02/2023
Is it possible for the employer to install an App on the devices (e.g., mobile phone) of the employees for the purpose of recording time and attendance in the workplace, where the App also includes the use of geolocation data?

The Italian Data Protection Authority came out in favor of the possibility of installing, on employees’ devices, Apps for tracking the start and end time of working activities, also with geolocation functions. According to the Authority, it is nevertheless necessary for the employer to comply with appropriate security measures to protect employees’ rights. Among others, the Data Protection Authority ruled that:

  • the attendance management system must be designed in compliance with the data protection principles of “Privacy by design” and “Privacy by default”;
  • the employer, once it has verified the match between the employee’s position and the geographic coordinates of the place of work, may, if necessary, store only the data of the latter position, the date and the time of stamping, deleting instead the data relating to the employee’s position;
  • the screen of the device in use by the employee must always display an icon indicating that the localization functionality is active;
  • the App must be set up in such a way as to prevent the processing, even accidentally, of other data contained in the employee’s device;
  • the employer must provide the concerned employees with a privacy disclaimer including all the elements required by the applicable data protection law, as well as take all the security measures needed to preserve the integrity of the data and prevent access by unauthorized persons.

The contents of this Section are not intended as a technical and/or legal opinion or other professional advice of any nature.
The contents of this Section are provided merely as information for public outreach purposes; they are not exhaustive and may be removed or amended at any time.
For specific problems or situations, you will need to seek specific advice.
The Firm disclaims all liability for any damages, whether direct or indirect, incidental or consequential, resulting from proper or improper use of the contents of this Section.