By judgment No. 18168 of 26 June 2023, the Italian Court of Cassation once again addressed the issue of the limits of employer controls via the use of IT tools, establishing the unlawfulness of dismissal and the non-usability of evidence gathered following a check on an employee’s company e-mail carried out by the employer company in breach of, inter alia, the provisions on the protection of personal data.

The facts of the case

The procedural case stems from a disciplinary measure against a worker for ‘insubordinate conduct and breach of the duties of diligence and loyalty as well as of the general principles of fairness and good faith’ because, among other things, he had had dealings with competitors.

The evidence relating to the alleged facts had been collected following an indiscriminate investigation carried out by the company into the company email assigned to the worker.

The Court of Appeal, in upholding the first instance ruling, found that the dismissal was unlawful and ordered the company to pay sums in lieu of notice, as supplementary indemnity, and as amounts due as severance pay (TFR).

The unsuccessful company thus appealed to the Italian Court of Cassation.

‘Defensive controls’

On this occasion, the Court of Cassation once again returned to the issue of so-called ‘defensive controls’, reaffirming the distinction between a. ‘controls in defence of the company’s assets’ and b. ‘defensive controls in the strict sense’.

a. The ‘controls in defence of company assets’

The ‘controls in defence of company assets’ concern all employees (or groups of employees) who in carrying out their work are in contact with company assets and must necessarily be carried out in compliance with, and within the limits of, the provisions of Article 4 of the Italian Workers’ Statute (Italian Law No. 300/70).

b. ‘Defensive controls in the strict sense’

The ‘defensive controls in the strict sense’, on the other hand, are aimed at ascertaining specific unlawful conduct attributable, on the basis of specific indications, to individual workers and ‘remain, even today, outside the scope of application of Article 4’; these controls must be targeted and implemented ex post, prompted, therefore, by episodes that have already occurred ‘because only from that point onwards the employer can collect usable information’.

The decision of the Italian Court of Cassation

Returning to the present case, the Court of Appeal found that the company:

  • had not given reasons justifying access to and monitoring of the e-mail inbox;
  • had carried out its investigations ‘indiscriminately [on] all communications on the company PC in use’ without, inter alia, establishing a time limit for the search;
  • had not proved that it had informed the worker in advance of the possibility that his communications might be monitored nor ‘of the nature and extent of the monitoring or the level of intrusion in his correspondence’;
  • had engaged in such conduct without complying with the company regulations governing the use of company e-mails.

Since it is not possible ‘to remove the worker’s relationship with his employer from the general rules on the protection of personal data’, the Italian Court of Cassation itself – which refers to the founding principles of the matter including (i) the principles of minimisation and proportionality (ii) the principles of relevance and non-excessiveness with respect to a lawful purpose as well as (iii) the principles of transparency and fairness – clarifies that even in the context of a ‘defensive control in the strict sense’ it is necessary to ensure ‘a correct balance between the employer’s needs to protect the company’s assets and property and the indispensable protection of the worker’s dignity and confidentiality’.

For all these reasons, the Court concludes, the second instance judges correctly assessed the balance between the conduct engaged in by the company and the resulting level of intrusion into the worker’s private life.

The Italian Court of Cassation rejected the appeal, finding against the appellant company and upholding the unlawfulness of the dismissal as well as the unusability of the unlawfully acquired data.

By referring to the case law of the European Court of Human Rights (specifically, the case Barbulescu v. Romania, 5 September 2017), the Italian Court of Cassation indicated the elements useful for guiding the Italian judge’s balancing act in cases of ‘defensive checks in the strict sense’:

  • informing the worker about the possibility of the employer taking monitoring measures;
  • the level of intrusion into the private sphere of employees, taking into account, inter alia, the more or less private nature of the place in which monitoring takes place, the spatial and temporal limits of the monitoring, and the number of persons who have access to its results;
  • the existence of a justification for the use of surveillance and its extension on lawful grounds;
  • the assessment, based on the specific circumstances of each case, of whether the lawful purpose pursued by the employer could be achieved by causing a lower level of invasion of privacy;
  • verification of how the employer used the results and whether they served the stated purpose;
  • the provision of adequate guarantees to the employee on the level of intrusion of the surveillance measures.

Other related insights:

The Data Protection Authority, with “Measure no. 216 dated 4 December 2019”, confirmed an already consolidated position, according to which an employer that keeps an employee’s company email account active after the termination of the employment contract and accesses the emails contained in the mailbox commits an offence.

The case

A company brought an action before the labour court against a former employee because he offered products in direct competition with its own products. The information in support of the action had been collected by the applicant company by logging in to the former employee’s email account even after the termination of the employment contract.

The worker thus complained to the Data Protection Authority, claiming that his former employer had not deactivated his email account and had accessed the messages he had received.

The company, in challenging the complaint filed by the employee, stated that (i) the failure to deactivate the account and the simultaneous forwarding of emails to the address of the head of the Information Technology department had been arranged because the former employee had failed to send customers a communication with the new company references. It added, moreover, that (ii) only correspondence containing business messages had been opened and not personal messages and that (iii) the former employee was aware of the “business practice” according to which the employer, after the termination of the contract, would check correspondence addressed to him.

Acknowledging that the facts complained of are prior to the entry into force of EU Regulation 2016/679 and that the information was given to employees verbally, the Data Protection Authority in any case declared the repeated use of the individual company account of a person no longer belonging to that company organisation unlawful.

The Data Protection Authority, in fact, stated that the employer must act in accordance with the principles of lawfulness, necessity and proportionality, which are the foundations of the matter of personal data protection, ordering the removal of corporate email accounts attributable to identified or identifiable persons. At the same time as closing the account, according to the Authority, the employer is obliged, if necessary, to equip itself with automatic systems to inform third parties and provide them with alternative addresses to contact. In addition, the employer must take appropriate measures to prevent incoming messages from being displayed throughout the period when the automatic system is active.

According to the provisions of the Measure, it is the implementation of appropriate technical and organisational measures that makes it possible to balance, on the one hand, the interest of the owner (i.e. the employer) in accessing the information necessary for it to continue the management of the work activity and, on the other hand, respect for the worker’s legitimate expectation of confidentiality of correspondence. In addition, in the opinion of the Data Protection Authority, the adoption of internal rules on the basis of which information on the technical and organisational management adopted is shared with employees is one of the correct measures to be implemented.