The Court of Cassation, IV Criminal Section, in its ruling no. 22256 of 3 March 2021 (filed on 8 June), ruled on the existence of the requisites of interest and advantage of the entity in cases of culpable offences for violation of accident prevention regulations under Legislative Decree no. 231/01 on administrative liability of entities.

Facts of the case

The case concerned a workplace accident involving a driver in a waste sorting plant, who got out of his vehicle while removing the cover of a container to unload the material coming from the sorted waste collection. The employee was hit by another worker’s forklift truck and suffered serious injuries.

The Court of First Instance and the Court of Appeal found the defendant employer guilty of the offence of culpable injury aggravated by breach of the rules on accident prevention.  This was because they were held to be consequential to the infringement of the combined provisions of Articles 63 and 64 paragraph 1 of Italian Legislative Decree no. 81/2008 (respectively under the headings “Health and safety requirements” and “Employer’s obligations“) for the employer’s failure to organise a safe road system by using signs and road markings, regulating traffic in the external yard of the waste sorting plant, separating the traffic lanes, indicating the storage areas and the lanes intended for forklifts and pedestrians, and areas for manoeuvring vehicles.

The judges declared that the company was liable for an administrative offence (under Articles 5, paragraph 1, letter a) and 25-septies, paragraph 3) of Legislative Decree no. 231/2001), while recognising an extenuating circumstance, the company was ordered to pay an administrative fine (of €12,900).

According to the Court, the company was guilty of failing to assess the risk of injury resulting from possible interference between the drivers of the forklift trucks and the workers unloading the material. This liability stemmed from the reduction in the costs of the consultant’s work for the revision of the DUVRI (single document on the assessment of risk from interference) and the increase in the speed of production due to the failure to take the necessary measures.

An appeal was lodged against the Court of Appeal’s ruling.

The Supreme Court of Cassation’s ruling

The Court of Cassation clarified that (i) the concepts of interest and advantage must necessarily refer to the conduct and not the event and, (ii) they are alternatively applicable. The interest requirement must be assessed at the time of the fact, while the advantage requirement must be evaluated later, based on the effects practically derived from the offence committed.

The Court of Cassation specified that:

  • the interest requirement is met if the offender knowingly violates the precautionary rule to obtain a benefit for the organisation, while
  • the advantage requirement exists when the party systematically violates the prevention rules, allowing a reduction in costs and a containment of expenditure with a consequent profit advantage.

According to the Court of Cassation, the appealed ruling did not clarify the evidence from which it deduced the advantage obtained by the organisation in terms of cost savings and acceleration of the production process. In its opinion, the cost savings were small, and the company had generally complied with the accident prevention regulations.

For these reasons, the Court of Cassation upheld the Court of Appeal’s ruling insofar as it had recognised the employer’s liability as an individual. It annulled the ruling where it had identified the entity administrative liability and referred the case back to the relevant Court of Appeal in a different composition.

Other related insights:

Decree-Law no.  82/2021 (the “Decree“) was published in the Official Gazette on 14 June, containing “urgent provisions on cyber-security – definition of the national cyber-security architecture and establishment of the National Cyber-security Agency” .

The term “Cyber-security” means “activities necessary to protect networks, information systems, computer services and electronic communications from cyber threats, ensuring their availability, confidentiality, integrity and resilience” (Art. 1, paragraph 1, letter a).

The Interministerial Committee on cyber-security

The Decree, which consists of 19 articles, institutionalises the “Interministerial Committee for cyber-security” (“CIC“). CIC performs advisory, proposal and supervisory functions in the field of cyber-security policies, including the protection of national security in cyberspace. In addition, CIC has the following tasks:

  • advising the Prime Minister on general national cyber-security policies guidelines;
  • supervising national cyber-security strategy;
  • promoting the adoption of the necessary initiatives to (i) foster effective national and international cooperation, between institutional and private stakeholders in cyber-security, sharing information and (ii) adopting best practices and measures aimed at cyber-security and industrial, technological and scientific development in the cyber-security field;
  • providing an opinion on the national cyber-security Agency’s budget and balance sheet.

National Cyber Security Agency

Among the Decree’s main features is the establishment of the “National Cyber-security Agency” (“NCA” or “Agency“). The Decree specifies its functions by clarifying its composition and organisation. A special regulation, to be approved within 120 days from the entry into force of the Decree, shall define the Agency’s functioning, which is composed of eight general management level offices and thirty non-general management level offices within the available resources (art. 12 paragraph 1).

The Agency is the main body in the cyber-security field, acting as a national authority and centralising the various expertise hitherto attributed to other bodies, including those of the Ministry of Economic Development. Its tasks include:

  • protecting national interests and essential state functions from cyber threats;
  • developing national prevention, monitoring, detection and mitigation capabilities to deal with cyber-security incidents and cyber-attacks;
  • enhancing the security of Information and Communications Technology (“ICT”) systems of entities included in the national cyber security perimeter, public administrations, essential service operators and digital service providers;
  • supporting the development of industrial, technological and scientific skills, promoting projects for innovation and development, while stimulating the growth of a solid national workforce in the cyber-security field aiming at national strategic autonomy;
  • providing a single national stakeholder for public and private entities in the field of security measures and inspection activities in the national cyber-security perimeter, security of networks, information systems, and electronic communication networks.

Cyber-security Unit

The Agency is supported by the “Cyber-security unit“, which supports the Prime Minister, for aspects relating to the prevention and preparation for possible crises and the activation of warning procedures. The main tasks entrusted to this body include:

  • formulating initiatives concerning the country’s cyber-security;
  • promoting, programming and operational planning of the response to cyber crisis situations by administrations and private operators;
  • conducting inter-ministerial exercises, i.e. national participation in international exercises involving the simulation of cyber events to increase the country’s resilience and involvement in cyber-security crises.

◊◊◊◊

By 30 April of each year, the Prime Minister must report to Parliament on the Agency’s activity in the previous year. As an Italian National Coordination Centre, the Agency will interface with the “European Cyber-security Industrial, Technology and Research Competence Centre“, contributing to increasing the European strategic autonomy in the sector.

Other related insights:

The Court of Cassation, with order No. 18292 issued on 3 September 2020, has pointed out that failure to arrange the relevant technical and organisational measures safeguarding the protection of the personal data of the data subject is comparable to the organisational fault linked to the failure to adopt an organisational model pursuant to Legislative Decree No. 231/2001.

The facts of the case

In the case at issue, a local authority lodged an appeal before the Court of Cassation against an injunction order of the Italian Data Protection Authority with which a sanction had been inflicted thereto for having published the personal data of one of its civil servants beyond the 15 day term provided for under article 124 TUEL (“Local Authorities Consolidation Act”) in the online municipal notice board.

Indeed, it was ascertained that the City had kept some decisions visible for more than one year, from which the following were clear (i) name and surname of the data subject, (ii) existence of litigation between the data subject and the City, (iii) family certificate and (iv) the circumstances that the data subject lived by herself, had made a request for paying the amount due by instalments and that the request had not been accepted.

To back its own position, the City objected that the fault for the failure to cancel the data of the data subject from the online municipal city board needed to be attributed to an outside consultant who had been instructed to configure the Internet Website in compliance with the laws and regulations currently in force.

The decision of the Court of Cassation

In rejecting the appeal, the Court of Cassation clarified that the employee’s data did not concern any “aspect of the organisation”, they did not amount to “indicators concerning the operating trend and the use of resources”, nor did they even represent “results of the activity related to the measurement and assessment carried out by the competent bodies”. Therefore, the respective publication beyond the term fixed by law could not be deemed to be lawful.

Then, in so far as the liability of the outside consultant is concerned, the Court of Cassation has specified that the Data Controller, pursuant to article 4 of Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “GDPR”) is the legal entity and not the legal representative or the director, therefore, standalone liability precisely on the legal entity’s side takes shape. This liability, the judges carry on, must be understood as “fault on the organisation’s side”, that is “reprimand arising out of the breach by the authority of the obligation to take the necessary organisational and operating precautions to prevent the perpetration of the breaches of the law”, “just like under Legislative Decree No. 231/2001 on liability of entities arising out of crime”.

In light of the foregoing, the Court of Cassation reached the conclusion that the delay in removing the published data from the online municipal notice board is “may be fully traced back to the scope of authority of the Entity and of its own apparatus”.

Conclusions

With the order under examination, the Court of Cassation finds an important similarity between the subject matter of the protection of personal data and that of liability of entities arising out of crime, by precisely comparing and making the failure to adopt adequate technical and organisational measures (under article 32 GDPR) equal to the so-called “fault on the organisation’s side” foreseen by Legislative Decree No. 231/2001.

Others Insights related:

The provision included in article 42, paragraph 2, of the “Cura Italia” Decree (Legislative Decree No. 18/2020) states that the Coronavirus infection contracted in the workplace is treated as an accident at work. This qualification opens the way to profiles of relevance, in term of responsibility, of the conduct attributable to the employer for non-compliance with safety standards in the workplace. As is well known, the protection of the employees’ psychophysical integrity, including from the biological risk they are exposed to in the performance of their work activities, constitutes a specific burden on the employer pursuant to Article 2087 of the Italian Civil Code.

In addition to this general rule, the special provisions contained in Legislative Decree no. 81/2008 and in the “Shared protocol to regulate measures to counter and contain the spread of Covid-19 virus in the workplace” also play a fundamental role.

In summary, under certain conditions, the violation of the provisions at issue could have repercussion on the employer and on the company including:

  • the criminal liability of the employer where a causal link between the violation and the contagion can be assessed;
  • the administrative responsibility of the company pursuant to Legislative Decree no. 231/2001.

Continue here to read the full version of the article in Italian language.

Source: Agendadigitale.eu

News regarding the spread of Novel Coronavirus (2019-nCoV) require companies to take measures to prevent the risk of infection as far as possible, since, as it is known. In accordance with the Italian applicable law, the employer:

– pursuant to article 2087 of the Italian Civil Code, has the duty to provide all security measures to ensure the physical integrity and moral personality of the employees, and

– pursuant to Legislative Decree 81/2008, has the responsibility to protect workers from exposure to biological risk with the collaboration of the competent doctor, where present).

In this respect, it should preliminarily be noted that, in our continent, at the time, there is no sign of the spread of the epidemic, as cases of coronavirus are sporadic and not alarming. As far as the territory of Italy is concerned, the Ministry of Health stated that “the virus circulation does not exist”.

The risk of transmission, therefore, is to be considered remote, except for those who have close and long-lasting contacts with sick subjects.

Cautions must be taken in particular with regard to employees (both on-site or travelling) who, due to their duties, have relations with “Eastern Countries” and mainly with people from the areas of China where the epidemic is ongoing.

Due to the above, in accordance with the indications provided by the Italian Ministry of Health, employers must provide employees who work closely with the public with guidelines to prevent the spread of the virus, using the standard hygiene measures to limit the geographic spread of respiratory transmitted diseases, such as:

– wash hands frequently;

– pay attention to surface hygiene;

– avoid close and long-lasting contacts with those who present flu-like symptoms.

According to the Ministry of Health, if, during the work relationship, somebody gets in contact with a person who meets the definition of a “suspicious case” as defined by the circular issued by the Ministry of Health on January 27, he/she has immediately contact the health services and report that it is a suspicious case of 2019-nCoV.

While waiting for the medical staff to arrive:

– avoid close contact with the sick subject;

– provide her/him with a surgical mask;

– wash hands thoroughly and pay attention to body surfaces that may have come into contact with fluids (respiratory secretions, urine and faeces) of the sick subject;

– ask to the sick subject to throw away the used napkins directly in a waterproof bag. The bag will be discarded with the infected materials produced during the medical activities of the rescue staff.

To prevent the risk of infection, the employer is required to adopt procedures and provide the employees with hygiene instructions.

De Luca & Partners Compliance Department is at your complete disposal to provide you with the necessary support.

For further information and details, please contact Elena Cannone, Focus Team Compliance coordinator.