By judgment of 26 September 2023, no. 46188, the Italian Court of Cassation, Third Chamber, ruled on the components necessary for the offence referred to in Article 4 of Italian Law no. 300 of 1970 (the “Workers’ Charter”) stating that the installation of a video surveillance system without the authorisation required by law does not constitute an offence if there are no employees within the company premises and if the system does not imply effective monitoring of work activities.
The Court of Messina held the owner of a commercial establishment to be criminally liable for the offence referred to in Article 4 of Italian Law no. 300 of 1970 , ordering it to pay a fine of EUR 3,000 for having installed a video surveillance system inside its business premises in the absence, in this case, of authorisation from the Territorial Labour Inspectorate (Ispettorato Territoriale del Lavoro, “ITL”).
The owner appealed against this decision to the Italian Court of Cassation, on the ground, among others, of the breach of Article 4 of the Workers’ Charter arguing that the Court of first instance had not provided information on two central aspects of the offence, namely (i) whether the system was used to record images and (ii) whether employees were employed at the owner’s company.
The applicant stated that the system installed was closed-circuit, did not involve any image recording, and that its company had no staff.
In ruling on the case, the Italian Court of Cassation took the opportunity to briefly summarise the rules and principles in force regarding video surveillance and remote monitoring of workers.
First, it pointed out that the presence of employees in the place filmed by the video surveillance systems is “an essential requirement for the offence in dispute”, since the provision referred to in Article 4, paragraph 1, of the Workers’ Charter is specifically aimed at regulating the employer’s use of audio-visual systems – and other tools which may also enable remote monitoring – “of workers’ activities”.
Secondly, the Italian Court of Cassation noted that there is no breach of the legislation if a system, although installed in the absence of an agreement with the legitimate trade union representatives or an authorisation from the ITL, “is strictly for the purpose of protection of the company’s assets”, provided that (i) “its use does not imply significant monitoring of the ordinary performance of employees’ work activities” or (ii) “necessarily remains “confidential” to enable the investigation of serious unlawful conduct”.
However, the decision of the court of first instance did not clarify whether the conditions referred to in paragraphs (i) and (ii) above were fulfilled in the present case. Consequently, an assessment of the merits of those conditions required the Court to set aside the judgment and refer the judgment under appeal back to the same Court sitting in a different composition.
Other related insights:
In the last few days, Italian online services and sites, including the websites of the Senate and the Ministry of Defence, have suffered a cyber-attack from a group of Russian cybercriminals. Vittorio De Luca, from Studio De Luca & Partners said:
“Cyber-attacks are a daily occurrence and no one can consider themselves safe. Attacks on institutions cause a stir, but for years hundreds of companies suffered daily attacks from cybercriminals. These attacks have a considerable impact on productivity and lead to data theft, service disruption and image damage. Robust cyber security is essential to protect a company’s knowledge assets and ensure business continuity. GDPR requires small and large companies to conduct a survey of their cyber risk exposure and the impact they could have on their business. An “incident” response plan must be prepared, security policies and measures to protect the IT system must be adopted. There must be periodic audits. It is essential to raise employee awareness on cyber security through training sessions, so that they can recognise and deal with the various threats. Protection from cyber-attacks takes place in two phases – prevention and protection. If there is a successful attack, companies must inform the data protection authority, and initiate a data breach procedure within 72 hours of becoming aware of the violation.”