With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.
The document was issued following investigations carried out by the Italian DPA during which it emerged that there was a risk that computer programmes and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of e-mail accounts in use by employees, retaining them for an extended period of time. “Metadata” means information such as, for example, the day, time, sender, recipient, subject and size of the e-mail.
To ensure compliance with data protection legislation as well as the sector regulations on remote control – as is well known, governed by Article 4 of Italian Law no. 300/1970 (the “Workers’ Charter”), employers must:
In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.
In the absence of this, there is considered to be remote control of worker’s activities which may also have criminal consequences, in addition to breach of the personal data protection legislation with the following consequences; (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of limitation of retention, and (iii) breach of the principles of data protection by design and by default as well as the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used.
Other related insights:
Websites that use Google Analytics (GA), without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation“), violate data protection legislation because they transfer user data to the United States which lacks adequate protection. The Data Protection Authority (“Garante“) made its ruling with a 9 June 2022 measure, adopted after a preliminary investigation initiated based on several complaints, in coordination with other European Privacy Authorities, and published the following 23 June.
GA is a web tool provided by Google to website operators that allows them to analyse detailed statistics on users to optimise the services offered and monitor marketing campaigns.
The Authority assessed the processing carried out using this tool and showed that website operators (such as the sanctioned company) use cookies transmitted to the user’s browser to collect information on how these interact with the website, individual pages, and services offered. The data collected consists of: unique online identifiers that allow the identification of the user’s browser or device while visiting the website, and the website operator (through the Google Account ID); address, website name and navigation data; IP address of the user’s device; information on the browser, operating system, screen resolution, language selected, and date and time of website visit.
This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.
The Data Protection Authority stated that the IP address is personal data to all intents and purposes as it enables the identification of an electronic communication device, thus indirectly making the data subject identifiable as a user. This data, even if truncated, is not anonymous, given Google’s ability to associate it with other data in its possession, allowing the user re-identification.
For these reasons, the Data Protection Authority adopted the first of a series of measures with which it cautioned the company that managed the website under investigation, ordering it to comply with the Regulation within 90 days. The Data Protection Authority considered the deadline appropriate to allow the website to adopt the required transfer measures, under the penalty of suspending the data flow to the United States using GA.
At the end of the 90 days, the Data Protection Authority will conduct inspections to verify compliance with the Regulation of the transfers carried out by data controllers.
◊◊◊◊
While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees an international transfer with protections equivalent to what is required in Europe, website operators must comply with applicable legislation. This includes relying on European providers that process users’ personal data within the EU.
Other related insights:
Following a report by a group of worker-members of a cooperative, the Data Protection Authority (“Garante”) established the unlawfulness of certain processing operations carried out through the publication of information on the assessment of their work, on the company notice board.
As part of a “contest with prizes for worker-members, entitled “Guardiamoci in faccia…soci!” (Let’s look at each other…members!) to incentivise the most deserving members and […] discouraging inefficiencies”, the cooperative used to share the recipients’ assessment on a weekly basis using emoticons accompanied by summary evaluations (such as, “absenteeism”, “sickness simulation”) placed next to the image and name of each employee. This information was visible not only to the worker concerned but anyone who accessed the premises where the company notice board was placed, including external persons occasionally present on the premises, and provided a cash reward for the first three winners.
Inspections carried out by the Data Protection authority established the processing illegitimacy for violation of the fundamental principles of lawfulness, correctness, transparency and data minimisation. The Authority confirmed that the employer may lawfully process the information necessary and pertinent to the management of the employment relationship – including the data necessary to carry out an assessment of the work performance or exercise disciplinary power (in the manner and within the limits provided for by the sector’s regulations). However, the authority noted that the systematic provision of such information by posting it on the notice board allowed the processing of data to persons (such as other colleagues or third parties) who are not entitled to know information on disciplinary assessments and remarks.
In addition, the Authority confirmed that the collection of consent, in circumstances such as this case, cannot be considered a legal basis for legitimising the processing of personal data. This is because the disproportionateness between the employment relationship parties cannot presuppose consent given expressly, freely and specifically and referring to an identified processing. The consent given at the time of the approval of the members’ resolution, as claimed by the company, is “functionally different” from the consent to the processing carried out by the company for the assessment of the members’ actions.
For these reasons, the Authority confirmed that “[…] continuously submitting the assessments on the quality of the work carried out or on the performance correctness to the observation of colleagues, even if it is part of a public competition” infringes the workers’ personal dignity, freedom and privacy.
◊◊◊◊
The company appealed against the Authority’s decision first to the local court and then the Court of Cassation. In ruling no. 17911/2022, published on 1 June, the Court of Cassation rejected the appeal – confirming the Data Protection Authority’s arguments – and confirmed the principle according to which “the processing legitimacy presupposes a valid consent given expressly, freely and specifically, with reference to a clearly identified processing operation; this general principle is relevant and prevails in every relationship.”
Other related insights:
On 7 April 2022, in an injunction order issued against a hospital, the Italian Data Protection Authority (“Garante”) found that the data processing carried out as part of the management of its whistleblowing system was unlawful.
The Authority sanctioned the IT company, which was acting as a data processor, and managed the service for reporting alleged corrupt activities or unlawful conduct within the entity.
The Authority noted that under Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), the hospital in its capacity as Data Controller, failed to provide specific and prior information about personal data processing carried out following a report. This was in violation of the principle of “lawfulness, fairness and transparency”, which imposes on the data controller the obligation to provide data subjects specific information about the data processing in advance, by taking “appropriate measures” to reach recipients.
It emerged that the health authority failed (i) to trace the processing operations carried out in the Processing Register under Art. 30 of the GDPR and to carry out a preliminary privacy impact assessment.
The Authority stated that the processing of personal data using systems for acquiring and managing reports has risks for the rights and freedoms of the data subjects due to “the sensitivity of processed information, the “vulnerability” of the data subjects in the workplace, and the confidentiality regime of the whistleblower’s identity under the sector’s legislation.”
The Authority fined the hospital and the IT Company € 40,000 and gave the hospital a further 30 days to make its relationship with its supplier compliant with the relevant legislation.
◊◊◊◊
As specified in the communiqué shared by the Data Protection Authority, the investigation carried out, in this case, was part of “a series of inspections on the processing methods of data acquired through whistleblowing systems, particularly those most used in Italy by employers.”
Other related insights:
The Italian Data Protection Authority, last May 14 published a document on the Company Physician role regarding the implementation of vaccination plans for the activation of extraordinary anti-Covid-19 vaccination points, provided by the National Protocol signed on 6 April 2021.
In this document, the Data Protection Authority clarifies that the tasks assigned to the Company Physician assume the function of “general prevention measures“ to be implemented in compliance with safety at work regulations, personal data protection principles, safety protocols and updated instructions from the Ministry of Health.
The Company Physician must constantly cooperate with the employer and the health prevention and protection service in the:
Considering the ongoing emergency, the Company Physician should continue and intensify health monitoring by providing further medical examinations, for example, when employees return to work after the suspension of production activities, or if there is a gradual return of resources “to work premises.”
Recalling what has already been expressly clarified in the FAQ (“Frequently Asked Questions“) of 17 February, the Data Protection Authority reiterates that the employer must ensure that employees “are not assigned a work task without an assessment of suitability” considering “their skills and conditions concerning their health and safety” (art. 18, paragraph 1, letter c), Legislative Decree. no. 81/2008). As part of their health monitoring activities, the Company Physician is the only person entitled to process workers’ health data and check their suitability for the “specific task” (Articles 25, 39, paragraph 5, and 41, paragraph 4, Legislative Decree no. 81/2008).
The document states that compliance with the necessary allocation of roles and responsibilities between employer and physician must be ensured, including vaccination in the workplace. Although this originates from the dual need to contribute to the rapid implementation of the vaccination campaign nationally and increase safety levels in the workplace, it remains a “public health initiative.” “The general responsibility and supervision of this process is in the hands of the regional health service, through the local health authority.”