The Italian Data Protection Authority sanctioned the company Foodinho S.r.l., a Glovo Group company, to pay a fine of EUR 5 million for unlawfully processing the personal data of more than 35,000 riders through its digital platform.   

Following a complex investigation carried out ex officio by the Authority, it revealed that the company, which had already been sanctioned in 2021 for unlawful processing and violations of the provisions of the privacy legislation, was carrying out “numerous and serious violations” of the GDPR. 

Among others, the company:  

1. when de-activating or blocking the rider’s account, it automatically sent a single standard message without informing the recipient of the possibility of contesting the decision and requesting that the account be restored, 
2. carried out automated processing of riders’ personal data without having taken the measures required by the regulations for the use of automated systems. In fact, the rider was not provided with the possibility of exercising the right to obtain human intervention, to express his or her opinion and to contest the decision taken through the system (n.b. on this point also the so-called “Transparency Decree”), 
3. sent, without prior notice, the riders’ personal data, including their geographical location, to third-party companies. The geolocation data were collected and processed even when the rider was not working and even when the app was in the background or not active.  

In addition to the numerous violations of privacy regulations pointed out by the Italian Data Protection Authority and partially reported herein, it is worth mentioning that the Authority highlighted that in this case, the company “while carrying out an activity of systematic control of the work performed by the riders, through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems), […], did not comply with the provisions established by Article 4, paragraph 1, of Law no. 300/1970, as it did not verify that the tools used are attributable to the purposes strictly allowed by the law (organizational and production needs, work safety and protection of the environment, and protection of the environment) nor did it activate the guarantee procedure provided for in the event of the existence of one of the aforementioned purposes (collective agreement entered into with trade union representatives or, failing that, authorization by the Italian Labor Inspectorate)”. 

In other words, the company, in addition to implementing technical and organizational security measures aimed at eliminating breaches and ceasing unlawful processing of personal data, must also take appropriate measures to comply with the provisions of the Workers’ Statute on remote control of employees. 

Other related insights: 

• Company e-mail and metadata: the Italian Data Protection Authority updates the guideline document

The Court of Trieste, Employment Section, with order of 21 December 2023, no. 525/2023 has held that so-called “vulnerable” workers’ rights to work remotely cannot be “absolute” but must be balanced with the company’s organisational and production needs as envisaged by the employer.

In the present case, a “vulnerable” employee worked remotely five days a week, under an individual fixed-term agreement. At the end of the agreed term, the employer informed the employee that, due to changed business and organisational needs, she would have to work for three days a week in person and, for the remaining two days, remotely.

In the face of this, the worker complained about the incompatibility of her state of health with in-person work, arguing the the tasks assigned to her were absolutely compatible with remote working – also taking into account that in the last three years she had carried them out entirely remotely – and highlighting the unlawfulness of the employer’s conduct for breach of Article 2087 of the Italian Civil Code. 

The employer challenged the application and claimed that it was unfounded for alleged breach of the company’s freedom of organisation, protected by Article 41 of the Italian Constitution. The employer justified the refusal to allow the employee to work entirely remotely on the basis of proven organisational reasons and reiterated the need for her presence in the workplace for at least three days a week.

The Court highlighted that the right to remote working granted to “vulnerable” workers (see Article 90, paragraph 1, of Italian Decree-Law no. 34/2020) is not an absolute right but a right expressly subordinated to the compatibility of the worker’s tasks being carried out remotely.

The Court also acknowledged that the ways in which the employer exercised its power to organise the company appeared real and appropriate and that the possibility of working remotely, albeit partially, was never denied but rather partially granted following a balancing and re-evaluation of the parties’ mutual needs.

◊◊◊◊

In conclusion, it can be said that the assessment of the compatibility of remote working by vulnerable workers must be carried out on the basis of the organisational and production needs of the concerned organisation, involving, where necessary, an inevitable need to alternate between days in which the worker must work in-person and days when he/she can work remotely. This reading, among others, is consistent with the provisions of Article 18 of Italian Law no. 81/2017 which, in defining remote working, provides for that work should be provided “partly inside company premises and partly outside”.

Other related insights:

• DID YOU KNOW THAT… New extensions on remote working have been approved? – De Luca & Partners (delucapartners.it)
• Remote Working and jurisdiction – there must be objective connection with the company – De Luca & Partners (delucapartners.it)

On 4 May 2023, Italian Decree Law No 48/2023 (the ‘Employment Decree’ (‘Decreto Lavoro’)) containing ‘Urgent measures for social inclusion and access to the workplace’ was published in the Italian Official Gazette.

The Decree introduced important initiatives on employment law, social security and social assistance, with effect from 5 May 2023.

One of the main initiatives in the employment law field are changes to the permitted reasons for fixed-term employment contracts, with a strengthening of the role of collective bargaining.

The permitted reasons justifying a fixed-term contract of between 12 and 24 months, the extension for more than 12 months, or the renewal of a fixed-term contract are exclusively those provided for by the collective agreements concluded by the associations comparatively more representative at national level, or in the absence of such provisions and until 30 April 2024, the individual parties, for technical, organisational and production needs.

The Decree also simplifies the employer’s information obligations introduced by the ‘Transparency Decree’.

In contrast to the past, some of the information that the employer was required to provide in the employment contract or in a specific information notice can now be provided to employees simply by referring to the relevant legislation or collective bargaining agreement,  which may also be the company’s bargaining agreement, applied to the employment relationship. This information relates to, for example, probationary period duration, training, paid holidays and leave, notice of dismissal and resignation, salary components, working hours, overtime, social security and insurance institutions.

To simplify the obligation, and to ensure uniformity in the employer’s communications, the employer will be required to deliver or make available to staff, including through publication on the website, national, regional and company collective bargaining agreements, as well as any company regulations applicable to the employment relationship. 

The employer’s information obligations on the use of automated decision-making and monitoring systems have also been reduced, thus further simplifying these information obligations.

Further measures introduced by the Decree concern:

• amendment to the health and safety at work regulations, with particular reference to the appointment obligations and the obligations to be fulfilled by the occupational doctor for the issue of the fitness for work certificate, as well as the introduction of further employer training obligations in the event of use of equipment that requires special knowledge;
• the possibility for companies with more than 1,000 employees that have signed group expansion contracts by 31 December 2022 and that are not yet concluded, to enter into a supplementary agreement at ministerial level until 31 December 2023;
• the possibility of requesting a further Extraordinary Wage Guarantee Fund (Cassa Integrazione Guadagni Straordinaria, ‘CIGS’) period, until 31 December 2023, by way of derogation from the maximum duration limits, for companies that, in 2022, have activated a reorganisation and restructuring plan and that, due to the prolonged unavailability of company premises, have not been able to complete them.

The Decree also provided a series of measures relating to social security and assistance, aimed above all at supporting youth employment, promoting the permanent integration into the labour market of beneficiaries of the Inclusion Allowance and reducing the ‘tax wedge’ (cuneo fiscale).

Other related insights:
Transparency Decree: new obligations for the employer

As is well known, on 23 February 2023 the European Commission requested its employees and collaborators to uninstall the TikTok social network application from their business and personal electronic devices. This request was accompanied by the notice that, for those who had not uninstalled the social network by 15 March, it would no longer be possible to access other company applications such as the e-mail box or Skype services.
The decision taken by the European entity derives from a need to protect the data and information of those who work for it as well as from the need to increase IT security.

Could a private sector employer in Italy take the same decision?
In an attempt to provide an answer to this complex question, it is first of all necessary to distinguish between business and personal devices. If electronic tools, including mobile phones, are provided by the employer they are company equipment and, as such, the employer has the ability to implement a certain level of ‘control’ over them.

In fact, through the identification and adoption of internal policies defining rules for the correct use of the work tools with which its employees are equipped, the employer may introduce rules to prevent the improper use of the assigned tool and prohibit its use for personal purposes rather than prohibiting the installation of applications not connected to work activities on the device.

In the event of assignment of company tools, it is therefore highly recommended to implement internal policies and regulations that govern their correct use by assignees. In fact these aspects have across-the-board consequences related to the management of the employment relationship. Just think, for example, of topics relating to (i) employment law which also include aspects relating to disciplinary sanctions that can be adopted in the event of a breach of company rules as well as the correct exercise of control powers by the employer, (ii) the protection of personal data, both of the employees themselves and of the data they process due to their duties as well as (iii) health and safety and the risks to which the employees who use them could be exposed.

However, different conclusions can be reached on the subject of personal devices. Since these are, in fact, the employee’s own tools, the employer can limit, or even possibly exclude, the use of personal mobile phones during the workday without, however, entering into the merits of what can or cannot be installed on them.

Lastly, the use of electronic instruments, whether personal or business, exposes corporate assets to the risk of accidental loss, theft and dissemination. Therefore, employers must take care to adopt all appropriate measures to ensure sufficiently high levels of safety in full compliance with all applicable regulations in such circumstances.

On the basis of the considerations set out above, which in any case merit further investigation, it does not appear possible for an Italian employer to intervene directly on the personal electronic devices of its employees in the same way as the European Commission. However, defining, adopting and updating policies over time that regulate the use of work tools or the use of personal devices – during, for example, rest times during the working day – appears to be a fundamental measure that companies should consider in the broader definition of the strategic plan for the protection of both corporate assets and the parties that make up the reference organisation.

By judgement no. 15644 of 23 November 2022, the Administrative Court of Lazio clarified, among other things, that the employer is the only person entitled to install audiovisual systems that may enable remote control of the workers’ activity. The case originated from the request of a company providing transport services for others, which, according to the contract stipulated, should have installed video recording systems on its vehicles and make the images available to the client. Systems so devised, the decision states, would have been controlled by persons other than the employer, in contrast with the provisions of the applicable legislation.  The Court notes that the reasons that justify the installation of the tools required to achieve such purposes, as indicated by Art. 4 of Law no. 300/1970 (the “Workers’ Charter”), i.e., (i) the protection of the company’s assets, (ii) the purpose of security and safety of personnel and (iii) the proper compliance with organisational and production needs, the Court notes, can only be referred to the employer.