“The employer cannot access the employee’s or collaborator’s e-mail or use software to store a copy of the messages. Such processing of personal data not only constitutes a breach of the data protection laws but also amounts to an unlawful control activity over the employee”.

This was stated by the Italian Data Protection Authority, which fined a company EUR 80,000 with decision no. 472 of 17 July 2024, published in the Authority’s newsletter of 22 October 2024.

The facts 

The case originated from a complaint submitted to the Authority by a former collaborator of a company, who reported that the company had maintained his email account active and accessible even after the termination of his collaboration. 

The investigation revealed that the company had commissioned a forensic engineering firm to examine the contents of the collaborator’s e-mail using the “Mail Store” application installed on the company’s laptops. During the collaboration, the company had backed up the mailbox and had retained both its contents and the access logs for the mailbox and the management system. The e-mails collected through the application were then used in legal proceedings brought against the complainant before the Court of Venice.

Furthermore, the company had relied on a document titled “Equipment used by the worker to perform work activities and tools for recording access and attendance – modalities and limits of use”, which was attached to the notice given to the complainant as a collaborator and was addressed to the company’s employees, and had processed data from corporate e-mail accounts in violation of data protection regulations. The document stated that the company could access the e-mails of employees and collaborators for business continuity purposes, in case of absence or termination of the relationship, but did not mention the backup process or the corresponding retention period.

The position of the Italian Data Protection Authority 

The Authority stated that the systematic retention of e-mails – in this case, communications were stored for three years following the termination of the collaboration – and the systematic retention of access logs for the e-mail and management system used by the employees were not compliant with the applicable laws. The retention was deemed disproportionate and unnecessary for achieving the company’s stated purposes of ensuring the security of the IT network and the continuity of the company’s business activities. 

This also allowed the company to reconstruct the complainant’s activities in detail. The Authority noted that “even if, hypothetically, such processing were aimed at achieving one of the purposes explicitly indicated in Article 4, (1), of Law no. 300/1970, it appears that the company did not activate the guarantee procedure provided therein (agreement with the workers’ representatives or, failing that, authorization by the Labor Inspectorate)”. 

Lastly, as regards the use of the data in judicial proceedings, the Authority recalled that processing carried out by accessing an employee’s e-mail for the purpose of judicial protection refers to disputes already in progress, and not to abstract and indeterminate hypotheses of protection, as in the case under review.

Other related insights:

The Court of First Instance of Udine (Labour Section, order no. 504 of 2 August 2024) declared lawful the suspension from work and pay imposed by a company on an employee who had refused to sign the letter appointing him as a person authorised to process personal data under the applicable data protection law (please also refer to Ntpluslavoro of 26 September).

The Court of First Instance held that, as a result of a circumstance brought about by the employee’s own choice and, in any event, beyond the company’s control, the company found itself obliged to suspend the employee’s services and pay. Had it not done so, it would have breached the safeguards laid down by data protection legislation and would inevitably have exposed itself to the sanctions provided for.

The consequences of rejection

The employer entrusts the employee not only with adequate resources and tools to ensure the correct processing of personal data, but also with the responsibility to process such data with confidentiality, fairness and diligence. While it is true that the appointment of an authorised person is unilateral in nature, since it is an act issued by the employer, it is equally true that the employee’s failure to accept it has consequences for the management of the employment relationship, which are felt at several levels:

  • breach of the general duty of loyalty and fairness in the execution of the work relationship,
  • breach of contractual obligations,
  • conduct amounting to disciplinary misconduct.

Also on the basis of these considerations, the Court of Udine held that the refusal to accept the appointment as an authorised person was sufficient to justify the disciplinary measure of suspension from service and pay.

The case inevitably raises the question of what the effects and consequences are, or could be, for an employer faced with an employee who does not accept the appointment as a person authorised to process personal data, or who even expresses the intention to withdraw a previously given acceptance.

For the sake of completeness, it is worth briefly noting that the question does not arise if the tasks assigned to an employee do not involve the processing of personal data. In the opinion of the author, this is so for two reasons. On the one hand, it would be illogical and unnecessary to authorise and instruct an employee who does not process personal data in the course of his or her work. Article 29 of Regulation (EU) 2016/679 (the GDPR) and Article 2-quaterdecies of Italian Legislative Decree no. 196/2003 provide that it is those who have “access to personal data”, and not those who carry out no processing operations, who must be instructed. On the other hand, the refusal of someone who does not have access to personal data does not affect the performance of their daily work. Therefore, in the latter case, no conduct of potential disciplinary relevance would be identified.

Please continue reading the full version published in Norme e Tributi Plus Lavoro of Il Sole 24 Ore.

Recently, the Italian Data Protection Authority (Autorità Garante) has returned to the issue of the use of biometric data in the context of managing employment relationships. “As things stand, current law does not allow the processing of employees’ biometric data for purposes of timekeeping”. This was reiterated by the IDPA in a ruling of 6 June 2024, in which it fined the employer, a dealership, EUR 120,000 for, among other things, unlawfully processing its employees’ biometric data.

The IDPA intervened following a complaint from an employee, who alleged:

  • the unlawful processing of personal data through a biometric system installed at the employer company’s two production units and
  • the use of management software with which each employee was required to record repair work performed on assigned vehicles, the time and manner in which the work was performed, and downtime with specific reasons.

With reference to the first ground of complaint, namely the processing of biometric data, the IDPA again clarified that employers may not use biometric data for this purpose. The current position is that there is no legal provision allowing the use of biometric data for attendance tracking, and it should be remembered that even employee consent cannot be considered a valid basis for lawfulness, because of the asymmetry between the parties to the employment relationship.

With reference to the second ground of complaint, the IDPA found that the company, through the management software, had for more than six years been collecting personal data relating to the activities of employees in order to prepare monthly reports for the parent company containing aggregate data on the time spent by the workshops on the work performed. This activity had always been carried out without a proper legal basis and without an adequate information notice, which, in the context of the employment relationship, are expressions of the principles of fairness and transparency.

It is worth mentioning that the latter activity could, among others, involve indirect remote monitoring of workers’ activities, which, as such, would require compliance with the safeguards provided by Article 4 of the Italian Workers’ Charter i.e., signing a union agreement or, failing that, obtaining authorisation from the National or Regional Labour Inspectorate.

Other related insights:

The Italian Data Protection Authority (‘IDPA’) recently returned to the issue of corporate email metadata retention by the employer. The order of 6 June 2024, entitled “Computer programs and services for the management of e-mail in the workplace and processing of metadata”, extends the retention period for metadata from 7 to 21 days. This new decision, no. 364 of 6 June 2024, arrives several weeks after the publication of a first version of the guidance document on metadata retention, which had given rise to confusion and discussions among professionals to the point of leading the IDPA to start a public consultation.

What is metadata

First of all, however, it is necessary to clarify the definition of “metadata”. The term does not refer to information contained in the “body” of the e-mail but rather to information relating to the sending, receiving and sorting of messages. This may include the e-mail addresses of the sender and of the recipient, the IP addresses of the servers or clients involved in routing the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, depending on the e-mail management system used, the subject of the message sent or received.

As mentioned above, the IDPA’s guidelines have extended the retention period to 21 days, a time period which is, in any event, to be considered indicative.

Metadata retention beyond this time frame is only permitted if particular conditions making the extension necessary are satisfied and adequately proven.
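To make the distinction between metadata and message body concrete, the following is an added example (it is not code from the IDPA, the article or any e-mail product): it parses a constructed raw message, keeps only the header-level fields the article lists as metadata (addresses, relay IP addresses and timestamps, size, attachment presence and size, subject), never copies the body text, and then checks a stored record against a retention window. The 21-day window is taken from the article's description of the order as an indicative limit; the sample message, the hop structure and the `is_within_retention` / `purge_expired` helpers are assumptions made for the illustration.

```python
"""E-mail metadata vs. body, with a 21-day retention check.

Added example, not code from the IDPA or the article. The sample message is
constructed, and the 21-day figure is the indicative limit the order sets.
"""
import email
import re
from datetime import datetime, timedelta
from email import policy
from email.utils import parsedate_to_datetime

RETENTION_DAYS = 21  # indicative limit from order no. 364/2024, per the article

# Constructed sample message with two relay hops and one attachment (not a real capture).
SAMPLE_MESSAGE = b"""\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.com (Postfix) with ESMTPS id ABC123
\tfor <bob@example.com>; Mon, 10 Jun 2024 09:15:02 +0200
Received: from [198.51.100.7] (client.example.org [198.51.100.7])
\tby mail.example.org with ESMTPSA; Mon, 10 Jun 2024 09:14:58 +0200
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: Q2 workshop report
Date: Mon, 10 Jun 2024 09:14:55 +0200
Message-ID: <20240610071455.1@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Bob, the report is attached. Please do not forward it.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJcfsj6IKMSAwIG9iago=
--b1--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_metadata(raw: bytes) -> dict:
    """Collect only the header-level fields the article classes as metadata.

    The body is parsed to find attachments but its text is never stored.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for received in msg.get_all("Received", []):
        # One Received header per relay: "... by <host> ...; <timestamp>"
        route, _, stamp = str(received).rpartition(";")
        hops.append({
            "ips": list(dict.fromkeys(IPV4.findall(route))),  # de-duplicated, in order
            "time": parsedate_to_datetime(stamp.strip()),
        })
    attachments = [
        {"name": part.get_filename(), "size": len(part.get_payload(decode=True) or b"")}
        for part in msg.iter_attachments()
    ]
    return {
        "from": str(msg["From"]),
        "to": [str(h) for h in msg.get_all("To", [])],
        "subject": str(msg["Subject"]),  # only where the mail system exposes it
        "date": msg["Date"].datetime,
        "size": len(raw),
        "hops": hops,
        "attachments": attachments,
    }


def is_within_retention(record: dict, now, days: int = RETENTION_DAYS) -> bool:
    """True while the record is inside the window, measured from the last relay hop.

    `now` may be an aware datetime or an ISO-8601 string with a UTC offset.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    received_at = max((h["time"] for h in record["hops"]), default=record["date"])
    return now - received_at <= timedelta(days=days)


def purge_expired(records: list, now, days: int = RETENTION_DAYS) -> list:
    """Return only the records that may still be kept."""
    return [r for r in records if is_within_retention(r, now, days)]


if __name__ == "__main__":
    meta = extract_metadata(SAMPLE_MESSAGE)
    print(meta["from"], "->", meta["to"], "| hops:", [h["ips"] for h in meta["hops"]])
    print("attachments:", meta["attachments"])
    for when in ("2024-06-28T00:00:00+00:00", "2024-07-05T00:00:00+00:00"):
        print(when, "keep" if is_within_retention(meta, when) else "purge")
```

The retention clock is started from the last relay timestamp rather than the sender-supplied Date header, since the latter is under the sender's control; a longer window, where justified, is passed explicitly as `days` so that any extension is a visible, deliberate configuration rather than a default.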

Continue reading the full version at Economy Magazine.

“Ethical codes, management and control models, and sustainability certifications are meaningless when, for the sake of achieving the highest profit at the lowest possible cost, a production system is allowed to be created down the chain that is based on production with an exploited workforce”.

This is the conclusion of the Public Prosecutor at the Milan Prosecutor’s Office in his final considerations presented to the Court of Milan following investigations carried out by that office for the crime of unlawful intermediation and exploitation of labour in the supply chain of a well-known company operating in the fashion sector.

The investigations revealed that the company had used a work contract to appoint third-party companies to carry out the entire production process. However, those third parties only provided the sampling of materials and in turn outsourced the actual production of the entire line to sub-suppliers, who employed non-EU workers unlawfully and in breach of the rules on occupational health and safety, working hours and minimum wages, all of which are indicators of serious labour exploitation, which nonetheless allowed costs to be reduced.

In light of all this, with a decree of 3 April 2024, the Court of Milan ordered, as a preventive and non-punitive measure, the judicial administration of the client company for a period of one year. Although the company did not directly carry out the unlawful conduct, the Court found that it had never effectively monitored the production chain, “by verifying the real business capacity of the companies with which it entered into supply contracts and the actual production methods adopted by them, and that it had remained inactive even when it became aware of the outsourcing of production by the supplying companies and had failed to take any action”.

With the same decree, the Court ordered, among other things, that the judicial administration examine the structure of the company with particular reference to the organisation and management model drawn up under Italian Legislative Decree no. 231/2001 and specifically the provisions regulating the relationship with suppliers and production chain audits.

◊◊◊◊

In conclusion, also in the light of recent events, it is increasingly evident that the effective implementation of an Organisation and Management Model allows a company not only to achieve continued improvement in performance but also to comply with the applicable legal requirements. Effective implementation inevitably requires Models that are tailored to the company’s business and that prevent the risk of a criminal offence being committed.

Although the adoption of Organisation and Management Models is ultimately discretionary, it is now obvious that they are tools that allow the company, on the one hand, to prevent the commission of offences and, on the other, to limit (if not exclude) its liability, avoiding serious consequences in terms of sanctions, financial repercussions and reputational damage.
