“Violates the employer’s directives (even if implicit, but clear) the employee who, although in a hierarchically superior position to the holder of the access credentials to a company’s IT system, has them revealed in order to gain access without specific authorization: the protection of data through access credentials alone is sufficient to make such directives clear”. This has been established by the Supreme Court of Italy, Criminal Section V, no. 40295/2024.
An employee of a hotel in Chianciano Terme (Italy) had requested from another employee, directly subordinate to him, the access keys to the company’s IT system for the storage and promotional purposes of the customer database, which included about 90,000 individual records, accessing it for purposes unrelated to the mandate received. In the first two levels of judgment, was established the commission of the crime of «Unauthorized access to an IT or telematic system», under Article 615-ter, paragraph 1, of the Italian Penal Code.
The employee appealed to the Italian Supreme Court, claiming that it was not an abuse access, both because he had the power «in his capacity as director and superior manager of the employee» from whom he had requested for the credentials, «also for the purpose of supervising her work» and because until shortly before, he had a personal and direct access to those data.
The Supreme Court of Italy ruled that the offence of unauthorized access to IT systems (under Article 615-ter, paragraph 1, of the Italian Penal Code) also occurs in the case of a hierarchical superior using the access credentials provided by the employee.
The judges of the Italian Supreme Court did not find convincing the appellant’s argument that relied on his power to access any company location in order to carry out checks on those hierarchically subordinate to him. In the case of an IT system protected by credentials, the Court pointed out that «each authorized person has his/her own ‘key’ (i.e., the access credentials)». «This is because it is data which, quite simply, the owner considers should be protected, both by limiting access to those who are provided with such credentials and, at the same time, by ensuring that a digital trace is left of the individual access and of who carries them out ».
It is therefore incorrect to hold that the defendant «solely by virtue of his duties, automatically had the power to access data that, on the other hand, according to the employer’s discretionary assessment, were to remain available only to certain employees (even if subordinate to the appellant) »
Moreover, by doing so, the appellant made it «falsely appear that the access had been made by the employee who, imprudently, had revealed her credentials to him».
Other related insights:
Do you know that if you receive an email from an employee of your organization requesting you to update his or her bank details and informing you of the new bank account (IBAN) on which to credit their next salaries, it could be a fraud?
Some cyber criminals, by setting up a fake employee mailbox or directly hacking into an employee’s company mailbox, are increasingly sending fake messages to HR managers informing them that they have changed their bank account (IBAN). Reporting the new bank details, which are obviously controlled by the fraudster, they request that future salaries be accredited there.
How to protect your organization?
But that is not all. Please consider that improper processing of personal information exposes an organization to the risk of incurring one or more of the breaches set out in the privacy regulations.
Continue reading the full version published in Norme e Tributi Plus Lavoro del Il Sole 24 Ore.
Compliance, Agency Contracts, and Privacy Management: A Growing Complexity
The law firm De Luca & Partners and HR Capital have recently highlighted significant issues in strategic areas such as contract management, regulatory compliance, and data protection. These areas, critical for Italian companies, are confronted with evolving regulations that demand increasing attention to avoid economic and reputational consequences.
A recent ruling by the Court of Rome reclassified the commercial collaboration agreements between a company and certain influencers—entrusted with promoting the company’s products through social media channels—as agency contracts. As a result, the company was ordered to pay the omitted contributions to Enasarco following the reclassification.
The reclassification of commercial contracts as agency contracts may also entail a significant economic impact for companies, including the obligation to pay the influencer/agent an end-of-contract indemnity, typically calculated based on the average annual compensation earned by the influencer/agent over the past five years. In light of this, companies would be well-advised to update their financial statements with targeted provisions and properly classify existing contracts to address any irregularities.
However, according to the firm’s name partners, Vincenzo De Luca and Vittorio De Luca, many companies have yet to grasp the urgency of adequately regulating contractual relationships.
Compliance with the genuineness requirements for subcontracting agreements is now under close scrutiny by authorities. The legislator has recently tightened the consequences for both clients and contractors in cases of “non-genuine” subcontracting, where irregular labor provision occurs, introducing criminal penalties as well.
To be deemed compliant, a subcontract must meet three key criteria:
The reintroduction of criminal penalties in March 2024 adds further pressure on companies to ensure the transparency and independence of subcontracting relationships.
As of October 1, 2024, the new “Credit License” system has come into force, requiring a series of formalities for those operating on construction sites or significant engineering projects within Italy. This certification, which includes documents such as the DURC (certification of compliance with social security contributions) and the DURF (tax compliance certification), is essential for compliance with workplace health and safety regulations.
Foreign companies operating in Italy must also meet these requirements unless they hold an equivalent certification issued by their home country. Lawyer Vittorio De Luca explains that the “Credit License” applies to foreign companies involved in real estate and infrastructure projects or in data center installations.
Privacy and personal data management have become critical focal points for Italian companies, particularly given the stringent penalties for GDPR violations, which can reach up to 4% of the global annual turnover.
Dr. Martina De Angeli notes that recent investigations by the Milan Public Prosecutor’s Office have revealed that weak IT security systems can lead to unauthorized intrusions with severe consequences. In addition to reporting any data breach within 72 hours—a very short timeframe from an operational perspective—companies must constantly monitor their systems, train staff, and implement continuous control and monitoring processes.
Continue reading the full version published on Global Legal Chronicle Italia
The revelations from the investigation conducted by the Milan Prosecutor’s Office and the investigative unit of the Carabinieri of Varese—exposing unlawful activities involving the acquisition of confidential, sensitive, and personal information—have dominated Italy’s political and public debate in recent hours. These developments call for serious reflection.
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has responded by establishing an interdepartmental task force to promptly identify appropriate actions and implement stronger protections for databases. This task force aims, among other objectives, to define adequate technical and organizational security measures for database access by authorized personnel, as well as for the operations performed by those responsible for their management and maintenance.
As we await further updates, here’s what companies need to know and do in similar situations:
It is essential to emphasize that, if a data breach has occurred, pre-existing measures were insufficient and must be reassessed and enhanced. This is a fundamental goal of the Data Breach procedure.
As highlighted earlier, recent developments should prompt reflection. Information and data are increasingly valuable assets, and ensuring their technical and organizational security is a critical priority for businesses. Companies must view investments in advanced, continually updated security measures as vital, not optional. These efforts ultimately benefit business performance and corporate reputation.
Press Review:
“The employer cannot access the employee’s or collaborator’s e-mail or use software to store a copy of the messages. Such processing of personal data not only constitutes a breach of the data protection laws but also amounts to an unlawful control activity over the employee”.
This has been stated by the Italian Data Protection Authority, which sanctioned a company with a fine of EUR 80,000, with decision no. 472 of 17 July 2024, published in the institutional newsletter published on 22 October 2024.
The case originated from a complaint submitted to the Authority by a former collaborator of a company, who reported that the company had maintained his email account active and accessible even after the termination of his collaboration.
The investigation revealed that the company had commissioned a forensic engineering firm to investigate the contents of the collaborator’s email using the “Mail Store” application installed on company’s laptops. During the collaboration, the company had backed up the email inbox and had retained both the content and access logs for the mailbox and the management system. The e-mails collected through the application had then been used in a legal proceeding brought against the complainant before the Court of Venice.
Furthermore, the company, based on the document titled “Equipment used by the worker to perform work activities and tools for recording access and attendance – modalities and limits of use”, attached to the notice given to the complainant as a collaborator and directed at the company’s employees, processed data from corporate e-mail accounts in violation of data protection regulations. The document informed that the company could access the emails of employees and collaborators for the purposes of business continuity, in case of absence or termination of the relationship, but did not mention the backup process or the corresponding retention period.
The Authority stated that the systematic retention of e-mails – in this case, communications were stored for three years following the termination of the collaboration – and the systematic retention of access logs for the e-mail and management system used by the employees were not compliant with the applicable laws. The retention was deemed disproportionate and unnecessary for achieving the company’s stated purposes of ensuring the security of the IT network and the continuity of the company’s business activities.
This also allowed the company to reconstruct the complainant’s activities in detail. The Authority noted that “even if, hypothetically, such processing were aimed at achieving one of the purposes explicitly indicated in Article 4, (1), of Law no. 300/1970, it appears that the company did not activate the guarantee procedure provided therein (agreement with the workers’ representatives or, failing that, authorization by the Labor Inspectorate)”.
Lastly, as far as the use of the data in a judicial context is concerned, the Authority recalled that processing carried out by accessing an employee’s e-mail judicial protection purposes refers to disputes already in progress and not to abstract and indeterminate hypotheses of protection, as in the case under review.
