With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.

The document was issued following investigations carried out by the Italian DPA during which it emerged that there was a risk that computer programmes and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of e-mail accounts in use by employees, retaining them for an extended period of time. “Metadata” means information such as, for example, the day, time, sender, recipient, subject and size of the e-mail.

To ensure compliance with data protection legislation as well as the sector regulations on remote control – as is well known, governed by Article 4 of Italian Law no. 300/1970 (the “Workers’ Charter”), employers must:

• verify that the computer programs and services for e-mail management allow the basic settings to be changed, preventing the collection of metadata or limiting the retention period to a maximum of seven days, which can be extended by a further 48 hours under specific conditions;
• alternatively, carry out the guarantee procedures provided for in Article 4 of the Workers’ Charter, i.e. sign a trade union agreement or obtain an authorisation from the National or Area Labour Inspectorate. This is because extending the retention period beyond the seven/nine day time frame may lead to indirect remote control of the worker’s activity;
• in any event, the necessary transparency must be ensured in relation to workers, providing them in advance with specific information on the processing of personal data.

In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.

In the absence of this, there is considered to be remote control of worker’s activities which may also have criminal consequences, in addition to breach of the personal data protection legislation with the following consequences; (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of limitation of retention, and (iii) breach of the principles of data protection by design and by default as well as the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used. ​

Other related insights:

• Italian Court of Cassation: Defence checks on employee’s company e-mail
• Controls: company information found on former employee’s company PC can be used

Among the topics we explored at our Team Meeting this week was the area of employer checks carried out through investigative agencies, analysing Court of Cassation judgment of 11 October 2023, no. 28378. In that case a dismissal based on evidence collected by a private investigator who had not been indicated by name in the appointment document was declared null and void.

If you would like to learn more about this topic, contact us or request our slides here.

With Ruling of 14 September 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA’) found that the processing of data carried out by a company appointed to read gas, electricity and water meters (the ‘Company’) was unlawful, confirming that the employer has an obligation to provide a full response to requests to exercise the right of access, including by communicating geolocation data.

The facts of the case

The case arose from a complaint submitted to the DPA by three Company employees who had not received a satisfactory response to a request for access to their personal data collected through the company’s smartphone, on which a geolocation system had been installed that allowed workers to identify the route to take to reach the meters to be dealt with.

In particular, the employees asked for the information used to process mileage reimbursements and the monthly hourly wage, as well as the procedure for establishing the remuneration due to verify the accuracy of their pay slip.

The DPA, during the preliminary investigation, found that the Company had not provided an adequate response to the three workers’ request, despite the fact that the request was clear and detailed. In fact, it had not provided the employees with the data processed through the GPS system, but had limited itself to indicating the methods and purposes for which they were processed and to providing the privacy policy already signed by the concerned workers.

The outcome of the preliminary investigation

At the outcome of the preliminary investigation, the DPA found that the Company, in its capacity as Controller, carried out the processing in breach of:

• Article 15 of Regulation (EU) 2016/679 (the ‘GDPR’), for failing to provide, including through the attached documentation, a complete and exhaustive response with respect to what was requested through the requests. The exercise of the right of “access to personal data” must, in fact, allow effective access to any personal data processed, which is not a general description of the same, nor a mere reference to the categories of personal data processed by the controller (as also specified in “Guidelines 01/2022” on Data Subject Rights (EDPB, 28 March 2023).

The Company should have provided all the data collected through the geolocation system, responding to the specific requests received from the three complainants;

• Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;

• Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The data subject’s right of access to his or her own data cannot be considered to be satisfied by mere reference to what is contained in the information notice, without any reference to the processing actually carried out.

The DPA’s decision

At the outcome of the preliminary investigation, the DPA clarified that, since the Company processed, among other things, data relating to the geolocation of smartphones provided to employees for the performance of their work, such processing “indirectly provided the geolocation of the complainants themselves”: for this reason, the Company should have provided a complete and exhaustive response to the requests to exercise the right of access, indicating, in particular, the data relating to the employees’ geolocation or explaining the reasons for any failure to comply with the requests received.

In light of all the above, the DPA fined the Company EUR 20,000, and also ordered the publication of the Ruling on its website.

Other related insights:

• European Court rules that employee tracking through company car geolocator is lawful (Norme e Tributi Plus Diritto, 23 January 2023 – Alberto De Luca, Claudia Cerbone)
• Italian Data Protection Authority: employee has right to access report of investigative agency appointed by employer

With Ruling dated 6 July 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA’) found that data processing carried out by a public utility service company (the “Company”) was unlawful. The DPA ruled that an employer has an obligation to allow a worker to access all his or her personal data, including data contained in a report produced by an investigative agency appointed by the employer to collect information about the worker and used by the Company for disciplinary purposes.

The facts

The matter originates from a complaint submitted to the DPA by an employee who did not receive a full response to multiple requests for access to his personal data submitted to the employer Company after receiving a disciplinary complaint. The disciplinary complaint was followed by the dismissal of the worker, and contained “specific references” to conduct unrelated to the actual work activity and which therefore suggested potential monitoring “contrary to the regulations in force (condotta non iure) and detrimental to the personal legal status of others protected by law (condotta contra ius) and, consequently leading to data collected being unusable”.

The Company justified the denial of access to the personal data processed by arguing that the requests presented by the worker were too general and that he should have indicated in detail the information he wanted to access.

Furthermore, it emerged that the employee only learned of the existence and content of the investigative report when the Company entered an appearance in the proceedings appealing the dismissal before the competent judicial authorities.

The outcome of the preliminary investigation

At the time of the investigation, the DPA found that the Company, in its capacity as data Controller, carried out processing in breach of:

• Article 15 of Regulation (EU) 2016/679 (the “GDPR”), as it made the response to the access request presented by the worker conditional on the detailed indication of the documents and information he wanted to access. The request to exercise the right of access, a right recognised to all data subjects in relation to the processing of personal data by the article in question, must be understood in general terms, including all personal data concerning the data subject, as also specified in the “Guidelines 01/2022” on Data Subject Rights (EDPB, 28 March 2023). Furthermore, the DPA reiterates that, if the data are not collected directly from the data subject, the data Controller must indicate their origin.

In this case, the Company should have provided all the data collected with the investigative report, considering that it also contained information relating to the worker but which had not been mentioned in the disciplinary complaint;

• Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;

• Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The Company, in the response provided to the worker, had not in fact specified the origin of the personal data used for the disciplinary complaint.

The DPA’s decision

For all the reasons set out above, the DPA found the processing carried out by the Company in relation to Articles 5, paragraph 1, letter (a), 12 and 15 of the GDPR to be unlawful. It reiterated that “unless otherwise explicitly requested by the data subject, the request to exercise the right of access is understood in general terms, including all personal data concerning them”. The DPA therefore, ordered the employer Company to pay an administrative fine of EUR 10,000 and also ordered the publication of the Ruling on its website.

Other related insights:

• Ascertainment of breaches of discipline by private detectives
• The right to have access to the records throughout the disciplinary procedure

The National Labour Inspectorate (Ispettorato Nazionale del Lavoro, ‘INL’), in note No 2572 of 14 April 2023, provided operational guidelines for the issuance of authorisations for video surveillance systems and instruments which enable remote control of workers within the meaning of Article 4 of the Workers’ Charter (Italian Law No 300/1970). As set out in the operational note, the guidelines are based on application experience and operational problems that have emerged over time, including in the light of the technological evolution of the instruments that can be adopted, while also taking into account the guidelines of the Italian Data Protection Authority (Garante per la protezione dei dati personali).

The INL has, among other things, specified that:

• the installation of an audio-visual system or other instruments which may enable remote control of workers must necessarily and as a priority be preceded by a collective agreement with the workplace unions (Rappresentanza Sindacale Aziendale/Rappresentanza Sindacale Unitaria, ‘RSA/RSU’). The authorisation procedure, in fact, appears to be only contingent and subsequent to failure to agree with the unions and is conditional on proving the absence of the RSA/RSU;
• the installation of such instruments cannot be justified by any consent, even informed consent, of the individual workers concerned. In this case, installation would not only be unlawful but also criminally sanctioned;
• undertakings with several production units located within the competence of the same INL area office may submit only one authorisation application;
• companies located in several provinces, as an alternative to concluding individual agreements with the RSA/RSU, may conclude a single agreement with the trade unions that are comparatively more representative at national level;
• Article 4 of Italian Law No 300/1970 applies to companies where there are workers: (i) in the case of establishing a new company that at the time of the application has no workers but plans to employ staff as soon as the business activity starts, it may submit the authorisation application indicating the number of workers that there will be when the activity starts; (ii) in the event that a company already in operation with a plant legitimately installed and functioning but without workers, intends to employ personnel, it may submit an application but must – at the same time – certify the decommissioning of the plant, which will be put into operation only after the authorisation measure, if any.

The note also clarifies how geolocalisation systems can be used. The INL, expressly referring to the conclusions that the Italian Data Protection Authority has over time provided on the subject, refers to the Authority’s requirements for the configuration of these systems. The systems, in fact, must:

• exclude continuous monitoring of the worker;
• allow authorised persons to view the location only when strictly necessary in relation to the purposes pursued;
• allow the device to be deactivated during breaks and outside working hours;
• process by pseudonymising personal data;
• provide for the storage of collected data only when necessary and with retention times proportionate to the purposes pursued.

The INL also clarifies that the procedure imposed by Article 4 of Law No 300/1970 also applies to the types of work to which the protections given to subordinate employment relationships are extended by law. This includes collaborations that take the form of predominantly personal, continuous services organised through an employer (etero organizzate), even if organised through platforms, including digital ones.

Other related insights:
Video surveillance: the repetition of the procedure following a change in the ownership structure is unnecessary

Video surveillance: note of the Ministry of Labour no. 1241 dated 1 June 2016