Recently, the Italian Data Protection Authority (Autorità Garante) has returned to the issue of the use of biometric data in the context of managing employment relationships. “As things stand, current law does not allow the processing of employees’ biometric data for purposes of timekeeping”. This was reiterated by the IDPA in a ruling of 6 June 2024, in which it fined the employer, a dealership, EUR 120,000 for, among other things, unlawfully processing its employees’ biometric data.
The IDPA intervened following a complaint from an employee, who alleged:
With reference to the first ground of complaint, namely the processing of biometric data, the IDPA has again clarified that employers may not use biometric data. The current position is that there is no legal provision for the use of biometric data for attendance tracking, and at this point it should be remembered that even employee consent cannot be considered a suitable prerequisite for lawfulness. This is because of the asymmetry between the respective parties to the employment relationship.
On the other hand, with reference to the second ground of the complaint, the IDPA found that the company, through management software, had been collecting personal data related to the activities of employees for more than six years to prepare monthly reports to be sent to the parent company, containing aggregate data on the time spent by the workshops on the work performed. This activity had always been carried out without a proper legal basis and adequate disclosure, which, in the context of the employment relationship, are expressions of the principles of fairness and transparency.
It is worth mentioning that the latter activity could, among others, involve indirect remote monitoring of workers’ activities, which, as such, would require compliance with the safeguards provided by Article 4 of the Italian Workers’ Charter i.e., signing a union agreement or, failing that, obtaining authorisation from the National or Regional Labour Inspectorate.
Other related insights:
The Italian Data Protection Authority (‘IDPA’) recently returned to the issue of corporate email metadata retention by the employer. The order of 6 June 2024, entitled “Computer programs and services for the management of e-mail in the workplace and processing of metadata”, extends the retention period for metadata from 7 to 21 days. This new decision, no. 364 of 6 June 2024, arrives several weeks after the publication of a first version of the guidance document on metadata retention, which had given rise to confusion and discussions among professionals to the point of leading the IDPA to start a public consultation.
First of all, however, it is necessary to clarify the definition of “metadata”. This term does not mean information contained in the “body” of the email but rather the information relating to the sending, receiving and sorting the messages. This may include the email addresses of the sender and of the recipient, the IP addresses of the servers or clients involved in the routing of the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, depending on the email management system used, may also include the subject of the message sent or received.
As mentioned above, the IDPA’s guidelines have extended the retention period to 21 days, a time period which is, in any event, to be considered indicative.
Metadata retention beyond this time frame is only permitted if particular conditions making the extension necessary are satisfied and adequately proven.
Continue reading the full version at Economy Magazine.
“Ethical codes, management and control models, and sustainability certifications are meaningless when, for the sake of achieving the highest profit at the lowest possible cost, a production system is allowed to be created down the chain that is based on production with an exploited workforce”.
This is the conclusion of the Public Prosecutor at the Milan Prosecutor’s Office in his final considerations presented to the Court of Milan following investigations carried out by that office for the crime of unlawful intermediation and exploitation of labour in the supply chain of a well-known company operating in the fashion sector.
As a result of the investigations carried out, it emerged that the company used a work contract to appoint third-party companies to carry out the entire production process. However, these third parties only provided sampling of materials. The third-party companies, in turn, outsourced the actual production of the entire line to sub-suppliers who employed unlawful, non-EU labour, in breach of the regulations on occupational health and safety, working hours and minimum wages, all of which are indicators of serious exploitation of labour which however allowed costs to be reduced.
In light of all this, with a decree of 3 April 2024, the Court of Milan ordered, as a preventive and non-sanctioning measure, the judicial administration of the client company for a period of one year. Although it did not directly carry out the unlawful conduct, the Court found that the company never effectively monitored the production chain, “by verifying the real business capacity of the companies with which it entered into supply contracts and the actual production methods adopted by them, and that it had remained inactive even when it became aware of the outsourcing of production by the supplying companies and had failed to take any action”.
With the same decree, the Court ordered, among other things, that the judicial administration examine the structure of the company with particular reference to the organisation and management model drawn up under Italian Legislative Decree no. 231/2001 and specifically the provisions regulating the relationship with suppliers and production chain audits.
◊◊◊◊
In conclusion, also in the light of recent events, it is becoming increasingly evident how effective implementation of an Organisation and Management Model allows the company to not only achieve continued improvement in performance but also to comply with the applicable legal requirements. In addition, effective implementation inevitably entails the adoption of Models that are adapted to the company’s business and that prevent the risk of committing a criminal offence.
Although the adoption of Organisation and Management Models is ultimately discretionary, it is now obvious that they are tools that allow the company, on the one hand, to prevent the commission of offences and, on the other, to limit (if not exclude) its liability, avoiding serious consequences in terms of sanctions, financial repercussions and reputational damage.
Other related insights:
With order no. 364 of 6 June 2024 called “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the IDPA has returned to the topic of company e-mail metadata retention.
“Metadata” does not mean information contained in the “body” of the email but rather the information relating to the sending, receiving and sorting the messages. This may include the email addresses of the sender and of the recipient, the IP addresses of the servers or clients involved in the routing of the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, depending on the email management system used, may also include the subject of the message sent or received.
With respect to the IDPA’s guidelines before the public consultation, the guidelines of 6 June 2019 extended the retention period to 21 days.
This retention period is merely “indicative”.
Retention for longer is only permitted if specific conditions that make the extension necessary are satisfied and are adequately proven.
Applying the principle of accountability, it is therefore up to each employer to adopt all technical and organisational measures to ensure compliance with the principle of purpose limitation, selective accessibility by only authorised and adequately trained individuals and the tracking of access carried out.
These requirements must be met while keeping in mind that generalised metadata collection and retention can lead to indirect remote control of workers’ activities and, in this case, the safeguards provided for by Article 4 of the Workers’ Charter apply i.e., it is necessary to enter into a union agreement or, failing that, obtain authorisation from the National or Local Labour Inspectorate.
Please contact our Privacy Focus Team for further information.
Data has become the new oil and its role is likely to grow further as digital becomes more central to our lives. This has important implications for privacy, as Vittorio De Luca, founder of the law firm De Luca & Partners, points out. “the EU legislator has intervened significantly in this area over the last few years. However, at corporate level the position is divided into companies that have implemented and structured real internal compliance models and over time have managed to change the culture and sensitivity of all those who make up the organisation, while others continue to consider data protection as a company cost rather than an investment”, he points out.
Personal data protection legislation and employment law are now closely linked, not only with regard to the processing of human resources data. “Increasingly, we are assisting companies in how to correctly manage requests for access to documents and personal files that are – legitimately – submitted by employees as part of disciplinary proceedings against them”, he points out. “In addition to the consequences on the employment law front, a data subject (in this case, the worker) has always the right to make a report to the Italian Data Protection Authority”, explains Mr De Luca.
Continue reading the full version published in La Repubblica.
Other related insights: