Protection also extends to shareholders, apprentices, the self-employed, and consultants.

Wide-ranging whistleblowing protection.

In addition to their current employees and collaborators, private sector companies must also provide protection to employed workers, apprentices, self-employed workers, freelancers and consultants, volunteers and trainees (including unpaid ones), shareholders, those exercising administrative, management, control, supervisory or representative functions (including if those functions are exercised on a de facto basis) and all persons working under the supervision and direction of contractors, subcontractors and suppliers. This is provided for by Italian Legislative Decree No 24/2023, with which the Italian legislator implemented Directive (EU) 2019/1937 (the so-called Whistleblowing Directive). The provisions will be effective from 15 July 2023, or from 17 December thereafter for companies with an average number of employees of up to 249 as well as for companies that have adopted the organisational model required by Italian Legislative Decree No 231. The purpose of the provision is to oblige companies and other organisations covered by the regulation to activate computer tools to enable the reporting of breaches of regulatory provisions. The legislator, including the EU legislator, intended to protect potential whistleblowers. Protection must also be guaranteed even when the employment relationship has not yet been established, if the information was acquired during the selection process or in any case during the pre-contractual phase, during the probationary period, or after termination of the relationship if the information on possible breaches was acquired during the course of the relationship. The protection measures for whistleblowers are also aimed at ‘facilitators’ (i.e. those who assist the worker in the reporting process), persons who work in the same work context as the whistleblowers and who are related to them by a stable emotional or familial relationship up to the fourth degree, work colleagues of the whistleblower who work in the same work context and who have a long-standing and ongoing relationship, or entities owned by and entities that work in the same context as these persons. Between now and the entry into force of the decree, recipient companies will have to i) identify and approve appropriate procedures to regulate the reporting process, ii) activate the aforementioned computerised reporting channels, iii) implement what is necessary to ensure protection and confidentiality for the reporting parties, and iv) provide for and regulate remedial initiatives in the event of reported breaches. This is without neglecting seemingly insignificant details, such as the finalisation and posting of the disciplinary code, which is often missing, incomplete or inadequately completed.

With an Order dated 11 January 2023, the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed on a company the payment of an administrative fine equal to EUR 5,000 for having kept active, and read the contents of, the email account of a collaborator.

The facts

During some negotiations aimed at defining the acquisition of a cooperative company, a company agreed that a representative of the latter should collaborate, using the name of the purchasing company, in the promotion of a common supplier on the occasion of a trade fair.

A company email account was then activated for the collaborator in order to allow her to communicate with potential customers met at the event.

A few months later, the negotiations between the two companies were interrupted and the complainant requested the deactivation of the email account assigned to her. In order not to lose the contacts of potential new customers collected during the event, the company kept the account active and set up a system for forwarding incoming communications to the sales manager’s email, deactivating the complainant’s email address only after (approximately) six months from activation.

The outcome of the investigation by the Authority

The Authority first of all noted that the company had not complied with its obligation to inform the complainant about the processing of data carried out on her email account, as required by Article 13 of Regulation (EU) 2016/679 (the ‘Regulation’). This obligation, the Authority recalls, also applies in the context of any pre-contractual negotiations as an expression of the principles of fairness and transparency (see Article 5 of the Regulation).

In the present case, the company:

  1. processed personal data in the absence of a legitimation criterion to the extent that it has (i) viewed, without an appropriate legal basis, the correspondence received and sent to the account during collaboration with the complainant and (ii) set up, at the end of the collaboration, an automatic email forwarding system to a different company account;
  2. did not achieve an adequate balancing of ‘the interests at stake’: on the one hand, in fact, the need for the company to continue its economic activities is recognized and on the other, the right to privacy of the data subject (namely the complainant). In this regard, the order reads, ‘the (legitimate) purpose of not losing useful contacts for one’s commercial activity, […], could have been pursued with less invasive processing activities and, therefore, compliant with data protection regulations, with respect to that carried out in the present case’;
  3. did not comply with the obligation to facilitate the exercise of the rights of the data subject, to the extent that it had not provided a suitable response to the request for erasure (the so-called ‘right to be forgotten’) submitted several times by the complainant.

◊◊◊◊

That said, the Authority recalls that: ‘[…] the legitimate interest in processing personal data to defend one’s legal claim [can]not lead to an a priori cancellation of the right to the protection of personal data recognized to the data subjects […]’.

The order in question also recalls a well-established orientation of the Authority according to which an adequate balancing of the interests mentioned in point 2 above is achieved by activating an automatic response system with which the sender is provided with alternative addresses through which to contact the company, as data controller, without accessing incoming communications, as was instead done in the case in question in breach, among others, of the principle of data minimisation (see Article 5 of the Regulation).
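The auto-reply arrangement the Authority describes can be expressed as a small mail-handling routine. The following is an added example, not code from the order or from the company involved: the deactivated address and the alternative contacts are constructed placeholders, and the sample message is constructed. The handler reads only the headers needed to address a reply, never touches the body, never forwards, and applies RFC 3834-style loop protection so that bounces and other automated mail do not trigger endless replies.

```python
"""Auto-reply handling for a deactivated mailbox (added example).

Nothing is stored or forwarded: the sender is told which addresses to use
instead, and the original message is discarded without its body being read.
"""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

DEACTIVATED_ADDRESS = "former.collaborator@example.com"            # assumed placeholder
ALTERNATIVE_CONTACTS = ["sales@example.com", "info@example.com"]   # assumed placeholders

# Constructed sample message, as a sales contact met at a fair might send it.
SAMPLE_MESSAGE = (
    "From: Alice <alice@example.org>\n"
    "To: former.collaborator@example.com\n"
    "Message-ID: <abc123@example.org>\n"
    "Subject: Follow-up from the fair\n"
    "\n"
    "Hello, could you send me your price list?\n"
)


def should_auto_reply(msg) -> bool:
    """Loop protection in the spirit of RFC 3834: never answer automated mail,
    mailing-list traffic or bounces, otherwise two responders can ping-pong."""
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False
    if msg.get("List-Id"):
        return False
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    if not sender:                       # null envelope sender "<>" marks a bounce
        return False
    local_part = sender.split("@", 1)[0].lower()
    return local_part not in {"mailer-daemon", "postmaster", "no-reply", "noreply"}


def handle_incoming(raw_message: str):
    """Return (disposition, auto_reply).

    Only From/Return-Path and Message-ID are read; the body and all other
    headers are never inspected, stored or forwarded, so the original is
    discarded in every case.
    """
    msg = message_from_string(raw_message)
    if not should_auto_reply(msg):
        return "discarded", None

    reply_to = parseaddr(msg.get("From", ""))[1] or parseaddr(msg.get("Return-Path", ""))[1]
    reply = EmailMessage()
    reply["From"] = DEACTIVATED_ADDRESS
    reply["To"] = reply_to
    reply["Subject"] = "This mailbox is no longer in use"
    reply["Auto-Submitted"] = "auto-replied"     # lets other responders skip us
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
    reply.set_content(
        "This address has been deactivated; incoming messages are not read "
        "or forwarded. Please contact the company at: "
        + ", ".join(ALTERNATIVE_CONTACTS)
    )
    return "replied_and_discarded", reply


if __name__ == "__main__":
    disposition, auto_reply = handle_incoming(SAMPLE_MESSAGE)
    print(disposition)
    print(auto_reply.as_string())
```

The point of the design is that the "less invasive" option the Authority refers to needs no access to the correspondence at all: the only data leaving the handler is the reply, and the only data entering it is the address to send that reply to.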



With a decision of 10 November 2022, the Italian Data Protection Authority (l’Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed a fine of EUR 20,000 on an Italian company for monitoring employee attendance by reading fingerprints. The Authority reiterated that ‘the processing of biometric data in the workplace is allowed only if necessary to fulfil obligations and exercise the employer’s rights provided for by a legal provision and with appropriate safeguards’.

The case arose following a report made to the Authority by a trade union organisation that complained about the introduction by the company, the employer, of a stamping system that used a biometric terminal to monitor access and attendance of employees and collaborators within its facilities. The union also challenged the fact that the system had been introduced even though the company had been asked to adopt ‘less invasive means’ that did not involve the processing of biometric data of the data subjects.

The company defended itself by stating that the system adopted was intended to facilitate the registration of entry and exit times for data subjects and represented a ‘more streamlined and faster’ tool than the one previously used, which recorded attendance through a personal identification badge.

After carrying out its preliminary investigation, the Authority held, among other things, that the processing of biometric personal data carried out by the company was unlawful for (i) having carried out processing in the absence of an appropriate lawful basis: the Authority, in fact, reaffirmed that the processing of biometric data in the workplace is allowed only if it is provided for by a national or European law; (ii) not having provided the data subjects with adequate information, thus infringing the fundamental principles on the subject such as those of lawfulness, fairness and transparency; (iii) not having updated the Record of Processing Activities which, in the version presented to the Authority, did not record any processing of employee biometric data, thus also infringing the principle of accountability; (iv) having processed a category of special data for the sole purpose of simplifying employment relationship management activities.

For all these reasons, therefore, the Authority sanctioned the company, ordering it not only to pay the above-mentioned administrative fine for the above-mentioned infringements but also ordering the publication of the decision on its institutional website.

In conclusion, while in the work context monitoring employees’ attendance is necessary to verify compliance with working hours as well as for the employer to fulfil specific obligations and exercise specific rights, for the processing of biometric data of employees to be lawful, it must be based on a legislative provision and cannot be based on the collection of the data subjects’ consent ‘in the light of the asymmetry between the respective parties to the employment relationship and the resulting, if any, need to ascertain from time to time and in concrete terms the effective freedom of expression of will of the employee’.

The draft legislative decree to transpose the EU directive on whistleblowing has been approved. As the fight against corruption and the protection of whistleblowers progresses this year, those who decide to report wrongdoing, whether in the public or private sector, will be able to do so relying on greater protection. In early December, the government approved the draft legislative decree transposing Directive (EU) 2019/1937 on whistleblowing. All that remains to be done is publication in the Italian Official Gazette, after which companies with more than 250 employees will have four months to comply with the new rules, while those with between 50 and 250 employees will have until 17 December 2023. This transposition is late, as the deadline was set for 17 December 2021, but Italy is not the only country to be late with compliance. The EU directive introduces important measures regarding preventing and combating corruption and sets minimum standards for whistleblower protection; it applies to both the public and private sectors and provides legal protection to a large number of potential whistleblowers. It also establishes appropriate measures to ensure the protection of whistleblowers from retaliation and requires the creation of mechanisms to facilitate whistleblowing. ‘Since 2017, in Italy, the rules on whistleblowing in the private sector have been regulated exclusively by Italian Law No 179 of 2017, which introduced the possibility of establishing specific protection systems for those who report wrongdoing, better known by the English term “whistleblowers”’, explains Vittorio De Luca, managing partner of De Luca&Partners. ‘Compared to the national regulatory framework outlined by the 2017 law, the new legislation extends the obligation to establish a whistleblowing channel to all private sector companies with more than 50 employees. It can be established after hearing from the trade union representatives or organisations.’ The decree (and before it the EU directive) is expressly aimed at protecting those who report breaches of EU law in areas such as public procurement, services, financial products and markets, money laundering, environmental protection, public health and consumer protection. It requires that appropriate arrangements be identified so that the protection and confidentiality of whistleblowers is guaranteed, as well as, for workers, protection from any form of retaliation. ‘Under the decree, retaliation constitutes, by way of example, a change in duties, dismissal, change of workplace, reduction in salary, change in working hours, the non-renewal and early termination of a fixed-term employment contract,’ De Luca concludes. ‘Companies will therefore have to set up internal and external reporting channels by implementing management procedures that ensure the confidentiality of both the whistleblowers and the personal data, including storage, which will have to be carried out in accordance with the legislation on the protection of personal data now represented by Regulation (EU) 2016/679, better known as the GDPR.’


Source: Repubblica Album Speciale Lavoro

Monitoring the metadata of company e-mails assigned to employees is unlawful where it does not guarantee adequate protection of confidentiality and is carried out in breach of the rules limiting remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali – the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.

The preliminary investigation

The case arose from a report submitted to the Italian DPA by an independent trade union organisation that complained about the monitoring by the administration, which was the controller, of the e-mails of staff working in the offices of the regional lawyer’s office.

The monitoring, initiated as part of an internal investigation aimed at verifying a suspected disclosure of information protected by official secrecy, turned out to include information on times, recipients, subject matter of communications and size of attachments, the so-called ‘metadata’, of some employees who had been sending messages to a specific trade union. According to the investigation’s findings, it had been possible to monitor this information because, ‘as a matter of practice’ email traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.

The Italian DPA’s Order

On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:

  • in breach of the principles of ‘lawfulness, fairness and transparency’, employees had not been provided with information on the processing of personal data in accordance with Articles 12 and 13 of the GDPR. And, as the Italian DPA noted, the fulfilment of the information obligations ‘constitutes a specific precondition for the lawful use of the data collected through technological tools, by the employer, including for all purposes related to the employment relationship (Article 4, paragraph 3, of Italian Law No 300/1970)’;
  • given that ‘the generalised collection and extensive retention of e-mail metadata […] are not instrumental to the “employee’s work performance”, such data processing may entail an – albeit indirect – remote monitoring of the employees’ activities’. Therefore, the employer breached not only the existing data protection legislation but also the regulations on remote monitoring of employees;
  • the processing and monitoring carried out enabled the employer to acquire information on the employees’ private lives or on matters that were not in any way relevant to the assessment of their professional suitability;
  • the processing of the metadata was carried out in breach of principles of data protection law, namely the principles of retention limitation, of data protection by design and by default, as well as of the principle of accountability;
  • the processing of metadata was carried out in the absence of a prior data protection impact assessment.

On the basis of all of the above, the Italian DPA, in addition to ordering payment of the aforementioned administrative sanction, prohibited the employer, the controller, from any further processing operation applied to the (meta)data relating to the use of employees’ e-mails retained for a period exceeding seven days from the date of their collection, ordered the deletion of the data already collected and retained beyond the latter period and also ordered the publication of the order on its institutional website.
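The contrast between the 180-day retention ‘as a matter of practice’ and the seven-day limit in the Italian DPA’s order comes down to a retention policy applied to the metadata store. The following is an added example, not code from the Lazio Region or the DPA: it parses a constructed sample of e-mail metadata records (timestamp, sender, recipient, subject, attachment size; the format and all addresses are assumptions) and purges everything older than the configured window, so the same routine can be run with the practised setting and with the ordered one to see what each leaves behind.

```python
"""Retention enforcement for e-mail metadata records (added example).

The record format, the addresses and the timestamps are constructed for the
example; only the two retention windows (180 days as practised, 7 days as
ordered) come from the order discussed above.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS_AS_PRACTISED = 180   # the generic "IT security" default criticised in the order
RETENTION_DAYS_ORDERED = 7          # the limit set by the DPA

# Constructed sample metadata records (not real log data). Ages are measured
# against NOW below: ~190 days, ~100 days, ~8 days and ~1 day.
SAMPLE_LOG = """\
2024-02-20T10:15:00Z from=anna@example.org to=union@example.net subject="Meeting" size=2048
2024-05-20T08:00:00Z from=bruno@example.org to=client@example.com subject="Offer" size=10240
2024-08-20T09:30:00Z from=carla@example.org to=union@example.net subject="Shift plan" size=512
2024-08-27T07:45:00Z from=dario@example.org to=it@example.org subject="Ticket" size=4096
"""
NOW = datetime(2024, 8, 28, 12, 0, tzinfo=timezone.utc)   # fixed clock for reproducibility

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<recipient>\S+) '
    r'subject="(?P<subject>[^"]*)" size=(?P<size>\d+)$'
)


@dataclass(frozen=True)
class MetadataRecord:
    ts: datetime
    sender: str
    recipient: str
    subject: str
    size: int


def parse_log(text: str) -> list:
    """Parse one record per line; a malformed line is an error, not silently kept."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised metadata record")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(MetadataRecord(ts, m["sender"], m["recipient"], m["subject"], int(m["size"])))
    return records


def enforce_retention(records: list, now: datetime, retention_days: int):
    """Return (kept_records, purged_count): everything older than the window goes."""
    cutoff = now - timedelta(days=retention_days)
    kept = [r for r in records if r.ts >= cutoff]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for days in (RETENTION_DAYS_AS_PRACTISED, RETENTION_DAYS_ORDERED):
        kept, purged = enforce_retention(records, NOW, days)
        print(f"{days:>3}-day window: kept {len(kept)}, purged {purged}")
```

Run against a real store, the purge would be scheduled at least daily and driven by the record timestamp rather than by when the purge job happens to run; the fixed `NOW` here only makes the example deterministic.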
