The National Labour Inspectorate (Ispettorato Nazionale del Lavoro, ‘INL’), in note No 2572 of 14 April 2023, provided operational guidelines for the issuance of authorisations for video surveillance systems and instruments which enable remote control of workers within the meaning of Article 4 of the Workers’ Charter (Italian Law No 300/1970). As set out in the operational note, the guidelines are based on application experience and operational problems that have emerged over time, including in the light of the technological evolution of the instruments that can be adopted, while also taking into account the guidelines of the Italian Data Protection Authority (Garante per la protezione dei dati personali).

The INL has, among other things, specified that:

• the installation of an audio-visual system or other instruments which may enable remote control of workers must necessarily and as a priority be preceded by a collective agreement with the workplace unions (Rappresentanza Sindacale Aziendale/Rappresentanza Sindacale Unitaria, ‘RSA/RSU’). The authorisation procedure, in fact, appears to be only contingent and subsequent to failure to agree with the unions and is conditional on proving the absence of the RSA/RSU;
• the installation of such instruments cannot be justified by any consent, even informed consent, of the individual workers concerned. In this case, installation would not only be unlawful but also criminally sanctioned;
• undertakings with several production units located within the competence of the same INL area office may submit only one authorisation application;
• companies located in several provinces, as an alternative to concluding individual agreements with the RSA/RSU, may conclude a single agreement with the trade unions that are comparatively more representative at national level;
• Article 4 of Italian Law No 300/1970 applies to companies where there are workers: (i) in the case of establishing a new company that at the time of the application has no workers but plans to employ staff as soon as the business activity starts, it may submit the authorisation application indicating the number of workers that there will be when the activity starts; (ii) in the event that a company already in operation with a plant legitimately installed and functioning but without workers, intends to employ personnel, it may submit an application but must – at the same time – certify the decommissioning of the plant, which will be put into operation only after the authorisation measure, if any.

The note also clarifies how geolocalisation systems can be used. The INL, expressly referring to the conclusions that the Italian Data Protection Authority has over time provided on the subject, refers to the Authority’s requirements for the configuration of these systems. The systems, in fact, must:

• exclude continuous monitoring of the worker;
• allow authorised persons to view the location only when strictly necessary in relation to the purposes pursued;
• allow the device to be deactivated during breaks and outside working hours;
• process by pseudonymising personal data;
• provide for the storage of collected data only when necessary and with retention times proportionate to the purposes pursued.

The INL also clarifies that the procedure imposed by Article 4 of Law No 300/1970 also applies to the types of work to which the protections given to subordinate employment relationships are extended by law. This includes collaborations that take the form of predominantly personal, continuous services organised through an employer (etero organizzate), even if organised through platforms, including digital ones.

Other related insights:
Video surveillance: the repetition of the procedure following a change in the ownership structure is unnecessary

Video surveillance: note of the Ministry of Labour no. 1241 dated 1 June 2016

Protection also extends to shareholders, apprentices, the self-employed, and consultants.

Wide-ranging whistleblowing protection. In addition to their current employees and collaborators, private sector companies must also provide protection to employed workers, apprentices, self-employed workers, freelancers and consultants, volunteers and trainees (including unpaid ones), shareholders, those exercising administrative, management, control, supervisory or representative functions (including if those functions are exercised on a de facto basis) and all persons working under the supervision and direction of contractors, subcontractors and suppliers. This is provided for by Italian Legislative Decree No 24/2023 in which the Italian legislator implemented Directive (EU) 2019/1937 (the so-called Whistleblowing Directive). The provisions will be effective from 15 July 2023 or from 17 December thereafter for companies with an average number of employees of up to 249, as well as for companies that have adopted the organisational model required by Italian Legislative Decree No 231. The purpose of the provision is to oblige companies and other organisations covered by the regulation to activate computer tools to enable the reporting of breaches of regulatory provisions. The legislator, including the EU legislator, intended to protect potential whistleblowers. Protection must also be guaranteed even when the employment relationship has not yet been established, if the information was acquired during the selection process or in any case during the pre-contractual phase, during the probationary period or after termination of the relationship if the information on possible breaches was acquired during the course of the relationship. The protection measures for whistleblowers are also aimed at ‘facilitators’ (i.e. those who assist the worker in the reporting process), persons who work in the same work context as the whistleblowers and who are related to them by a stable emotional or familial relationship up to the fourth degree, work colleagues of the whistleblower who work in the same work context and who have a long-standing and ongoing relationship, or entities owned by and entities that work in the same context as these persons. Between now and the entry into force of the decree, recipient companies will have to i) identify and approve appropriate procedures to regulate the reporting process, ii) activate the aforementioned computerised reporting channels, iii) implement what is necessary to ensure protection and confidentiality for the reporting parties, and iv) provide for and regulate remedial initiatives in the event of reported breaches. This is without neglecting seemingly insignificant details, such as the finalisation and posting of the disciplinary code, which is often missing, incomplete or inadequately completed.

With an Order dated 11 January 2023, the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed on a company the payment of an administrative fine equal to EUR 5,000 for having kept active and read the contents of the email account of a collaborator.

The facts

During some negotiations aimed at defining the acquisition of a cooperative company, a company agreed that a representative of the latter should collaborate, using the name of the purchasing company, in the promotion of a common supplier on the occasion of a trade fair.

A company email account was then activated for the collaborator in order to allow her to communicate with potential customers met at the event.

A few months later, the negotiations between the two companies were interrupted and the complainant requested the deactivation of the email account assigned to her. In order not to lose the contacts of potential new customers collected during the event, the company kept the account active and set up a system for forwarding incoming communications to the sales manager’s email, deactivating the complainant’s email address only after (approximately) six months from activation.

The outcome of the investigation by the Authority

The Authority first of all noted that the company has not complied with its obligation to inform the complainant about the processing of data carried out on her email account as instead required by Article 13 of Regulation (EU) 2016/679 (the ‘Regulation’). This obligation, the Authority recalls, also applies in the context of any pre-contractual negotiations as an expression of the principles of fairness and transparency (see Article 5 of the Regulation).

In the present case, the company:

1. processed personal data in the absence of a legitimation criterion to the extent that it has (i) viewed, without an appropriate legal basis, the correspondence received and sent to the account during collaboration with the complainant and (ii) set up, at the end of the collaboration, an automatic email forwarding system to a different company account;
2. did not achieve an adequate balancing of ‘the interests at stake’: on the one hand, in fact, the need for the company to continue its economic activities is recognized and on the other, the right to privacy of the data subject (namely the complainant). In this regard, the order reads, ‘the (legitimate) purpose of not losing useful contacts for one’s commercial activity, […], could have been pursued with less invasive processing activities and, therefore, compliant with data protection regulations, with respect to that carried out in the present case’;
3. did not comply with the obligation to facilitate the exercise of the rights of the data subject to the extent that it has not provided a suitable response to the request for cancellation – the so-called ‘right to be forgotten’ – submitted several times by the complainant.

◊◊◊◊

That said, the Authority recalls that: ‘[…] the legitimate interest in processing personal data to defend one’s legal claim [can]not lead to an a priori cancellation of the right to the protection of personal data recognized to the data subjects […]’.

The order in question also recalls a well-established orientation of the Authority according to which an adequate balancing of the interests as mentioned in letter b) above is achieved by activating an automatic response system with which the sender is provided with alternative addresses through which to contact the company, data controller, without accessing incoming communications, as instead done in the case in question in breach, among others, of the principle of data minimization (see Article 5 of the Regulation).

Other related insights:

Employers who keep the former employee’s email account active commits an offence

Company e-mail account and data processing (Legal – Le Fonti, N. 24 May 2018, Vittorio De Luca)

With a decision of 10 November 2022, the Italian Data Protection Authority (l’Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed a fine of EUR 20,000 on an Italian company for monitoring employee attendance by reading fingerprints. The Authority reiterated that ‘the processing of biometric data in the workplace is allowed only if necessary to fulfil obligations and exercise the employer’s rights provided for by a legal provision and with appropriate safeguards’.

The case arose following a report made to the Authority by a trade union organisation that complained about the introduction by the company, the employer, of a stamping system that used a biometric terminal to monitor access and attendance of employees and collaborators within its facilities. The union also challenged the fact that the system had been introduced even though the company had been asked to adopt ‘less invasive means’ that did not involve the processing of biometric data of the data subjects.

The company defended itself by stating that the system adopted was intended to facilitate the registration of entry and exit times for data subjects and represented a ‘more streamlined and faster’ tool than the one previously used, which recorded attendance through a personal identification badge.

After carrying out its preliminary investigation, the Authority held, among other things, that the processing of biometric personal data carried out by the company was unlawful for (i) having carried out processing in the absence of an appropriate lawful basis: the Authority, in fact, reaffirmed that the processing of biometric data in the workplace is allowed only if it is provided for by a national or European law; (ii) not having provided the data subjects with adequate information, thus infringing the fundamental principles on the subject such as those of lawfulness, fairness and transparency; (iii) not having updated the Record of Processing Activities which, in the version presented to the Authority, did not record any processing of employee biometric data, thus also infringing the principle of accountability; (iv) having processed a category of special data for the sole purpose of simplifying employment relationship management activities.

For all these reasons, therefore, the Authority sanctioned the company, ordering it not only to pay the above-mentioned administrative fine for the above-mentioned infringements but also ordering the publication of the decision on its institutional website.

In conclusion, while in the work context monitoring employees’ attendance is necessary to verify compliance with working hours as well as for the employer to fulfil specific obligations and exercise specific rights, for the processing of biometric data of employees to be lawful, it must be based on a legislative provision and cannot be based on the collection of the data subjects’ consent ‘in the light of the asymmetry between the respective parties to the employment relationship and the resulting, if any, need to ascertain from time to time and in concrete terms the effective freedom of expression of will of the employee’.

Other related insights:

• The requirements relative to the processing of special categories of data have been issued
• Data Processing Register and Impact Assessment: clarifications provided by the Data Protection Authority

The draft legislative decree to transpose the EU directive on whistleblowing has been approved. As the fight against corruption and the protection of whistleblowers progresses this year, those who decide to report wrongdoing, whether in the public or private sector, will be able to do so relying on greater protection. In early December, the government approved the draft legislative decree transposing Directive [(EU) 2019/1937] on whistleblowing.  All that remains to be done is publication in the Italian Official Gazette, after which companies with more than 250 employees will have four months to comply with the new rules, while those with between 50 and 250 employees will have until 17 December 2023. This transposition is late, as the deadline was set for 17 December 2021, but Italy is not the only country to be late with compliance. The EU directive introduces important measures regarding preventing and combating corruption and prepares minimum standards for whistleblower protection; it applies to both the public and private sectors and provides legal protection to a large number of potential whistleblowers. It also establishes appropriate measures to ensure the protection of whistleblowers from retaliation and requires the creation of mechanisms to facilitate whistleblowing. ‘Since 2017, in Italy, the rules on whistleblowing in the private sector have been regulated exclusively by Italian Law No 179 of 2017, which introduced the possibility of establishing specific protection systems for those who report wrongdoing, better known by the English term “whistleblowers”’, explains Vittorio De Luca, managing partner of De Luca&Partners, ‘Compared to the national regulatory framework outlined by the 2017 law, the new legislation extends the obligation to establish a whistleblowing channel to all private sector companies with more than 50 employees. It can be established after hearing from the trade union representatives or organisations.’ The decree (and before it the EU directive) is expressly aimed at protecting those who report breaches of EU law in areas such as public procurement, services, financial products and markets, money laundering, environmental protection, public health and consumer protection. It requires that appropriate arrangements be identified so that the protection and confidentiality of whistleblowers is guaranteed, as well as, for workers, protection from any form of retaliation. ‘Under thedecree, retaliation constitutes, by way of example, a change in duties, dismissal, change of workplace, reduction in salary, change in working hours the non-renewal and early termination of a fixed-term employment contract,’ De Luca concludes. ‘Companies will therefore have to set up internal and external reporting channels by implementing management procedures that ensure the confidentiality of both the whistleblowers and the personal data, including storage, which will have to be carried out in accordance with the legislation on the protection of personal data now represented by Regulation (EU) 2016/679, better known as the GDPR’

Fonte: Repubblica Album Speciale Lavoro