Monitoring the metadata of the company e-mail accounts assigned to employees is unlawful where it does not guarantee adequate protection of confidentiality and is carried out in breach of the rules limiting the remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.
The preliminary investigation
The case arose from a report submitted to the Italian DPA by an independent trade union, which complained that the regional administration, acting as controller, had monitored the e-mails of staff working in the offices of the regional lawyer’s office.
The monitoring, initiated as part of an internal investigation into a suspected disclosure of information protected by official secrecy, turned out to cover the times, recipients, subject matter and attachment sizes of communications, the so-called ‘metadata’, of some employees who had been sending messages to a specific trade union. According to the investigation’s findings, this information could be examined because, ‘as a matter of practice’, e-mail traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.
The Italian DPA’s Order
On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:
On the basis of all of the above, the Italian DPA, in addition to ordering payment of the administrative fine, prohibited the employer, as controller, from any further processing of the (meta)data relating to employees’ use of e-mail that had been retained for more than seven days from the date of collection, ordered the deletion of the data already collected and retained beyond that period, and ordered publication of the order on its institutional website.
In a press release dated 9 December 2022, the Italian Council of Ministers announced the approval of the draft Italian legislative decree transposing Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law. The new legislation extends the obligation to establish reporting channels to all private sector companies with at least 50 employees.
The main measures introduced provide, among other things, that:
Websites that use Google Analytics (GA) without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation”) violate data protection legislation, because they transfer user data to the United States, which lacks adequate protection. The Data Protection Authority (“Garante”) so ruled in a measure of 9 June 2022, adopted after a preliminary investigation opened on the basis of several complaints and coordinated with other European data protection authorities, and published on the following 23 June.
GA is a web analytics tool that Google provides to website operators so that they can analyse detailed statistics on users, optimise the services offered and monitor marketing campaigns.
The Authority assessed the processing carried out using this tool and found that website operators (such as the sanctioned company) use cookies transmitted to the user’s browser to collect information on how users interact with the website, its individual pages and the services offered. The data collected consists of: unique online identifiers that allow identification of the user’s browser or device while visiting the website, and of the website operator (through the Google Account ID); the address and name of the website and navigation data; the IP address of the user’s device; and information on the browser, operating system, screen resolution, selected language, and date and time of the visit.
This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.
The Data Protection Authority stated that the IP address is personal data to all intents and purposes, since it identifies an electronic communication device and thus indirectly makes the data subject identifiable as a user. This data is not anonymous even if truncated, given Google’s ability to associate it with other data in its possession and so re-identify the user.
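To make the re-identification argument concrete, the following is an added example (not part of the Garante’s decision or of Google’s code). It applies the truncation that Google documents for its IP-anonymisation setting (the last octet of an IPv4 address, or the last 80 bits of an IPv6 address, are zeroed before storage) to a small, constructed set of GA-style hits carrying the fields the Authority lists, and counts how many visitors remain distinguishable. The hit records, client identifiers and addresses are invented for illustration.

```python
import ipaddress
from typing import Iterable, Sequence


def anonymize_ip(ip: str) -> str:
    """Truncate an address the way GA's IP-anonymisation option does:
    IPv4 keeps the first three octets, IPv6 keeps the first 48 bits."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))
    keep_top_48_bits = ((1 << 48) - 1) << 80
    return str(ipaddress.IPv6Address(int(addr) & keep_top_48_bits))


def hosts_behind_truncation(ip: str) -> int:
    """How many addresses collapse onto one truncated value: 2**8 for IPv4, 2**80 for IPv6."""
    return 2 ** 8 if ipaddress.ip_address(ip).version == 4 else 2 ** 80


# Constructed sample hits (not real traffic), modelled on the fields listed in the
# decision: identifier cookie, IP address, browser, OS, screen resolution, language.
# Hosts 1 and 2 share a /24; hosts 4 and 5 share a /24 AND an identical browser set-up.
HITS = [
    {"client_id": "GA1.2.1111", "ip": "203.0.113.77",  "browser": "Chrome",  "os": "Windows", "screen": "1920x1080", "lang": "it-IT"},
    {"client_id": "GA1.2.2222", "ip": "203.0.113.201", "browser": "Firefox", "os": "Linux",   "screen": "2560x1440", "lang": "en-GB"},
    {"client_id": "GA1.2.1111", "ip": "203.0.113.77",  "browser": "Chrome",  "os": "Windows", "screen": "1920x1080", "lang": "it-IT"},  # return visit of host 1
    {"client_id": "GA1.2.4444", "ip": "198.51.100.9",  "browser": "Safari",  "os": "macOS",   "screen": "1440x900",  "lang": "it-IT"},
    {"client_id": "GA1.2.5555", "ip": "198.51.100.42", "browser": "Safari",  "os": "macOS",   "screen": "1440x900",  "lang": "it-IT"},
]


def profile_key(hit: dict, fields: Sequence[str], truncate_ip: bool) -> tuple:
    """Quasi-identifier built from the chosen fields, with the IP optionally truncated."""
    key = []
    for field in fields:
        value = hit[field]
        if field == "ip" and truncate_ip:
            value = anonymize_ip(value)
        key.append(value)
    return tuple(key)


def distinct_profiles(hits: Iterable[dict], fields: Sequence[str], truncate_ip: bool) -> int:
    """Number of distinguishable visitors given which fields are kept and how the IP is stored."""
    return len({profile_key(hit, fields, truncate_ip) for hit in hits})


if __name__ == "__main__":
    scenarios = [
        (("ip",), False),                                      # full IP only
        (("ip",), True),                                       # truncated IP only
        (("ip", "browser", "os", "screen", "lang"), True),     # truncated IP + browser data
        (("ip", "client_id"), True),                           # truncated IP + GA cookie
    ]
    for fields, truncated in scenarios:
        print(f"{fields} {'truncated' if truncated else 'full'} -> "
              f"{distinct_profiles(HITS, fields, truncated)} distinguishable visitors")
```

Truncation on its own does reduce the five hits from four addresses to two /24 values, but adding the browser, OS, screen and language fields separates three of the four hosts again, and the `_ga` client identifier (one of the “unique online identifiers” the Authority mentions) separates all four regardless of what is done to the IP. That is the point of the ruling: a truncated IP is only pseudonymous when the recipient holds nothing else to join it with.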
For these reasons, the Data Protection Authority adopted the first of a series of measures, cautioning the company that operated the website under investigation and ordering it to bring the processing into line with the Regulation within 90 days. The Authority considered that deadline sufficient for the operator to adopt the required transfer safeguards, failing which the flow of data to the United States through GA would be suspended.
At the end of the 90 days, the Data Protection Authority will carry out inspections to verify that the transfers performed by data controllers comply with the Regulation.
◊◊◊◊
While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees an international transfer with protections equivalent to what is required in Europe, website operators must comply with applicable legislation. This includes relying on European providers that process users’ personal data within the EU.
Economic growth is slowing down, and it is feared that many companies will have to close in the months to come. At the same time, structural changes taking place in society are increasing the demand for professional profiles that are hard to find on the market, because training is evolving too slowly. Employment remains at the top of the political agenda, with possible reforms seeking a difficult balance between guaranteeing decent pay for everyone and the flexibility needed to avoid stifling the market. The changes under way concern not only the dynamics of supply and demand and the choices of the legislator, but also case law, which has played a key role. The latest example dates from a few weeks ago, when the Constitutional Court intervened on the regulation of dismissals (ruling no. 125/2022). Studio Legale De Luca & Partners managing partner Vittorio De Luca said: “Dismantling the reforming effort started by the legislator in 2012 continues,” referring to the Fornero law and the measures launched by the Renzi government. “Already in the past, two rulings have affected the contract with increasing protections, implementing the reform known as the Jobs Act, declaring the illegitimacy of the automatic mechanism for determining the indemnity calculated based solely on seniority.” As for Art. 18 of the Workers’ Statute, the Constitutional Court intervened on the part concerning dismissals for justified objective reason.
The Italian Data Protection Authority (“Garante”), in an injunction of 28 April 2022, imposed a EUR 200,000 fine on the company managing the municipal waste collection service for the Municipality of Taranto (the “Municipality”) for having entrusted the processing of personal data to a sub-processor without having requested and obtained the specific or general written authorisation of the Municipality, the data controller.
Following widespread abandonment of waste in the area under its responsibility, the Municipality entrusted a company it owns with the task of verifying and sanctioning offences under the municipal regulations on waste disposal. The Municipality and the company agreed to install video surveillance systems at sites considered particularly sensitive, being the places where illegal dumping occurred most frequently.
A report received by the Data Protection Authority showed that the company had disseminated, by publishing them on its Facebook profile, videos and images collected through those video surveillance systems from which the offending citizens were, or could be, identified.
Following the report, the Authority opened a preliminary investigation, which revealed that the company had started the processing in March 2012 under a municipal ordinance, without its relationship with the Municipality having been regulated as required by the legislation then in force.
Since November 2020 it had also used a supplier (designated as data processor) to collect the video surveillance images, without the “prior specific or general written authorisation of the controller” (i.e. the Municipality) required by Article 28 of the GDPR. Only in January 2022 did the Municipality and the company sign an “agreement for the protection of personal data and appointment as external data processor” under Article 28 of the GDPR, in which the Municipality specified that “upon its prior written authorisation, the company may make Municipality-owned personal data available to third parties (as sub-processors), to entrust them with part of the processing activities.”
The full version of this article was published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.