With a decision of 10 November 2022, the Italian Data Protection Authority (l’Autorità Garante per la protezione dei dati personali, the ‘Authority’) imposed a fine of EUR 20,000 on an Italian company for monitoring employee attendance by reading fingerprints. The Authority reiterated that ‘the processing of biometric data in the workplace is allowed only if necessary to fulfil obligations and exercise the employer’s rights provided for by a legal provision and with appropriate safeguards’.
The case arose following a report made to the Authority by a trade union organisation that complained about the introduction by the company, the employer, of a stamping system that used a biometric terminal to monitor access and attendance of employees and collaborators within its facilities. The union also challenged the fact that the system had been introduced even though the company had been asked to adopt ‘less invasive means’ that did not involve the processing of biometric data of the data subjects.
The company defended itself by stating that the system adopted was intended to facilitate the registration of entry and exit times for data subjects and represented a ‘more streamlined and faster’ tool than the one previously used, which recorded attendance through a personal identification badge.
After carrying out its preliminary investigation, the Authority held, among other things, that the processing of biometric personal data carried out by the company was unlawful for (i) having carried out processing in the absence of an appropriate lawful basis: the Authority, in fact, reaffirmed that the processing of biometric data in the workplace is allowed only if it is provided for by a national or European law; (ii) not having provided the data subjects with adequate information, thus infringing the fundamental principles on the subject such as those of lawfulness, fairness and transparency; (iii) not having updated the Record of Processing Activities which, in the version presented to the Authority, did not record any processing of employee biometric data, thus also infringing the principle of accountability; (iv) having processed a category of special data for the sole purpose of simplifying employment relationship management activities.
For all these reasons, therefore, the Authority sanctioned the company, ordering it not only to pay the above-mentioned administrative fine for the above-mentioned infringements but also ordering the publication of the decision on its institutional website.
In conclusion, while in the work context monitoring employees’ attendance is necessary to verify compliance with working hours as well as for the employer to fulfil specific obligations and exercise specific rights, for the processing of biometric data of employees to be lawful, it must be based on a legislative provision and cannot be based on the collection of the data subjects’ consent ‘in the light of the asymmetry between the respective parties to the employment relationship and the resulting, if any, need to ascertain from time to time and in concrete terms the effective freedom of expression of will of the employee’.
The draft legislative decree to transpose the EU directive on whistleblowing has been approved. As the fight against corruption and the protection of whistleblowers progresses this year, those who decide to report wrongdoing, whether in the public or private sector, will be able to do so relying on greater protection. In early December, the government approved the draft legislative decree transposing Directive (EU) 2019/1937 on whistleblowing. All that remains to be done is publication in the Italian Official Gazette, after which companies with more than 250 employees will have four months to comply with the new rules, while those with between 50 and 250 employees will have until 17 December 2023. This transposition is late, as the deadline was set for 17 December 2021, but Italy is not the only country to be late with compliance. The EU directive introduces important measures on preventing and combating corruption and sets minimum standards for whistleblower protection; it applies to both the public and private sectors and provides legal protection to a large number of potential whistleblowers. It also establishes appropriate measures to ensure the protection of whistleblowers from retaliation and requires the creation of mechanisms to facilitate whistleblowing. ‘Since 2017, in Italy, the rules on whistleblowing in the private sector have been regulated exclusively by Italian Law No 179 of 2017, which introduced the possibility of establishing specific protection systems for those who report wrongdoing, better known by the English term “whistleblowers”’, explains Vittorio De Luca, managing partner of De Luca&Partners. ‘Compared to the national regulatory framework outlined by the 2017 law, the new legislation extends the obligation to establish a whistleblowing channel to all private sector companies with more than 50 employees. It can be established after hearing from the trade union representatives or organisations.’ The decree (and before it the EU directive) is expressly aimed at protecting those who report breaches of EU law in areas such as public procurement, services, financial products and markets, money laundering, environmental protection, public health and consumer protection. It requires that appropriate arrangements be identified so that the protection and confidentiality of whistleblowers is guaranteed, as well as, for workers, protection from any form of retaliation. ‘Under the decree, retaliation constitutes, by way of example, a change in duties, dismissal, change of workplace, reduction in salary, change in working hours, the non-renewal and early termination of a fixed-term employment contract,’ De Luca concludes. ‘Companies will therefore have to set up internal and external reporting channels by implementing management procedures that ensure the confidentiality of both the whistleblowers and the personal data, including storage, which will have to be carried out in accordance with the legislation on the protection of personal data now represented by Regulation (EU) 2016/679, better known as the GDPR.’
Monitoring the metadata of company e-mail accounts assigned to employees is unlawful where it does not guarantee adequate protection of confidentiality and is carried out in breach of the rules limiting remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali – the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.
The preliminary investigation
The case arose from a report submitted to the Italian DPA by an independent trade union organisation that complained about the monitoring by the administration, which was the controller, of the e-mails of staff working in the offices of the regional lawyer’s office.
The monitoring, initiated as part of an internal investigation aimed at verifying a suspected disclosure of information protected by official secrecy, turned out to include information on the times, recipients, subject matter of communications and size of attachments (the so-called ‘metadata’) of some employees who had been sending messages to a specific trade union. According to the investigation’s findings, it had been possible to monitor this information because, ‘as a matter of practice’, e-mail traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.
The Italian DPA’s Order
On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:
On the basis of all of the above, the Italian DPA, in addition to ordering payment of the aforementioned administrative sanction, prohibited the employer, the controller, from any further processing operation applied to the (meta)data relating to the use of employees’ e-mails retained for a period exceeding seven days from the date of their collection, ordered the deletion of the data already collected and retained beyond the latter period and also ordered the publication of the order on its institutional website.
In a press release dated 9 December 2022, the Italian Council of Ministers announced the approval of the draft Italian legislative decree transposing Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law. The new legislation extends the obligation to establish reporting channels to all private sector companies with more than 50 employees.
The main measures introduced provide, among other things, that:
Websites that use Google Analytics (GA) without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation”) violate data protection legislation because they transfer user data to the United States, which lacks adequate protection. The Data Protection Authority (“Garante”) made its ruling with a 9 June 2022 measure, adopted after a preliminary investigation initiated based on several complaints, in coordination with other European Privacy Authorities, and published the following 23 June.
GA is a web tool provided by Google to website operators that allows them to analyse detailed statistics on users to optimise the services offered and monitor marketing campaigns.
The Authority assessed the processing carried out using this tool and showed that website operators (such as the sanctioned company) use cookies transmitted to the user’s browser to collect information on how users interact with the website, its individual pages, and the services offered. The data collected consists of: unique online identifiers that allow the identification of the user’s browser or device while visiting the website, and of the website operator (through the Google Account ID); the address, website name and navigation data; the IP address of the user’s device; and information on the browser, operating system, screen resolution, selected language, and date and time of the website visit.
This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.
The Data Protection Authority stated that the IP address is personal data to all intents and purposes, as it enables the identification of an electronic communication device, thus indirectly making the data subject identifiable as a user. This data, even if truncated, is not anonymous, given Google’s ability to associate it with other data in its possession, allowing the user’s re-identification.
For these reasons, the Data Protection Authority adopted the first of a series of measures with which it cautioned the company that managed the website under investigation, ordering it to comply with the Regulation within 90 days. The Data Protection Authority considered the deadline appropriate to allow the website to adopt the required transfer measures, under the penalty of suspending the data flow to the United States using GA.
At the end of the 90 days, the Data Protection Authority will conduct inspections to verify compliance with the Regulation of the transfers carried out by data controllers.
While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees an international transfer with protections equivalent to what is required in Europe, website operators must comply with applicable legislation. This includes relying on European providers that process users’ personal data within the EU.