The Italian Data Protection Authority sanctioned the company Foodinho S.r.l., a Glovo Group company, to pay a fine of EUR 5 million for unlawfully processing the personal data of more than 35,000 riders through its digital platform.   

Following a complex investigation carried out ex officio by the Authority, it revealed that the company, which had already been sanctioned in 2021 for unlawful processing and violations of the provisions of the privacy legislation, was carrying out “numerous and serious violations” of the GDPR. 

Among others, the company:  

1. when de-activating or blocking the rider’s account, it automatically sent a single standard message without informing the recipient of the possibility of contesting the decision and requesting that the account be restored, 
2. carried out automated processing of riders’ personal data without having taken the measures required by the regulations for the use of automated systems. In fact, the rider was not provided with the possibility of exercising the right to obtain human intervention, to express his or her opinion and to contest the decision taken through the system (n.b. on this point also the so-called “Transparency Decree”), 
3. sent, without prior notice, the riders’ personal data, including their geographical location, to third-party companies. The geolocation data were collected and processed even when the rider was not working and even when the app was in the background or not active.  

In addition to the numerous violations of privacy regulations pointed out by the Italian Data Protection Authority and partially reported herein, it is worth mentioning that the Authority highlighted that in this case, the company “while carrying out an activity of systematic control of the work performed by the riders, through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems), […], did not comply with the provisions established by Article 4, paragraph 1, of Law no. 300/1970, as it did not verify that the tools used are attributable to the purposes strictly allowed by the law (organizational and production needs, work safety and protection of the environment, and protection of the environment) nor did it activate the guarantee procedure provided for in the event of the existence of one of the aforementioned purposes (collective agreement entered into with trade union representatives or, failing that, authorization by the Italian Labor Inspectorate)”. 

In other words, the company, in addition to implementing technical and organizational security measures aimed at eliminating breaches and ceasing unlawful processing of personal data, must also take appropriate measures to comply with the provisions of the Workers’ Statute on remote control of employees. 

Other related insights: 

• Company e-mail and metadata: the Italian Data Protection Authority updates the guideline document

Compliance, Agency Contracts, and Privacy Management: A Growing Complexity

The law firm De Luca & Partners and HR Capital have recently highlighted significant issues in strategic areas such as contract management, regulatory compliance, and data protection. These areas, critical for Italian companies, are confronted with evolving regulations that demand increasing attention to avoid economic and reputational consequences.

Agency Contracts for Influencers: New Economic and Regulatory Implications

A recent ruling by the Court of Rome reclassified the commercial collaboration agreements between a company and certain influencers—entrusted with promoting the company’s products through social media channels—as agency contracts. As a result, the company was ordered to pay the omitted contributions to Enasarco following the reclassification.

The reclassification of commercial contracts as agency contracts may also entail a significant economic impact for companies, including the obligation to pay the influencer/agent an end-of-contract indemnity, typically calculated based on the average annual compensation earned by the influencer/agent over the past five years. In light of this, companies would be well-advised to update their financial statements with targeted provisions and properly classify existing contracts to address any irregularities.

However, according to the firm’s name partners, Vincenzo De Luca and Vittorio De Luca, many companies have yet to grasp the urgency of adequately regulating contractual relationships.

Subcontracting and Genuineness Requirements: Criminal Risks for Irregularities

Compliance with the genuineness requirements for subcontracting agreements is now under close scrutiny by authorities. The legislator has recently tightened the consequences for both clients and contractors in cases of “non-genuine” subcontracting, where irregular labor provision occurs, introducing criminal penalties as well.

To be deemed compliant, a subcontract must meet three key criteria:

• Assumption of business risk by the contractor,
• Organization of the necessary resources by the contractor, and
• Autonomous management of personnel by the contractor, including effective direction of the workers involved.

The reintroduction of criminal penalties in March 2024 adds further pressure on companies to ensure the transparency and independence of subcontracting relationships.

Compliance and the New “Credit License”: A Requirement for Companies and Self-Employed Workers

As of October 1, 2024, the new “Credit License” system has come into force, requiring a series of formalities for those operating on construction sites or significant engineering projects within Italy. This certification, which includes documents such as the DURC (certification of compliance with social security contributions) and the DURF (tax compliance certification), is essential for compliance with workplace health and safety regulations.

Foreign companies operating in Italy must also meet these requirements unless they hold an equivalent certification issued by their home country. Lawyer Vittorio De Luca explains that the “Credit License” applies to foreign companies involved in real estate and infrastructure projects or in data center installations.

Privacy and Data Protection: The Severe Consequences of Violations

Privacy and personal data management have become critical focal points for Italian companies, particularly given the stringent penalties for GDPR violations, which can reach up to 4% of the global annual turnover.

Dr. Martina De Angeli notes that recent investigations by the Milan Public Prosecutor’s Office have revealed that weak IT security systems can lead to unauthorized intrusions with severe consequences. In addition to reporting any data breach within 72 hours—a very short timeframe from an operational perspective—companies must constantly monitor their systems, train staff, and implement continuous control and monitoring processes.

Continue reading the full version published on Global Legal Chronicle Italia

“The employer cannot access the employee’s or collaborator’s e-mail or use software to store a copy of the messages. Such processing of personal data not only constitutes a breach of the data protection laws but also amounts to an unlawful control activity over the employee”.

This has been stated by the Italian Data Protection Authority, which sanctioned a company with a fine of EUR 80,000, with decision no. 472 of 17 July 2024, published in the institutional newsletter published on 22 October 2024. 

The facts 

The case originated from a complaint submitted to the Authority by a former collaborator of a company, who reported that the company had maintained his email account active and accessible even after the termination of his collaboration. 

The investigation revealed that the company had commissioned a forensic engineering firm to investigate the contents of the collaborator’s email using the “Mail Store” application installed on company’s laptops. During the collaboration, the company had backed up the email inbox and had retained both the content and access logs for the mailbox and the management system. The e-mails collected through the application had then been used in a legal proceeding brought against the complainant before the Court of Venice. 

Furthermore, the company, based on the document titled “Equipment used by the worker to perform work activities and tools for recording access and attendance – modalities and limits of use”, attached to the notice given to the complainant as a collaborator and directed at the company’s employees, processed data from corporate e-mail accounts in violation of data protection regulations. The document informed that the company could access the emails of employees and collaborators for the purposes of business continuity, in case of absence or termination of the relationship, but did not mention the backup process or the corresponding retention period. 

The position of the Italian Data Protection Authority 

The Authority stated that the systematic retention of e-mails – in this case, communications were stored for three years following the termination of the collaboration – and the systematic retention of access logs for the e-mail and management system used by the employees were not compliant with the applicable laws. The retention was deemed disproportionate and unnecessary for achieving the company’s stated purposes of ensuring the security of the IT network and the continuity of the company’s business activities. 

This also allowed the company to reconstruct the complainant’s activities in detail. The Authority noted that “even if, hypothetically, such processing were aimed at achieving one of the purposes explicitly indicated in Article 4, (1), of Law no. 300/1970, it appears that the company did not activate the guarantee procedure provided therein (agreement with the workers’ representatives or, failing that, authorization by the Labor Inspectorate)”. 

Lastly, as far as the use of the data in a judicial context is concerned, the Authority recalled that processing carried out by accessing an employee’s e-mail judicial protection purposes refers to disputes already in progress and not to abstract and indeterminate  hypotheses  of protection, as in the case under review. 

Other related insights:

• Company e-mail and metadata: the Italian Data Protection Authority updates the guideline document (Economy Magazine, July 1, 2024 – Vittorio De Luca, Martina De Angeli)
  
• Italian Court of Cassation: Defence checks on employee’s company e-mail

The Court of First Instance of Udine (Labour Section, order no. 504 of 2 August 2024) declared lawful the measure of suspension from work and remuneration, imposed by a company on an employee who had refused to sign the letter sent to the person responsible for processing personal data, in accordance with the applicable data protection law (please also refer to Ntpluslavoro of 26 September).

The Court of First Instance stated that, as a result of a circumstance caused by the employee’s will and, in any event, beyond its control, the company found itself in a situation in which it was obliged to suspend the employee’s services and remuneration. If it had not done so, it would have breached the rules of guarantee provided for by the data protection legislation and would inevitably entail the risk of incurring the sanctions provided for.

The consequences of rejection

The employer entrusts the employee not only with adequate resources and tools to ensure the correct processing of personal data, but also with the responsibility to process such data with confidentiality, fairness and diligence. While it is therefore true that the appointment of a designated person is unilateral in nature, since it is an act emanating from the employer, it is equally true that the employee’s failure to accept it, will have consequences for the management of the employment relationship, which will be felt at several levels:

• breach of the general duty of loyalty and fairness in the execution of the work relationship,
• breach of contractual obligations,
• integration of disciplinary misconduct.

Also because of these considerations, the Court of Udine stated that the refusal to accept the appointment as an authorized subject was sufficient to justify the adoption of the disciplinary measure of suspension from service and remuneration.

The specific case inevitably prompts the query as to what the effects and consequences are, or could be, for the employer who is faced with the hypothesis that an employee does not accept the assignment to a person authorized to process personal data or even expresses the intention to withdraw a previously provided acceptance.

Logically, but for the sake of completeness of the argument, it is also worth mentioning briefly, the question does not arise if the tasks assigned to an employee do not involve the processing of personal data. In the opinion of the author, the question does not arise for two reasons. On one hand, it would be illogical and unnecessary to authorize and instruct an employee who does not process personal data in performing his/her work activities. Article 29 of (EU) Regulation 2016/679 (the GDPR) and Article 2-quaterdecies of the Italian Legislative Decree no. 196/2003 provide that it is those who have “access to personal data” and not those who do not carry out any processing operations, who shall be instructed. On the other hand, the refusal of those who do not have access to personal data does not affect the performance of their daily work. Therefore, even in the latter case, no potentially relevant behaviour from a disciplinary standpoint would be identified.

Please continue reading the full version published in Norme e Tributi Plus Lavoro del Il Sole 24 Ore.

“The use of personal data is not subject to the obligation to inform and obtain the prior consent of the data controller when personal data are collected and processed in the context of legal proceedings”. This is “provided that the data are inherent to the area of business and litigation that justifies their collection, that they are not used for purposes other than those of justice for which they were collected, and that the authorizing measure is in place”.

This has been stated by the Court of Cassation, decision no. 24797/2024 of 16 September 2024.

In detail, a few employees – each in the context of their own dispute over matters relating to their employment relationship – had submitted to the court a recording of a conversation that had taken place some years earlier between one of their colleagues and some executives of the employer company. The recording was made without the knowledge or permission of the participants. The executives involved claimed the matter to the data protection authority, which rejected the claim on the assumptions that the recording, and thus the related processing of personal data, had been carried out for purposes related to contesting charges in the context of the employment relationship. At this point, the executives appealed to the ordinary courts.

In addition to the well-established national case-law on the subject, the Supreme Court also refers to the Court of Justice (EU) which, in its judgment of 2 March 2023, C-268/21 – Norra Stockholm Bygg AB v Per Nycander AB, made it clear that “where personal data of third parties are used in a case, it is for the national court to weigh, in full knowledge of the facts and in accordance with the principle of proportionality the interests concerned” and  “that assessment may, where appropriate, lead him to authorize the full or partial disclosure to the other party of the personal data thus disclosed to him if he considers that such disclosure does not go beyond what is necessary to ensure the effective enjoyment of the rights which individuals derive from Article 47 of the Charter”.

The Court of Cassation also remainds that “Articles 17 and 21 of the GDPR make it clear that, in the balancing of the interests involved, the right to defend oneself in court may be considered overriding over the rights of the data subject to the processing of personal data”.