The Court of First Instance of Udine (Labour Section, order no. 504 of 2 August 2024) declared lawful the measure of suspension from work and remuneration, imposed by a company on an employee who had refused to sign the letter sent to the person responsible for processing personal data, in accordance with the applicable data protection law (please also refer to Ntpluslavoro of 26 September).

The Court of First Instance stated that, as a result of a circumstance caused by the employee’s will and, in any event, beyond its control, the company found itself in a situation in which it was obliged to suspend the employee’s services and remuneration. If it had not done so, it would have breached the rules of guarantee provided for by the data protection legislation and would inevitably have run the risk of incurring the sanctions provided for.

The consequences of rejection

The employer entrusts the employee not only with adequate resources and tools to ensure the correct processing of personal data, but also with the responsibility to process such data with confidentiality, fairness and diligence. While it is therefore true that the appointment of a designated person is unilateral in nature, since it is an act emanating from the employer, it is equally true that the employee’s failure to accept it will have consequences for the management of the employment relationship, which will be felt at several levels:

  • breach of the general duty of loyalty and fairness in the execution of the work relationship,
  • breach of contractual obligations,
  • integration of disciplinary misconduct.

Also because of these considerations, the Court of Udine stated that the refusal to accept the appointment as an authorized subject was sufficient to justify the adoption of the disciplinary measure of suspension from service and remuneration.

The specific case inevitably raises the question of what the effects and consequences are, or could be, for an employer faced with an employee who does not accept the appointment as a person authorized to process personal data, or who even expresses the intention to withdraw a previously provided acceptance.

Logically, though it is worth mentioning briefly for the sake of completeness, the question does not arise if the tasks assigned to an employee do not involve the processing of personal data. In the opinion of the author, the question does not arise for two reasons. On the one hand, it would be illogical and unnecessary to authorize and instruct an employee who does not process personal data in performing his/her work activities. Article 29 of Regulation (EU) 2016/679 (the GDPR) and Article 2-quaterdecies of the Italian Legislative Decree no. 196/2003 provide that it is those who have “access to personal data”, and not those who do not carry out any processing operations, who shall be instructed. On the other hand, the refusal of those who do not have access to personal data does not affect the performance of their daily work. Therefore, even in the latter case, no potentially relevant behaviour from a disciplinary standpoint would be identified.

Please continue reading the full version published in Norme e Tributi Plus Lavoro of Il Sole 24 Ore.

“The use of personal data is not subject to the obligation to inform and obtain the prior consent of the data controller when personal data are collected and processed in the context of legal proceedings”. This is “provided that the data are inherent to the area of business and litigation that justifies their collection, that they are not used for purposes other than those of justice for which they were collected, and that the authorizing measure is in place”.

This has been stated by the Court of Cassation, decision no. 24797/2024 of 16 September 2024.

In detail, a few employees – each in the context of their own dispute over matters relating to their employment relationship – had submitted to the court a recording of a conversation that had taken place some years earlier between one of their colleagues and some executives of the employer company. The recording was made without the knowledge or permission of the participants. The executives involved brought the matter before the data protection authority, which rejected the claim on the grounds that the recording, and thus the related processing of personal data, had been carried out for purposes related to contesting charges in the context of the employment relationship. At this point, the executives appealed to the ordinary courts.

In addition to the well-established national case-law on the subject, the Supreme Court also refers to the Court of Justice (EU) which, in its judgment of 2 March 2023, C-268/21 – Norra Stockholm Bygg AB v Per Nycander AB, made it clear that “where personal data of third parties are used in a case, it is for the national court to weigh, in full knowledge of the facts and in accordance with the principle of proportionality the interests concerned” and “that assessment may, where appropriate, lead him to authorize the full or partial disclosure to the other party of the personal data thus disclosed to him if he considers that such disclosure does not go beyond what is necessary to ensure the effective enjoyment of the rights which individuals derive from Article 47 of the Charter”.

The Court of Cassation also recalls that “Articles 17 and 21 of the GDPR make it clear that, in the balancing of the interests involved, the right to defend oneself in court may be considered overriding over the rights of the data subject to the processing of personal data”.

Recently, the Italian Data Protection Authority (Autorità Garante) has returned to the issue of the use of biometric data in the context of managing employment relationships. “As things stand, current law does not allow the processing of employees’ biometric data for purposes of timekeeping”. This was reiterated by the IDPA in a ruling of 6 June 2024, in which it fined the employer, a dealership, EUR 120,000 for, among other things, unlawfully processing its employees’ biometric data.

The IDPA intervened following a complaint from an employee, who alleged:

  • the unlawful processing of personal data through a biometric system installed at the employer company’s two production units and
  • the use of management software with which each employee was required to record repair work performed on assigned vehicles, the time and manner in which the work was performed, and downtime with specific reasons.

With reference to the first ground of complaint, namely the processing of biometric data, the IDPA has again clarified that employers may not use biometric data. The current position is that there is no legal provision for the use of biometric data for attendance tracking, and at this point it should be remembered that even employee consent cannot be considered a suitable prerequisite for lawfulness. This is because of the asymmetry between the respective parties to the employment relationship.

On the other hand, with reference to the second ground of the complaint, the IDPA found that the company, through management software, had been collecting personal data related to the activities of employees for more than six years to prepare monthly reports to be sent to the parent company, containing aggregate data on the time spent by the workshops on the work performed. This activity had always been carried out without a proper legal basis and adequate disclosure, which, in the context of the employment relationship, are expressions of the principles of fairness and transparency.

It is worth mentioning that the latter activity could, among other things, involve indirect remote monitoring of workers’ activities, which, as such, would require compliance with the safeguards provided by Article 4 of the Italian Workers’ Charter, i.e., signing a union agreement or, failing that, obtaining authorisation from the National or Regional Labour Inspectorate.

Data has become the new oil and its role is likely to grow further as digital becomes more central to our lives. This has important implications for privacy, as Vittorio De Luca, founder of the law firm De Luca & Partners, points out. “The EU legislator has intervened significantly in this area over the last few years. However, at corporate level the position is divided into companies that have implemented and structured real internal compliance models and over time have managed to change the culture and sensitivity of all those who make up the organisation, while others continue to consider data protection as a company cost rather than an investment”, he points out.

Personal data protection legislation and employment law are now closely linked, not only with regard to the processing of human resources data. “Increasingly, we are assisting companies in how to correctly manage requests for access to documents and personal files that are – legitimately – submitted by employees as part of disciplinary proceedings against them”, he points out. “In addition to the consequences on the employment law front, a data subject (in this case, the worker) always has the right to make a report to the Italian Data Protection Authority”, explains Mr De Luca.

Continue reading the full version published in La Repubblica.

The Italian Data Protection Authority (‘IDPA’), with a Ruling of 7 March 2024 [announced in the Newsletter of 3 May 2024] upheld a complaint filed by a worker who had asked her former employer company for access to her personal file to find out what information could have given rise to a disciplinary sanction against her.

The company had not given an adequate response to the request and had only provided an incomplete list of the documentation collected, omitting information which formed the basis of the disciplinary sanction which was then imposed. The omitted information was only provided to the worker after the start of the IDPA’s investigation.

In its note of reply, the company claimed that it had not provided the worker with the above-mentioned documentation in order to protect its right of defence in court as well as the confidentiality of the third parties involved. The company also alleged that the complainant lacked standing to access the information, since it had been requested at a time when the disciplinary proceedings could no longer be challenged.

The IDPA reiterated that the right of access recognised by Regulation (EU) 2016/679 (‘GDPR’) is intended to allow the data subject to exercise control over his or her personal data and to verify its accuracy. Consequently, this right cannot be denied or limited depending on the purpose of the request. In fact, according to the provisions of the GDPR, data subjects are not asked to indicate a reason or a particular need to justify their requests to exercise their rights, nor can the data controller verify the reasons for the request.

Therefore, access to personal data cannot be denied because the data requested could be used by the data subject to defend himself or herself in court in the event of dismissal.

Case law has on several occasions reiterated that the right of access derives, in addition to the personal data protection legislation, from the ‘respect for the principles of good faith and fairness incumbent on the parties to the employment relationship under Articles 1175 and 1375 of the Italian Civil Code. This is confirmed by the fact that, for some time, the relevant sector’s collective bargaining agreement has provided that the employer must keep, in a special personal file, all the deeds and documents produced by the entity or by the employee himself or herself, which relate to his or her professional development, the activity performed and the most significant facts concerning him or her, and that the employee has the right to freely view the deeds and documents included in his or her personal file’ (Italian Court of Cassation, 7 April 2016, no. 6775).

Based on the points set out above, the IDPA imposed a fine of EUR 20,000.00 on the company.

◊◊◊◊

Summary of the right of access:

  • The right of access may be exercised by the data subject (i.e. the natural person to whom the data refer) or by his/her delegate.
  • The request can be submitted directly to the Data Controller (for example, the employer) or, if appointed, to the DPO.
  • Through an access request, the data subject may request access to his or her personal data and obtain the following information: the purposes of the processing, the categories of data, the recipients or categories of recipients to whom the data are or will be disclosed, the period for which the data will be stored or the criteria used to determine it, the origin of the data, and whether there is an automated decision-making process, including profiling or transfers of his or her data outside the European Union.
  • The request for access does not have to be justified by the applicant.
  • The right to access personal data must not adversely affect the rights and freedoms of others.
  • A response must be provided within 30 days (extendable by a further 30 days if the request is particularly complex which, in any case, must be justified).
