With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.
The document was issued following investigations carried out by the Italian DPA, during which it emerged that computer programs and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of employees’ e-mail accounts and retain it for an extended period of time. “Metadata” means information such as, for example, the day, time, sender, recipient, subject and size of the e-mail.
To ensure compliance with data protection legislation and with the sector rules on remote monitoring of workers, which, as is well known, are governed by Article 4 of Italian Law no. 300/1970 (the “Workers’ Charter”), employers must:
In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.
In the absence of such an agreement or authorisation, the processing is treated as remote monitoring of workers’ activities, which may also have criminal consequences, in addition to a breach of personal data protection legislation with the following consequences: (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of storage limitation, and (iii) the breach of the principles of data protection by design and by default as well as of the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used.
Italian Legislative Decree no. 24/2023, which implements Directive (EU) 2019/1937 and introduces the new legal framework on whistleblowing, has come into effect. Whistleblowing rules have already been in force for some years in companies required to adopt organisational models under Italian Legislative Decree no. 231/2001 (the “231 Models”); detailed and specific provisions on procedure and sanctions now apply to all companies.
The term “whistleblowing” refers to the activity of reporting breaches of national or EU regulatory provisions of which workers have become aware in the context of their work. For companies with more than 250 employees, the obligation to adopt adequate reporting systems has been in force since 15 July 2023, while for small and medium-sized enterprises the obligation came into force on 17 December 2023.
Conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity and that consist of breaches attributable to the specific cases listed in the decree must be reported.
A person who believes that the conditions for a report are met may use the following channels: (i) internal reporting; (ii) external reporting, where the internal reporting channel is not mandatory, where an internal report has already been made without follow-up, where the whistleblower has reasonable grounds to believe that an internal report would not be followed up or would expose them to a risk of retaliation, or where the whistleblower has reasonable grounds to believe that the breach constitutes a danger to the public interest; (iii) public disclosure, where the whistleblower has already made an internal and/or external report without receiving feedback, where there are reasonable grounds to believe that the breach may constitute a danger to the public interest, or where there are reasonable grounds to believe that an external report would involve a risk of retaliation or would be ineffective; (iv) a complaint to the judicial authority, at any stage.
Internal channels must ensure the confidentiality of the reporting person, the content of the report, the facilitator and the person concerned. When establishing internal reporting channels, it is necessary to use suitable tools to receive reports both orally and in writing, as the whistleblower is guaranteed both methods.
In this regard, the Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione, ‘ANAC’), with resolution no. 311 of 12 July 2023, considered that ordinary e-mail and certified e-mail (PEC) do not guarantee confidentiality, and therefore required the use of online platforms. As far as paper reports are concerned, the ANAC requires that the report be placed in two sealed envelopes (one containing the identification data and the other the report itself), and that both envelopes then be inserted in a third sealed envelope marked “confidential” on the outside and addressed to the person managing reports.
To implement the new regulatory obligation, companies must identify the channel in an organisation specific document; inform trade union representatives; make clear information available to the reporting person about the channel, procedures and conditions for making internal or external reports (e.g. via the website or platform page); guarantee the training of those who are entrusted with the management of the reporting channel and of all internal staff; adapt the 231 organisational model (if adopted) and put in place all the measures required under the regulations on the protection of personal data and the processing carried out to comply with it. Finally, companies will have to adopt a sanctioning system in the event of breach of the decree provisions.
In conclusion, under the regulatory framework that arises from Italian Legislative Decree no. 24/2023, companies and operators must pay great attention to the preparation of policies and organisational and management tools necessary for the implementation of legal obligations to ensure the protection and enhancement of each organisation’s ethical principles.
By judgment of 26 September 2023, no. 46188, the Italian Court of Cassation, Third Chamber, ruled on the components necessary for the offence referred to in Article 4 of Italian Law no. 300 of 1970 (the “Workers’ Charter”) stating that the installation of a video surveillance system without the authorisation required by law does not constitute an offence if there are no employees within the company premises and if the system does not imply effective monitoring of work activities.
The Court of Messina had held the owner of a commercial establishment criminally liable for the offence referred to in Article 4 of Italian Law no. 300 of 1970, ordering the owner to pay a fine of EUR 3,000 for having installed a video surveillance system inside the business premises without, in this case, authorisation from the Territorial Labour Inspectorate (Ispettorato Territoriale del Lavoro, “ITL”).
The owner appealed against this decision to the Italian Court of Cassation, on the ground, among others, of the breach of Article 4 of the Workers’ Charter arguing that the Court of first instance had not provided information on two central aspects of the offence, namely (i) whether the system was used to record images and (ii) whether employees were employed at the owner’s company.
The applicant stated that the system installed was closed-circuit, did not involve any image recording, and that its company had no staff.
In ruling on the case, the Italian Court of Cassation took the opportunity to briefly summarise the rules and principles in force regarding video surveillance and remote monitoring of workers.
First, it pointed out that the presence of employees in the place filmed by the video surveillance systems is “an essential requirement for the offence in dispute”, since the provision referred to in Article 4, paragraph 1, of the Workers’ Charter is specifically aimed at regulating the employer’s use of audio-visual systems – and other tools which may also enable remote monitoring – “of workers’ activities”.
Secondly, the Italian Court of Cassation noted that there is no breach of the legislation if a system, although installed in the absence of an agreement with the legitimate trade union representatives or an authorisation from the ITL, “is strictly for the purpose of protection of the company’s assets”, provided that (i) “its use does not imply significant monitoring of the ordinary performance of employees’ work activities” or (ii) it “necessarily remains ‘confidential’ to enable the investigation of serious unlawful conduct”.
However, the decision of the court of first instance did not clarify whether the conditions referred to in points (i) and (ii) above were fulfilled in the present case. Since those conditions require an assessment of the merits, the Court of Cassation set aside the judgment under appeal and referred the case back to the Court of Messina, sitting in a different composition.
Vittorio De Luca took part in the conference promoted by RSM Studio tributario e societario entitled: “The new whistleblowing law: small step forward or breakthrough?”.
In the course of his speech, Vittorio addressed the employment law aspects of the whistleblowing regulations: in particular, he examined the measures put in place to protect those who report unlawful acts that have come to their knowledge in the work context (so-called whistleblowers) by Italian Legislative Decree no. 24/2023, as well as the burdens and obligations imposed on companies to comply with the regulations in force and to be able to handle any reports received in the best possible way.
In particular, the following topics were addressed:
On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework ensuring that the United States of America guarantees an adequate level of protection of personal data comparable to that of the European Union.
The adequacy decision is one of the tools provided for by Regulation (EU) 2016/679 (the ‘Regulation’) to transfer personal data from the European Union to third countries that, upon prior assessment by the European Commission, offer ‘an adequate level of protection’, i.e. a level of protection of personal data equivalent to that guaranteed within the EU.
The consequence is that personal data can be transferred to certified recipients in the United States without additional safeguards or authorisations, and such transfers can be managed in the same way as data transmissions that take place within Europe.
What does the new EU-US Data Privacy Framework entail?
The EU-US Data Privacy Framework is structured around a self-certification mechanism whereby US companies undertake to comply with a number of personal data protection obligations, including, but not limited to, compliance with the principles of purpose limitation, data minimisation and retention, as well as specific obligations regarding data security and data sharing with third parties.
The organisations’ undertakings will be renewed on an annual basis and are subject to checks and monitoring by the U.S. Department of Commerce, which will process certification applications and periodically verify compliance with the requirements by participating companies.
European citizens will benefit from several independent and impartial remedies in the event that their data is processed in a non-compliant manner, including the newly established Data Protection Review Court (DPRC).
US law will provide a number of safeguards, including limiting access to personal data by public authorities to what is necessary and proportionate to protect national security or to enforce criminal law.
In any case, the Data Privacy Framework will be subject to periodic revisions by the European Commission together with representatives of the European data protection authorities and the competent US authorities. The first review will take place within one year of the entry into force of the adequacy decision.
The other instruments provided for by the Regulation
It is worth remembering that in addition to the adequacy decision, the Regulation also provides for other tools to ensure the correct transfer of data outside the European Union, including:
As most recently pointed out in the information note of the European Data Protection Board (EDPB) of 18 July 2023, all the protections provided by the US government in the field of national security apply to all transfers of personal data made to companies in the United States, regardless of the transfer mechanisms used. Therefore, these guarantees also serve to facilitate the use of the other instruments provided for by the Regulation.