For proper whistleblowing management, it is essential to pay due attention to the protection of the personal data processed.

Striking the necessary balance between the whistleblower’s need for confidentiality, the need to ascertain the wrongdoing and the accused person’s right to defence and cross-examination depends to a large extent on adopting appropriate measures to ensure the protection and security of the personal information processed.

Vittorio De Luca, Managing Partner of Studio De Luca & Partners commented: “The recent measure adopted by the Data Protection Authority is only the latest of the measures adopted on the subject which, as the Authority pointed out, is part of a broader inspection plan dedicated to verifying the utmost respect for the protection of personal data during the management of unlawful conduct reports. Without prejudice to this, proper management of the “whistleblowing system” is part of an effective corporate compliance strategy. Implementing organisation, management and control systems built based on the results of a preliminary risk analysis makes it possible to reduce the risk of offences being committed and the risk of incurring the heavy penalties provided for by applicable legislation. It is necessary to adopt corporate procedures and appropriate technical and organisational measures for the protection and security of the information of those involved without neglecting the importance of awareness-raising and training users of these systems and those in charge of managing and verifying the reports made. Reaching a high level of awareness and culture among corporates must be one of the first objectives to be achieved.”

In the last few days, Italian online services and sites, including the websites of the Senate and the Ministry of Defence, have suffered a cyber-attack from a group of Russian cybercriminals. Vittorio De Luca, from Studio De Luca & Partners said:

“Cyber-attacks are a daily occurrence and no one can consider themselves safe. Attacks on institutions cause a stir, but for years hundreds of companies suffered daily attacks from cybercriminals. These attacks have a considerable impact on productivity and lead to data theft, service disruption and image damage. Robust cyber security is essential to protect a company’s knowledge assets and ensure business continuity. GDPR requires small and large companies to conduct a survey of their cyber risk exposure and the impact they could have on their business. An “incident” response plan must be prepared, security policies and measures to protect the IT system must be adopted. There must be periodic audits. It is essential to raise employee awareness on cyber security through training sessions, so that they can recognise and deal with the various threats. Protection from cyber-attacks takes place in two phases – prevention and protection. If there is a successful attack, companies must inform the data protection authority, and initiate a data breach procedure within 72 hours of becoming aware of the violation.”

In the Official Gazette no. 246 of 14 October 2021, the Decree of the President of the Council of Ministers of 12 October 2021 (the “Prime Ministerial Decree” or the “Decree”) was published.

The Prime Ministerial Decree, supplementing and updating the first Decree of 17 June, sets out the verification methods carried out by public and private employers, from 15 October, on the Covid-19 “Green Pass” held by employees.

The Decree describes the new Green Pass verification functions, which complement the “VerificaC19” app already used to access places where it is mandatory to exhibit the certificate.

In the private sector, daily and automated verification of Green Pass possession can take place through:

  • SDK (Software Development Kit): an app development package that enables the integration of the Green Pass QR code reading and verification system into physical access control systems, including attendance or temperature detection systems. The SDK offers the same functionality as the “VerificaC19” app;
  • INPS Portal: provided only for employers with more than 50 employees, it allows an asynchronous interaction between the INPS Institutional Portal and the DGC National Platform. The INPS Portal – using its channels and information on employers and workers – acts as an intermediary with the DGC National Platform checking the Green Pass for those workers whose tax codes are included in the list. A designated checker can view the certificate validity of all or part of the employees. Pending the issuance and possible updating of the Green Pass by the DGC National Platform, interested parties can still use the paper or digital documents issued by public and private health facilities, pharmacies, analysis laboratories, general practitioners and pediatricians who attest or report one of the conditions for its issuance.

The checks only concern the staff in service for whom access to the workplace is scheduled on the day on which the verification is carried out, excluding employees who are absent for other reasons (e.g. holidays, illness, leave) or who are working remotely.

Checking must be started at the employer’s request and made available only to authorised personnel on the employer’s behalf.

If the check does not confirm possession of a valid Green Pass, the employee may request a new verification of their certificate when accessing the workplace through the “VerificaC19” app.

Finally, the Decree provides important clarifications on personal data protection. It specifies that when carrying out checks, the employer

  • shall not collect the holder’s personal data;
  • shall only process the data within the limits of what is relevant and for the operations necessary to carry out the checks;
  • shall not store the certificate’s two-dimensional bar code (QR code), nor extract, consult, record or process for purposes other than those required the information gathered from reading the QR code and obtained as a result of the checks;
  • shall inform the persons subject to the checks about the processing of their personal data under Articles 13 and 14 of Regulation (EU) 2016/679.

Please note that the Data Protection Authority has expressed a favourable opinion on the new Prime Ministerial Decree’s guidelines, [web. doc. no. 9707431], confirming its compliance with personal data protection regulations.


The Court of Venice, in its ruling no. 494/2021, stated that a company that suffered a cyber-attack and was forced to pay a ransom to recover stolen data can dismiss an employee who repeatedly browsed unsafe websites for private purposes and put internal security at risk.

Facts of the case

The worker employed by a company operating as a shipping agency was dismissed for just cause, following a legitimate disciplinary procedure, for having improperly used a company personal computer.

The charges brought by the company against the employee were twofold:

  1. having carried out non-work activities during working hours: consulting personal e-mail, viewing photos, and repeated and prolonged browsing of news websites, travel and show booking sites and even pornographic websites. This was in breach of the Company Regulations, jeopardised the security of the computer system and took time away from work (even on days when he had requested authorisation to work overtime);
  2. having prepared and transmitted to third parties statements in the company’s name by misusing the company’s letterhead and stamp during working hours.

The employee challenged the dismissal, arguing that it was retaliatory and discriminatory, with the sole aim of ousting him as a union representative (RSA) and therefore as an “inconvenient employee”. The employee also claimed that the misconduct could not be attributed to him since the computer assigned to him had no password and anyone could have accessed it.

The employer appeared in the proceedings to contest the employee’s claims, emphasising the entirely incidental nature of the discovery of the data: it had emerged as a result of the checks that became necessary after the hacking of its computer systems and the spread of the ransomware.

The Court’s decision

The Court of Venice – confirming the decision of the Judge in the summary stage of the proceedings – declared that there was just cause for termination and, consequently, the dismissal was lawful.

The Judge pointed out that the allegations against the employee had been acquired by the company under art. 4 of the Workers’ Statute. Under the above Article, the employer may legitimately acquire information from the company tools assigned to employees and use them for all purposes related to the employment relationship (including disciplinary purposes). This is on the condition that employees have been given adequate information on how to use such tools and control methods, under the Privacy Code. The company had adopted a Regulation on the use of the tools provided. Since its adoption, it had been posted on the notice board and published in a folder on the server accessible to all employees.

The Judge observed that, even leaving aside the question of whether the regulation had actually been adopted (which the employee disputed), what mattered was the repeated and continuous use of the computer for obvious (and undisputed) personal purposes, which was sufficient to give the facts disciplinary relevance.

Finally, the Judge rejected the employee’s objection that no personal password had been set on the computer. According to the Judge, its improper use was undoubtedly attributable to the employee in question, since he had accessed his own accounts, booked trips in his name, used personal USB keys, visited social networks linked to him, etc.

In the Court’s opinion, the charges brought against the employee, and legitimately acquired by the company, were established and were so severe as to justify his immediate dismissal.

In an internal letter of the director general sent by e-mail to the directors of the system’s local and sectoral associations, Confindustria expressed its favourable opinion on the Covid-19 green certificate (better known as green pass) to access workplaces.

According to the position taken by Confindustria, the presentation of the green certificate should be part of the obligations of diligence, fairness and good faith on which the employment relationship is based. Consequently, the employer, where possible, could assign the non-vaccinated worker to tasks other than those typically carried out and pay them accordingly. If this is impossible, the employer should be allowed not to admit the employee to work, with the suspension of pay if they are removed from the company.

Together with the safety protocol updated on 6 April and the protocol on vaccination in the workplace signed on the same date, such an initiative aims to protect workers’ health and safety and the production process. Among other things, the proposal would be justified given the serious concern about a possible third pandemic wave that could lead to a new work shutdown and the consequent need for yet another extension of the Covid-19 social safety nets.

However, legally, this has several critical issues.

First, as for individual rights, it is necessary to consider Article 32 of the Constitution on the “right to health”, which represents a kaleidoscope of multiple forms of health protection. The article in question firstly states that “the Republic shall protect health as a fundamental right of the individual and in the interest of the community”, and then specifies that “no one may be obliged to undergo a given medical treatment except by provision of law”.

This constitutional provision protects health as a fundamental right of the individual and as an interest of the community. It allows the imposition of medical treatment if intended, as specified by the Constitutional Court, “to preserve the state of health of the person subject to it, and the state of health of others” (see ruling no. 5/2018 of the Constitutional Court).

Continue reading the full version published in Guida al Lavoro of Il Sole 24 Ore.