In the Official Gazette no. 246 of 14 October 2021, the Decree of the President of the Council of Ministers of 12 October 2021 (the “Prime Ministerial Decree” or the “Decree“) was published.

The Prime Ministerial Decree, supplementing and updating the first Decree of 17 June, sets out the verification methods carried out by public and private employers, from 15 October, on the Covid-19 “Green Pass” held by employees.

The Decree explains the new Green Pass verification functions, which complement the “VerificaC-19” app already used to access places where it is mandatory to exhibit the certificate.

In the private sector, daily and automated verification of Green Pass possession can take place through:

• SDK (Software Development Kit): an app development package that enables the integration of the Green Pass QR code reading and verification system into physical access control systems, including attendance or temperature detection systems. The SDK offers the same functionality as the “VerificaC19” app;
• INPS Portal: provided only for employers with more than 50 employees, it allows an asynchronous interaction between the INPS Institutional Portal and the DGC National Platform. The INPS Portal – using its channels and information on employers and workers – acts as an intermediary with the DGC National Platform checking the Green Pass for those workers whose tax codes are included in the list. A designated checker can view the certificate validity of all or part of the employees. Pending the issuance and possible updating of the Green Pass by the DGC National Platform, interested parties can still use the paper or digital documents issued by public and private health facilities, pharmacies, analysis laboratories, general practitioners and pediatricians who attest or report one of the conditions for its issuance.

The checks only concern the staff in service for whom access to the workplace is provided on the day on which the verification is carried out, excluding employees absent for different reasons (e.g. holidays, illness, leave) or are  remote working.

Checking must be started at the employer’s request and made available only to authorised personnel on the employer’s behalf.

If the check’s outcome does not result in possession of a valid Green Pass, the employee may request a new verification of their certificate when accessing the workplace through the “Verifica C-19” app.

Finally, the Decree provides important clarifications on personal data protection. It specifies that when carrying out checks, the employer

• shall not collect holder’s personal data;
• only process the data within the limits of what is relevant and for the operations necessary to carry out the checks;
• shall not store the certification two-dimensional bar code (QR Code), nor extract, consult, record or process for purposes other than those required, the information gathered from the QR code reading and provided because of the checks;
• shall inform the recipients of the checks about the processing of their personal data under Art. 13 and 14 of Regulation (EU) 2016/679.

Please note that the Data Protection Authority has expressed a favourable opinion on the new Prime Ministerial Decree’s guidelines, [web. doc. no. 9707431], confirming its compliance with personal data protection regulations.

Other related insights:

• Compulsory “Covid-19 Green pass” for employees
• DID YOU KNOW THAT… The Decree extending the Green Pass obligation to private employment has been published in the Official Gazette?

The Court of Venezia, in its ruling no. 494/2021, stated that a company that suffered a cyber-attack and was forced to pay a ransom to recover stolen data can fire an employee who has repeatedly surfed on unsafe sites for private purposes and put internal security at risk.

Facts of the case

The worker employed by a company operating as a shipping agency was dismissed for just cause, following a legitimate disciplinary procedure, for having improperly used a company personal computer.

The charges brought by the company against the employee were twofold:

1. having carried out activities outside of work during working hours, consulting personal e-mail, viewing photos and repeatedly and prolonged surfing on the internet on information websites, booking travel and shows and even on pornographic websites. This was in breach of Company Regulations, jeopardising the security of the computer system and taking time away from work (even on days when he had requested authorisation to work overtime);
2. having prepared and transmitted to third parties statements in the company’s name by misusing the company’s letterhead and stamp during working hours.

The employee challenged the company’s termination because it was retaliatory and discriminatory, with the sole aim of ousting him as a union representative (RSA) and therefore considered an “inconvenient employee.” The employee claimed that the misconduct was not attributable to him since the computer assigned to him did not have a password and any person could have accessed it.

The employer took legal action, rejecting the employee’s claims and emphasising the entirely causal nature of the discovery of the data since it emerged as a result of the necessary checks carried out following a hacking of its computer systems and the spread of the ransomware virus.

The Court’s decision

The Court of Venice – confirming the decision of the Judge in the summary stage of the proceedings – declared that there was just cause for termination and, consequently, the dismissal was lawful.

The Judge pointed out that the allegations against the employee had been acquired by the company under art. 4 of the Workers’ Statute. Under the above Article, the employer may legitimately acquire information from the company tools assigned to employees and use them for all purposes related to the employment relationship (including disciplinary purposes). This is on the condition that employees have been given adequate information on how to use such tools and control methods, under the Privacy Code. The company had adopted a Regulation on the use of the tools provided. Since its adoption, it had been posted on the notice board and published in a folder on the server accessible to all employees.

The Judge observed that even without considering the actual adoption of the regulation (which is the subject of censure by the employee), what mattered was the numerous and perpetual use for obvious (and not disputed) personal purposes of the computer, such that the disciplinary value of the facts existed.

Finally, the Judge rejected the employee’s complaint about the failure to place a personal password on the computer. According to the Judge, its improper use was undoubtedly attributable to the employee in question since he had: visited his account, booked trips in his name, used personal USB keys, visited social networks linked to him, etc.

In the Court’s opinion, the charges brought against the employee and legitimately acquired by the company became actual and were so severe as to justify his immediate dismissal.

In an internal letter of the director general sent by e-mail to the directors of the system’s local and sectoral associations, Confindustria expressed its favourable opinion on the Covid-19 green certificate (better known as green pass) to access workplaces.

According to the position taken by Confindustria, the presentation of the green certificate should be part of the obligations of diligence, fairness and good faith on which the employment relationship is based. Consequently, the employer, where possible, could assign the non-vaccinated worker to tasks other than those typically carried out and pay them accordingly. If this is impossible, the employer should be allowed not to admit the employee to work, with the suspension of pay if they are removed from the company.

Together with the safety protocol updated on 6 April and the protocol on vaccination in the workplace signed on the same date, such an initiative aims to protect workers’ health and safety and the production process. Among other things, the proposal would be justified given the serious concern about a possible third pandemic wave that could lead to a new work shutdown and the consequent need for yet another extension of the Covid-19 social safety nets.

However, legally, this has several critical issues.

First, as for individual rights, it is necessary to consider Article 32 of the Constitution on the “right to health”, which represents a kaleidoscope of multiple forms of health protection.  The article in question firstly states that “the Republic shall protect health as a fundamental right of the individual and in the interest of the community”, and then specifies that “no one may be obliged to undergo a given medical treatment except by provision of law”.

This constitutional provision protects health as a fundamental right of the individual and as an interest of the community. It allows the imposition of medical treatment if intended, as specified by the Constitutional Court, “to preserve the state of health of the person subject to it, and the state of health of others” (see ruling no. 5/2018 of the Constitutional Court).

Continue reading the full version published in Guida al Lavoro of Il Sole 24 Ore.

Vittorio De Luca of De Luca & Partners said the Confindustria proposal to allow employers to require the green pass to access workplaces and carry out related activities was “appropriate” to open the health passport debate on the protection of workers’ health and production. However, it will have to overcome some significant critical issues. “How is it possible that the employer cannot ask employees if they have been vaccinated when instead we show the vaccination passport to go even to the restaurant or the airport?”

Legally, the Data Protection Authority, has expressed a negative opinion on the possibility of employers asking their employees to provide information on their vaccination status or copies of documents certifying vaccination.

De Luca continued: “There is then a problem of limitation of constitutional personal freedoms and rights such as health and work. Health is protected as a fundamental right of the individual and as an interest of the community. Work must be “actual” (art. 4, paragraph 1, of the Constitution) and it is inconceivable that it is reserved only for workers who have been vaccinated.

Unless there is a legal provision, which at the moment I think can hardly be approved.

Even the solution of changing the temporary assignment to different tasks or remote working has limited practical use.

Think of a worker who is unlikely to work remotely or be assigned to different tasks that do not require access to company premises. Even if we do not consider the critical aspects mentioned above, we cannot overlook that such an initiative could indirectly entail the imposition of a medical treatment, which is hardly compatible with the principle of art. 32 of the Constitution, according to which health treatments (such as vaccination) can only be made compulsory by law.”

That said, in the face of the various critical issues, “a decisive legislative measure that can balance the various constitutional rights with the principle of reasonableness, is desirable.”

Source: Norme & Tributi Plus Diritto de Il Sole 24 ore

Sundar Pichai, CEO of Google, has recently announced that the company intends to permanently integrate remote working into its working practices,  albeit with a hybrid approach, e.g. three days in the office and two days remotely.

These statements highlight the growing interest in remote working, a system that many companies were forced to try out for the first time during the lockdown and which has now become a real revolution. In many cases, it has become a structural choice due to its undoubted advantages, from a better work-life balance to reducing the stress of travelling to work.

A NEW NORMALITY

At present, according to INAPP (National Institute for Public Policy Analysis) data, 54% of employees in large companies work wholly or partly on a remote basis; furthermore, according to an analysis conducted by the Milan Polytechnic Observatory and Randstad Research, remote working may involve 3 to 5 million workers in the coming months. The path should be the one traced by the CEO of Google: according to a recent study by Fondirigenti, people will prefer to split the week in two or to alternate days in the office and remote work, so as not to sacrifice social relations and physical interaction with their colleagues. According to Vittorio De Luca, managing partner of the De Luca & Partners law firm, specialised in labour law and GDPR (General Data Protection Regulation), “in the near future, remoteworking policies will become more and more a rule and no longer just an exception”. remoteworking policies have also been promoted by the law: the Riaperture Decree has extended until 31 July the possibility for employers to use this instrument with a unilateral act, i.e. without having to sign an individual agreement. This deadline should be extended until 31 December also for the private sector, thus aligning it with what is already in place for the public administration. “However,” De Luca points out, “at the end of the emergency period it will be appropriate and necessary to regulate the relationship between the parties involved, i.e. employers on the one hand and workers (remote workers) on the other hand.”

THE PROBLEMS TO BE SOLVED

Remote working was first introduced in the Italian system by Law 81/2017. Remote working, says De Luca, is defined in the law “as a new and flexible way of organising employment, with no exact definition of the place and time of work, providing that the activity can take place partly inside the company’s premises and partly outside, without a fixed location, though in compliance with the limits on maximum daily and weekly working time established by law and by the applicable national collective agreement. In order for this to happen”, he adds, “an agreement, strictly in writing (for the purposes of proof and administrative regularity), must be entered into by the company and the worker”. And it is precisely the release from spatial and temporal limits, notes the expert, “which, if not regulated in advance, might have negative consequences for both the employee and the employer, from both a professional/work and a social/personal point of view”.

“Indeed, remote working has made the time profile of the service not essential, placing the objectives and performances of the resources concerned at the centre”, explains De Luca. So that “it is of primary importance for employers to be able to check and assess the results of remote workers”, whilst also determining “the forms of exercise of the employer’s power, paying attention to the manner, purpose and content of the same”. There follows the need, he concludes, to “introduce agreements, accompanied by internal procedures and regulations, which govern these aspects, also instructing the worker on the use of work equipment and on company security and personal data protection”.