An order of the Court of Cassation recognises that an employer may use security camera footage for disciplinary purposes

Employers may use security camera footage for disciplinary purposes. This has been confirmed by the Court of Cassation in Order of 23 March 2023, No 8375.

Remote control of workers’ activities

As is now well known, Article 4 of the Italian Workers’ Charter states that audio-visual equipment – or in any case instruments which may enable remote control of workers’ activities (which also includes video surveillance systems) – may be used by the employer exclusively for the following purposes:

  • organisational and production needs,
  • safety at work,
  • the protection of company assets.

These instruments may be installed subject to a collective agreement with the trade unions and in any case may not be installed to monitor the employees’ work.

Use of video footage for disciplinary purposes

If the objective of Article 4 of the Workers’ Charter is to protect the worker from remote monitoring of his or her work performance, why has the Court of Cassation held that recordings can be used as the basis for a disciplinary complaint?

Continue reading the full version published in Wired

Human error is the data controller’s responsibility

The Italian Data Protection Authority (“Garante”), in its 28 April 2022 injunction, imposed a € 50,000 fine on the National Institute for Insurance against Accidents at Work (“INAIL” or the “Institute”) after three computer incidents. These incidents allowed users to access data relating to others.

INAIL, in its capacity as data controller, had notified the Data Protection Authority under art. 33 of the EU Regulation on personal data protection (the “Regulation”) of three personal data breaches that occurred between 2019 and 2020. These breaches concerned the online service “Sportello Virtuale Lavoratori” (Virtual Workers’ Desk), which allows employees who have suffered an accident or are victims of occupational illnesses to view the progress of their files and the measures issued by the Institute. The investigation initiated by the Data Protection Authority revealed that the “Sportello Virtuale Lavoratori” allowed some workers to accidentally consult the files of other workers and view personal information (e.g. first name, surname) and data relating to their health status (“sensitive data”). It was verified that one of the three reported violations was caused by a “human error” which, as stated in the order, “is the data controller’s responsibility.”

Continue reading the full version published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.

For proper whistleblowing management, it is essential to pay due attention to the protection of the personal data processed.

In striking the necessary balance between the whistleblower’s need for confidentiality, the need to ascertain the wrongdoing and the whistleblower’s right to defence and cross-examination, the adoption of appropriate measures to ensure the protection and security of personal information is a key factor.

Vittorio De Luca, Managing Partner of Studio De Luca & Partners, commented: “The recent measure adopted by the Data Protection Authority is only the latest of the measures adopted on the subject which, as the Authority pointed out, is part of a broader inspection plan dedicated to verifying the utmost respect for the protection of personal data during the management of unlawful conduct reports. Without prejudice to this, proper management of the ‘whistleblowing system’ is part of an effective corporate compliance strategy. Implementing organisation, management and control systems built based on the results of a preliminary risk analysis makes it possible to reduce the risk of offences being committed and the risk of incurring the heavy penalties provided for by applicable legislation. It is necessary to adopt corporate procedures and appropriate technical and organisational measures for the protection and security of the information of those involved, without neglecting the importance of awareness-raising and training of users of these systems and of those in charge of managing and verifying the reports made. Reaching a high level of awareness and culture among corporates must be one of the first objectives to be achieved.”

In the last few days, Italian online services and sites, including the websites of the Senate and the Ministry of Defence, have suffered a cyber-attack from a group of Russian cybercriminals. Vittorio De Luca, from Studio De Luca & Partners, said:

“Cyber-attacks are a daily occurrence and no one can consider themselves safe. Attacks on institutions cause a stir, but for years hundreds of companies have suffered daily attacks from cybercriminals. These attacks have a considerable impact on productivity and lead to data theft, service disruption and image damage. Robust cyber security is essential to protect a company’s knowledge assets and ensure business continuity. GDPR requires small and large companies to conduct a survey of their cyber risk exposure and the impact it could have on their business. An ‘incident’ response plan must be prepared, and security policies and measures to protect the IT system must be adopted. There must be periodic audits. It is essential to raise employee awareness of cyber security through training sessions, so that they can recognise and deal with the various threats. Protection from cyber-attacks takes place in two phases – prevention and protection. If there is a successful attack, companies must inform the data protection authority and initiate a data breach procedure within 72 hours of becoming aware of the violation.”

In the Official Gazette no. 246 of 14 October 2021, the Decree of the President of the Council of Ministers of 12 October 2021 (the “Prime Ministerial Decree” or the “Decree”) was published.

The Prime Ministerial Decree, supplementing and updating the first Decree of 17 June, sets out the methods by which public and private employers verify, from 15 October, the Covid-19 “Green Pass” held by employees.

The Decree explains the new Green Pass verification functions, which complement the “VerificaC19” app already used to access places where it is mandatory to exhibit the certificate.

In the private sector, daily and automated verification of Green Pass possession can take place through:

  • SDK (Software Development Kit): an app development package that enables the integration of the Green Pass QR code reading and verification system into physical access control systems, including attendance or temperature detection systems. The SDK offers the same functionality as the “VerificaC19” app;
  • INPS Portal: provided only for employers with more than 50 employees, it allows an asynchronous interaction between the INPS Institutional Portal and the DGC National Platform. The INPS Portal – using its channels and information on employers and workers – acts as an intermediary with the DGC National Platform, checking the Green Pass of the workers whose tax codes are included in the list. A designated checker can view the certificate validity of all or part of the employees. Pending the issuance and possible updating of the Green Pass by the DGC National Platform, interested parties can still use the paper or digital documents issued by public and private health facilities, pharmacies, analysis laboratories, general practitioners and paediatricians which attest or report one of the conditions for its issuance.

The checks only concern the staff in service for whom access to the workplace is scheduled on the day on which the verification is carried out, excluding employees who are absent for other reasons (e.g. holidays, illness, leave) or who are working remotely.

Checks must be initiated at the employer’s request and made available only to personnel authorised to act on the employer’s behalf.

If the check does not confirm possession of a valid Green Pass, the employee may request a new verification of their certificate when accessing the workplace through the “VerificaC19” app.

Finally, the Decree provides important clarifications on personal data protection. It specifies that, when carrying out checks, the employer

  • shall not collect the holder’s personal data;
  • shall only process the data within the limits of what is relevant and for the operations necessary to carry out the checks;
  • shall not store the certification’s two-dimensional bar code (QR Code), nor extract, consult, record or process for purposes other than those required the information gathered from the QR code reading and provided as a result of the checks;
  • shall inform the recipients of the checks about the processing of their personal data under Art. 13 and 14 of Regulation (EU) 2016/679.

Please note that the Data Protection Authority has expressed a favourable opinion on the new Prime Ministerial Decree’s guidelines [web. doc. no. 9707431], confirming their compliance with personal data protection regulations.