By judgment of 26 September 2023, no. 46188, the Italian Court of Cassation, Third Chamber, ruled on the components necessary for the offence referred to in Article 4 of Italian Law no. 300 of 1970 (the “Workers’ Charter”) stating that the installation of a video surveillance system without the authorisation required by law does not constitute an offence if there are no employees within the company premises and if the system does not imply effective monitoring of work activities.

The facts of the case

The Court of Messina held the owner of a commercial establishment to be criminally liable for the offence referred to in Article 4 of Italian Law no. 300 of 1970 , ordering it to pay a fine of EUR 3,000 for having installed a video surveillance system inside its business premises in the absence, in this case, of authorisation from the Territorial Labour Inspectorate (Ispettorato Territoriale del Lavoro, “ITL”).

The owner appealed against this decision to the Italian Court of Cassation, on the ground, among others, of the breach of Article 4 of the Workers’ Charter arguing that the Court of first instance had not provided information on two central aspects of the offence, namely (i) whether the system was used to record images and (ii) whether employees were employed at the owner’s company.

The applicant stated that the system installed was closed-circuit, did not involve any image recording, and that its company had no staff.

The Italian Court of Cassation’s decision

In ruling on the case, the Italian Court of Cassation took the opportunity to briefly summarise the rules and principles in force regarding video surveillance and remote monitoring of workers.

First, it pointed out that the presence of employees in the place filmed by the video surveillance systems is “an essential requirement for the offence in dispute”, since the provision referred to in Article 4, paragraph 1, of the Workers’ Charter is specifically aimed at regulating the employer’s use of audio-visual systems – and other tools which may also enable remote monitoring – “of workers’ activities”.

Secondly, the Italian Court of Cassation noted that there is no breach of the legislation if a system, although installed in the absence of an agreement with the legitimate trade union representatives or an authorisation from the ITL, “is strictly for the purpose of protection of the company’s assets”, provided that (i) “its use does not imply significant monitoring of the ordinary performance of employeeswork activities” or (ii) “necessarily remains “confidential” to enable the investigation of serious unlawful conduct”.

However, the decision of the court of first instance did not clarify whether the conditions referred to in paragraphs (i) and (ii) above were fulfilled in the present case. Consequently, an assessment of the merits of those conditions required the Court to set aside the judgment and refer the judgment under appeal back to the same Court sitting in a different composition.

Other related insights:

On 5 December last, the Data Protection Supervisory Authority (the “Authority”) developed FAQ (“Frequently Asked Questions”) on personal data processing carried out by public and private entities using video surveillance systems.

The Authority’s clarifications take account of what was introduced by Regulation (EU) 2016/679 on personal data protection (known as “GDPR”) and by the Guidelines adopted by the European Data Protection Board (“EDPB”) on the point.

The FAQ clarify, firstly, that (i) processing carried out using video surveillance systems must be performed in respect of the principle of minimisation, in relation to the choice of recording methods and the positioning of the system, and (ii) the data processed must be pertinent and not excessive with respect to the purposes pursued.

Based upon the principle of accountability, it is the duty of each Controller to carry out assessments of the lawfulness and proportionality of processing, considering the context and respective purposes, as well as the risk to the rights and freedoms of the data subjects.

In the Authority’s opinion, each Controller must assess if the requirements are in place to carry out a data protection impact assessment (“DPIA”) before commencing the processing.

In relation to the privacy notice to be provided to the data subjects, the FAQ specify that the simplified model (warning sign), developed by the EDPB and disseminated with its Guidelines, may be adopted. The sign must contain (i) contact details of the Controller and, where present, Data Protection Officer (DPO); (ii) storage period of information collected and (iii) purposes of processing carried out. The sign must be positioned before the surveilled area, so that the data subjects can see which area is covered by a video camera, and must refer to a complete privacy notice containing all information indicated in Article 13 of the GDPR, including indications on the methods of acknowledgement.

The Authority also reiterates that the recorded images should be erased after a few days (24/48 hours) and that the longer the storage period, the more detailed the analysis on the legitimacy of the purpose and the actual need for longer storage must be.

Finally, it is noted that video surveillance systems can only be installed in workplaces for organisational and production requirements, for workplace safety and protection of company property, in respect of the guarantees envisaged by Article 4 of Italian Law no. 300/1970.

◊◊◊◊

In conclusion, the FAQ, available on the Authority’s website (www.garanteprivacy.it), contain indications on the necessary requirements in order for personal data processing carried out using video surveillance systems to be lawful.

The FAQ supersede, albeit partially, the previous “Measure on video surveillance dated 8 April 2010”, adjusting the provisions contained therein to what was introduced by the GDPR and by the EDPB Guidelines.

Other insights related:

EDPB: Preliminary version of Guidelines 3/2019 on video surveillance