With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.
The document was issued following investigations carried out by the Italian DPA, during which it emerged that computer programs and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of the e-mail accounts assigned to employees, and retain that metadata for an extended period of time. “Metadata” means information such as the day, time, sender, recipient, subject and size of an e-mail.
To ensure compliance with data protection legislation as well as with the sector regulations on remote control (governed, as is well known, by Article 4 of Italian Law no. 300/1970, the “Workers’ Charter”), employers must:
In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.
In the absence of this, the retention is considered to constitute remote control of workers’ activities, which may also have criminal consequences, in addition to a breach of the personal data protection legislation with the following consequences: (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of storage limitation, and (iii) breach of the principles of data protection by design and by default as well as of the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used.
Websites that use Google Analytics (GA) without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation”) violate data protection legislation because they transfer user data to the United States, which lacks adequate protection. The Data Protection Authority (“Garante”) made its ruling with a 9 June 2022 measure, adopted after a preliminary investigation initiated based on several complaints, in coordination with other European Privacy Authorities, and published the following 23 June.
GA is a web tool provided by Google to website operators that allows them to analyse detailed statistics on users to optimise the services offered and monitor marketing campaigns.
The Authority assessed the processing carried out using this tool and showed that website operators (such as the sanctioned company) use cookies transmitted to the user’s browser to collect information on how users interact with the website, its individual pages, and the services offered. The data collected consists of: unique online identifiers that allow the identification of the user’s browser or device while visiting the website, and of the website operator (through the Google Account ID); address, website name and navigation data; the IP address of the user’s device; and information on the browser, operating system, screen resolution, language selected, and date and time of the website visit.
This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.
The Data Protection Authority stated that the IP address is personal data to all intents and purposes as it enables the identification of an electronic communication device, thus indirectly making the data subject identifiable as a user. This data, even if truncated, is not anonymous, given Google’s ability to associate it with other data in its possession, allowing the user re-identification.
For these reasons, the Data Protection Authority adopted the first of a series of measures with which it cautioned the company that managed the website under investigation, ordering it to comply with the Regulation within 90 days. The Data Protection Authority considered the deadline appropriate to allow the website to adopt the required transfer measures, under penalty of suspension of the data flow to the United States carried out using GA.
At the end of the 90 days, the Data Protection Authority will conduct inspections to verify compliance with the Regulation of the transfers carried out by data controllers.
◊◊◊◊
While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees an international transfer with protections equivalent to what is required in Europe, website operators must comply with applicable legislation. This includes relying on European providers that process users’ personal data within the EU.
Following a report by a group of worker-members of a cooperative, the Data Protection Authority (“Garante”) established the unlawfulness of certain processing operations carried out through the publication of information on the assessment of their work, on the company notice board.
As part of a “contest with prizes for worker-members, entitled ‘Guardiamoci in faccia…soci!’ (Let’s look at each other…members!) to incentivise the most deserving members and […] discouraging inefficiencies”, the cooperative used to share the recipients’ assessment on a weekly basis using emoticons accompanied by summary evaluations (such as “absenteeism” or “sickness simulation”) placed next to the image and name of each employee. This information was visible not only to the worker concerned but to anyone who accessed the premises where the company notice board was placed, including external persons occasionally present on the premises. The contest also provided a cash reward for the first three winners.
Inspections carried out by the Data Protection authority established the processing illegitimacy for violation of the fundamental principles of lawfulness, correctness, transparency and data minimisation. The Authority confirmed that the employer may lawfully process the information necessary and pertinent to the management of the employment relationship – including the data necessary to carry out an assessment of the work performance or exercise disciplinary power (in the manner and within the limits provided for by the sector’s regulations). However, the authority noted that the systematic provision of such information by posting it on the notice board allowed the processing of data to persons (such as other colleagues or third parties) who are not entitled to know information on disciplinary assessments and remarks.
In addition, the Authority confirmed that the collection of consent, in circumstances such as this case, cannot be considered a legal basis legitimising the processing of personal data. This is because the imbalance between the parties to the employment relationship means that consent cannot be presumed to have been given expressly, freely and specifically with reference to an identified processing. The consent given at the time of the approval of the members’ resolution, as claimed by the company, is “functionally different” from consent to the processing carried out by the company for the assessment of the members’ actions.
For these reasons, the Authority confirmed that “[…] continuously submitting the assessments on the quality of the work carried out or on the performance correctness to the observation of colleagues, even if it is part of a public competition” infringes the workers’ personal dignity, freedom and privacy.
◊◊◊◊
The company appealed against the Authority’s decision, first to the local court and then to the Court of Cassation. In ruling no. 17911/2022, published on 1 June, the Court of Cassation rejected the appeal, confirming the Data Protection Authority’s arguments, and upheld the principle according to which “the processing legitimacy presupposes a valid consent given expressly, freely and specifically, with reference to a clearly identified processing operation; this general principle is relevant and prevails in every relationship.”
On 7 April 2022, in an injunction order issued against a hospital, the Italian Data Protection Authority (“Garante”) found that the data processing carried out as part of the management of its whistleblowing system was unlawful.
The Authority also sanctioned the IT company which, acting as data processor, managed the service for reporting alleged corrupt activities or unlawful conduct within the entity.
The Authority noted that under Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), the hospital in its capacity as Data Controller, failed to provide specific and prior information about personal data processing carried out following a report. This was in violation of the principle of “lawfulness, fairness and transparency”, which imposes on the data controller the obligation to provide data subjects specific information about the data processing in advance, by taking “appropriate measures” to reach recipients.
It emerged that the health authority failed (i) to record the processing operations carried out in the Register of Processing Activities under Art. 30 of the GDPR and (ii) to carry out a preliminary data protection impact assessment.
The Authority stated that the processing of personal data using systems for acquiring and managing reports has risks for the rights and freedoms of the data subjects due to “the sensitivity of processed information, the “vulnerability” of the data subjects in the workplace, and the confidentiality regime of the whistleblower’s identity under the sector’s legislation.”
The Authority fined the hospital and the IT Company € 40,000 and gave the hospital a further 30 days to make its relationship with its supplier compliant with the relevant legislation.
◊◊◊◊
As specified in the communiqué shared by the Data Protection Authority, the investigation carried out, in this case, was part of “a series of inspections on the processing methods of data acquired through whistleblowing systems, particularly those most used in Italy by employers.”
On 14 May, the Italian Data Protection Authority published a document on the role of the Company Physician in the implementation of vaccination plans for the activation of extraordinary anti-Covid-19 vaccination points, as provided for by the National Protocol signed on 6 April 2021.
In this document, the Data Protection Authority clarifies that the tasks assigned to the Company Physician take on the function of “general prevention measures” to be implemented in compliance with safety at work regulations, personal data protection principles, safety protocols and updated instructions from the Ministry of Health.
The Company Physician must constantly cooperate with the employer and the health prevention and protection service in the:
Considering the ongoing emergency, the Company Physician should continue and intensify health monitoring by providing further medical examinations, for example, when employees return to work after the suspension of production activities, or if there is a gradual return of resources “to work premises.”
Recalling what has already been expressly clarified in the FAQ (“Frequently Asked Questions”) of 17 February, the Data Protection Authority reiterates that the employer must ensure that employees “are not assigned a work task without an assessment of suitability” considering “their skills and conditions concerning their health and safety” (art. 18, paragraph 1, letter c), Legislative Decree no. 81/2008). As part of their health monitoring activities, the Company Physician is the only person entitled to process workers’ health data and check their suitability for the “specific task” (Articles 25, 39, paragraph 5, and 41, paragraph 4, Legislative Decree no. 81/2008).
The document states that compliance with the necessary allocation of roles and responsibilities between employer and physician must be ensured, including vaccination in the workplace. Although this originates from the dual need to contribute to the rapid implementation of the vaccination campaign nationally and increase safety levels in the workplace, it remains a “public health initiative.” “The general responsibility and supervision of this process is in the hands of the regional health service, through the local health authority.”
In its 15 April 2021 injunction order, the Italian Data Protection Authority fined a company operating in the manufacturing sector for failing to punctually and adequately inform the employees about the features of a computer system. In doing so, the company unlawfully processed workers’ data beyond the limits set by the authorisation of the local labour inspectorate and the purposes indicated in the provided policies.
The Data Protection Authority intervened following the complaint lodged by the FIOM CGIL, on behalf of some workers, requesting the adoption of an investigation and compliance measure against the employer company. It was alleged that the company’s system required a personal password on the workstation before starting work, which made it possible to store data on individual workers relating to stoppages and production throughout the working day. Since the data collected related to the work of individual employees following authentication with the password, the company, in the union’s opinion, collected data through this system for purposes other than those outlined in the privacy policy.
As a result of the investigation carried out by the Data Protection Authority, it emerged that the computer system coexisted with the previous work organisation method, based on the completion of paper forms in which the names of employees were revealed in plain text. The forms were stored and recorded on the software, but without any form of separation, thus contradicting the privacy policies on the system functioning and the authorisation issued by the Labour Inspectorate, which had expressly prohibited using the data collected for disciplinary purposes. It had emerged that the data collected through this tool had been used to verify the truthfulness of the statements made by an employee during disciplinary proceedings initiated against them.
In addition, it emerged that there were irregularities in the retention periods of the data collected and processed, which, according to the company’s statement, should have been commensurate with what was necessary for the “monitoring/evaluating production cycles.”
In the light of the information gathered, the Data Protection Authority ordered the definitive limitation of the processing operations carried out using the data collected through this system, ordering the company (i) to bring its organisation and processing operations in line with Regulation (EU) 2016/679, including by updating the privacy policy provided to the employees concerned, (ii) adopt appropriate measures to segregate the data collected using paper forms and software and (iii) pay €40,000 as a financial penalty for the violations found.
The FAQ(s) aim to support employers in the correct application of existing legislation resulting from the combination of personal data protection applicable law, workplace health and safety applicable law and emergency regulations.
On 17 February 2021, the Italian Data Protection Authority (the “Authority”) published on its institutional website some FAQ(s) (“Frequently Asked Questions”) concerning the processing of data related to Covid-19 vaccination in the work context.
First of all, the Authority clarified that the employer is not among the persons entitled to request employees to provide information on their vaccination status or, in any case, a copy of the documents proving that they have been vaccinated against Covid-19.
According to the Authority, such processing of personal health data by the employer would be permitted neither by the emergency provisions in force nor by the applicable legislation on health and safety in the workplace, currently contained in the “Consolidated Law on Health and Safety at Work” (Legislative Decree No. 81/2008).
The FAQ(s) clarify that in the employment context not even the consent of the employee him- or herself legitimises such data processing; consent, in this case, cannot constitute a valid condition of lawfulness. This is because of the imbalance and lack of equality in the relationship between the employer, the Data Controller, and the employee (the data subject), whereby the latter’s expression of consent cannot be guaranteed to be freely given (on this point, see recital 43 of (EU) Regulation 2016/679 on the protection of personal data).
Continue reading the full version published in Norme & Tributi Plus Diritto de Il Sole 24 Ore.
On 23 June 2020, the Italian Data Protection Authority (“Garante”) published the “2019 Annual Report” (the “Report”) listing the activities carried out during the previous calendar year.
With the publication of the Report, the Data Protection Authority has confirmed what had already been stated in note ref. no. 7797, dated 27 February 2019, concerning the subjective qualification of the Company Physician (as defined by art. 38 of Legislative Decree 81/2008, the “Decree”).
It is necessary to make a brief introduction to better understand the issue.
Article 4 of the (EU) Personal Data Protection Regulation (the “Regulation”) defines the Data Controller as (i) “the individual or legal person, public authority, service or other body which, individually or jointly with others, determines the personal data processing purposes and means” and the Data Processor as (ii) “the individual or legal person, public authority, service or other body which processes personal data on behalf of the data controller.”
Since the first interpretations and applications of the Regulation, the legal theory opened a debate on the Company Physician’s correct subjective qualification for data processing carried out during the functions and tasks assigned by the Decree.
Part of the theory suggested that the Company Physician was a Data Processor (under art. 28 of the Regulation), and that the employer was the sole Data Controller, with the task of determining the purposes and means of the processing carried out by the professional. This theory was based on the fact that the relationship between the employer and the Company Physician was regulated by a contract by which the latter was expressly authorised by the employer to carry out employee personal data processing (including data belonging to special categories, formerly “sensitive” data).
Conversely, a different part of the theory stated the Company Physician was an independent Data Controller, as the processing purposes were established by the Decree and not by the employer.
This latter idea was expressly confirmed by the Data Protection Authority, which qualifies the Company Physician as an independent Data Controller. The type of processing carried out by the professional (for example, health monitoring or preparing health records) is their prerogative and not the employer’s.
In terms of sanctions, according to the Data Protection Authority, the regulatory framework makes a precise distinction between the employer and Company Physician’s responsibilities.