The Regional Administrative Court (i.e. “Tribunale Amministrativo Regionale,” or “TAR”) of Tuscany recently annulled the denial issued by the local labor inspectorate (i.e. “Ispettorato Territoriale del Lavoro” or “ITL”) concerning a company’s request to install additional surveillance cameras at the perimeter of its industrial site. The Court clarified that even outdoor areas where work activities occur only occasionally or intermittently still qualify as “workplaces” under Italian law.
The case originated from a request submitted by a company to the competent ITL — as provided by Article 4 of the Italian Worker Statute (Law 300/70) — whereby the company approached the Public Administration after failing to reach an agreement with the corporate trade union representatives. Specifically, the company’s request outlined that, despite the presence of an existing surveillance system installed along the perimeter of the corporate premises, there was still a need to install an additional nine cameras. These cameras were to be placed in a peripheral area of the industrial facility to monitor the proper disposal of waste in designated unloading areas — areas that were also used by external parties — in order to prevent risks to worker safety, fire hazards, environmental damage, and to protect the company’s assets.
The ITL’s denial was based on its classification of the areas as “workplaces” and the perceived disproportion of the measure, which was deemed inappropriate in relation to the risks involved.
The Court found the company’s appeal to be valid for the following reasons:
Other related insights:
Managing employee surveillance is a sensitive issue, especially with the rise of new technologies. Recent rulings from Italy’s Court of Cassation have clarified the legal boundaries surrounding this practice.
The role of Investigative Agencies
Employers may use private investigators to check potential employee misconduct, such as unapproved absences or misuse of leave. However, these investigations must be focused, proportional, and lawful, ensuring they do not interfere with an employee’s work duties.
Monitoring company devices
Employers may need to access employees’ devices, such as emails or laptops, especially when there is reasonable suspicion of misconduct. The Italian Supreme Court has recently clarified that checking an employee’s email is only permitted when there is concrete suspicion, and such checks must not be arbitrary or excessive.
Balancing business needs and employee privacy
It is essential to strike a balance between business needs and employee privacy. Surveillance must be justified, proportionate, and never indiscriminate. Employers must ensure they follow legal guidelines to avoid misuse of the information collected.
Best practices
By following these principles, employers can protect their business interests while respecting employee privacy.
Continue reading the full version published on Agenda Digitale.
In its judgment of December 19, 2024, case C-65/23, the Court of Justice of the European Union ruled that (i) the provisions of national collective labor agreements must comply with data protection regulations and that:(ii) ”Should the national court seized of the matter conclude, following its review, that certain provisions of the collective agreement […] do not comply with the conditions and limits set forth by the GDPR, it would be required not to apply such provisions […].”
The case originates from a claim filed by a German employee, who claimed that the company he worked for was unlawfully processing his personal data. In particular, the company used a SAP software for accounting purposes and the personal data entered in it was transferred to a server located in the United States of America. The company defended itself by claiming that the processing of personal data carried out was lawful because it complied with the provisions of the collective agreements applied in the company.
The employee therefore brought the case before the territorially competent national courts, seeking: (i) access to his personal data, (ii) the deletion of data concerning him and (iii) the recognition of compensation.
The German national judges, called upon to decide the case, raised questions about the scope of the applicability of Article 88 of the GDPR. Article 88 of the GDPR provides that “Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context […]”.
In its ruling, the Court of Justice clarified that when the provisions of a national collective agreement regulate the processing of personal data in the workplace, they must comply with the fundamental principles of the GDPR. The effect must be to bind its addressees (employers and trade unions) to ensure compliance with the principles of lawfulness, fairness, and transparency of the processing, the requirements for lawful consent, and the rules regarding the processing of special categories of personal data.
This means that if a judge were to determine that the provisions of a collective agreement regulating one or more personal data processing activities in the workplace violate the conditions and limits set by the applicable sectoral legislation, the judge would be required to disapply the non-compliant provisions, without the discretion available to the parties to the agreement in determining the “necessary” nature of a personal data processing activity preventing the court from exercising full judicial review in this regard.
Other related insights:
Do you know that if you receive an email from an employee of your organization requesting you to update his or her bank details and informing you of the new bank account (IBAN) on which to credit their next salaries, it could be a fraud?
Some cyber criminals, by setting up a fake employee mailbox or directly hacking into an employee’s company mailbox, are increasingly sending fake messages to HR managers informing them that they have changed their bank account (IBAN). Reporting the new bank details, which are obviously controlled by the fraudster, they request that future salaries be accredited there.
How to protect your organization?
But that is not all. Please consider that improper processing of personal information exposes an organization to the risk of incurring one or more of the breaches set out in the privacy regulations.
Continue reading the full version published in Norme e Tributi Plus Lavoro del Il Sole 24 Ore.
The Italian Data Protection Authority sanctioned the company Foodinho S.r.l., a Glovo Group company, to pay a fine of EUR 5 million for unlawfully processing the personal data of more than 35,000 riders through its digital platform.
Following a complex investigation carried out ex officio by the Authority, it revealed that the company, which had already been sanctioned in 2021 for unlawful processing and violations of the provisions of the privacy legislation, was carrying out “numerous and serious violations” of the GDPR.
Among others, the company:
In addition to the numerous violations of privacy regulations pointed out by the Italian Data Protection Authority and partially reported herein, it is worth mentioning that the Authority highlighted that in this case, the company “while carrying out an activity of systematic control of the work performed by the riders, through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems), […], did not comply with the provisions established by Article 4, paragraph 1, of Law no. 300/1970, as it did not verify that the tools used are attributable to the purposes strictly allowed by the law (organizational and production needs, work safety and protection of the environment, and protection of the environment) nor did it activate the guarantee procedure provided for in the event of the existence of one of the aforementioned purposes (collective agreement entered into with trade union representatives or, failing that, authorization by the Italian Labor Inspectorate)”.
In other words, the company, in addition to implementing technical and organizational security measures aimed at eliminating breaches and ceasing unlawful processing of personal data, must also take appropriate measures to comply with the provisions of the Workers’ Statute on remote control of employees.
Other related insights:
Compliance, Agency Contracts, and Privacy Management: A Growing Complexity
The law firm De Luca & Partners and HR Capital have recently highlighted significant issues in strategic areas such as contract management, regulatory compliance, and data protection. These areas, critical for Italian companies, are confronted with evolving regulations that demand increasing attention to avoid economic and reputational consequences.
A recent ruling by the Court of Rome reclassified the commercial collaboration agreements between a company and certain influencers—entrusted with promoting the company’s products through social media channels—as agency contracts. As a result, the company was ordered to pay the omitted contributions to Enasarco following the reclassification.
The reclassification of commercial contracts as agency contracts may also entail a significant economic impact for companies, including the obligation to pay the influencer/agent an end-of-contract indemnity, typically calculated based on the average annual compensation earned by the influencer/agent over the past five years. In light of this, companies would be well-advised to update their financial statements with targeted provisions and properly classify existing contracts to address any irregularities.
However, according to the firm’s name partners, Vincenzo De Luca and Vittorio De Luca, many companies have yet to grasp the urgency of adequately regulating contractual relationships.
Compliance with the genuineness requirements for subcontracting agreements is now under close scrutiny by authorities. The legislator has recently tightened the consequences for both clients and contractors in cases of “non-genuine” subcontracting, where irregular labor provision occurs, introducing criminal penalties as well.
To be deemed compliant, a subcontract must meet three key criteria:
The reintroduction of criminal penalties in March 2024 adds further pressure on companies to ensure the transparency and independence of subcontracting relationships.
As of October 1, 2024, the new “Credit License” system has come into force, requiring a series of formalities for those operating on construction sites or significant engineering projects within Italy. This certification, which includes documents such as the DURC (certification of compliance with social security contributions) and the DURF (tax compliance certification), is essential for compliance with workplace health and safety regulations.
Foreign companies operating in Italy must also meet these requirements unless they hold an equivalent certification issued by their home country. Lawyer Vittorio De Luca explains that the “Credit License” applies to foreign companies involved in real estate and infrastructure projects or in data center installations.
Privacy and personal data management have become critical focal points for Italian companies, particularly given the stringent penalties for GDPR violations, which can reach up to 4% of the global annual turnover.
Dr. Martina De Angeli notes that recent investigations by the Milan Public Prosecutor’s Office have revealed that weak IT security systems can lead to unauthorized intrusions with severe consequences. In addition to reporting any data breach within 72 hours—a very short timeframe from an operational perspective—companies must constantly monitor their systems, train staff, and implement continuous control and monitoring processes.
Continue reading the full version published on Global Legal Chronicle Italia
“The employer cannot access the employee’s or collaborator’s e-mail or use software to store a copy of the messages. Such processing of personal data not only constitutes a breach of the data protection laws but also amounts to an unlawful control activity over the employee”.
This has been stated by the Italian Data Protection Authority, which sanctioned a company with a fine of EUR 80,000, with decision no. 472 of 17 July 2024, published in the institutional newsletter published on 22 October 2024.
The case originated from a complaint submitted to the Authority by a former collaborator of a company, who reported that the company had maintained his email account active and accessible even after the termination of his collaboration.
The investigation revealed that the company had commissioned a forensic engineering firm to investigate the contents of the collaborator’s email using the “Mail Store” application installed on company’s laptops. During the collaboration, the company had backed up the email inbox and had retained both the content and access logs for the mailbox and the management system. The e-mails collected through the application had then been used in a legal proceeding brought against the complainant before the Court of Venice.
Furthermore, the company, based on the document titled “Equipment used by the worker to perform work activities and tools for recording access and attendance – modalities and limits of use”, attached to the notice given to the complainant as a collaborator and directed at the company’s employees, processed data from corporate e-mail accounts in violation of data protection regulations. The document informed that the company could access the emails of employees and collaborators for the purposes of business continuity, in case of absence or termination of the relationship, but did not mention the backup process or the corresponding retention period.
The Authority stated that the systematic retention of e-mails – in this case, communications were stored for three years following the termination of the collaboration – and the systematic retention of access logs for the e-mail and management system used by the employees were not compliant with the applicable laws. The retention was deemed disproportionate and unnecessary for achieving the company’s stated purposes of ensuring the security of the IT network and the continuity of the company’s business activities.
This also allowed the company to reconstruct the complainant’s activities in detail. The Authority noted that “even if, hypothetically, such processing were aimed at achieving one of the purposes explicitly indicated in Article 4, (1), of Law no. 300/1970, it appears that the company did not activate the guarantee procedure provided therein (agreement with the workers’ representatives or, failing that, authorization by the Labor Inspectorate)”.
Lastly, as far as the use of the data in a judicial context is concerned, the Authority recalled that processing carried out by accessing an employee’s e-mail judicial protection purposes refers to disputes already in progress and not to abstract and indeterminate hypotheses of protection, as in the case under review.
The Court of First Instance of Udine (Labour Section, order no. 504 of 2 August 2024) declared lawful the measure of suspension from work and remuneration, imposed by a company on an employee who had refused to sign the letter sent to the person responsible for processing personal data, in accordance with the applicable data protection law (please also refer to Ntpluslavoro of 26 September).
The Court of First Instance stated that, as a result of a circumstance caused by the employee’s will and, in any event, beyond its control, the company found itself in a situation in which it was obliged to suspend the employee’s services and remuneration. If it had not done so, it would have breached the rules of guarantee provided for by the data protection legislation and would inevitably entail the risk of incurring the sanctions provided for.
The employer entrusts the employee not only with adequate resources and tools to ensure the correct processing of personal data, but also with the responsibility to process such data with confidentiality, fairness and diligence. While it is therefore true that the appointment of a designated person is unilateral in nature, since it is an act emanating from the employer, it is equally true that the employee’s failure to accept it, will have consequences for the management of the employment relationship, which will be felt at several levels:
Also because of these considerations, the Court of Udine stated that the refusal to accept the appointment as an authorized subject was sufficient to justify the adoption of the disciplinary measure of suspension from service and remuneration.
The specific case inevitably prompts the query as to what the effects and consequences are, or could be, for the employer who is faced with the hypothesis that an employee does not accept the assignment to a person authorized to process personal data or even expresses the intention to withdraw a previously provided acceptance.
Logically, but for the sake of completeness of the argument, it is also worth mentioning briefly, the question does not arise if the tasks assigned to an employee do not involve the processing of personal data. In the opinion of the author, the question does not arise for two reasons. On one hand, it would be illogical and unnecessary to authorize and instruct an employee who does not process personal data in performing his/her work activities. Article 29 of (EU) Regulation 2016/679 (the GDPR) and Article 2-quaterdecies of the Italian Legislative Decree no. 196/2003 provide that it is those who have “access to personal data” and not those who do not carry out any processing operations, who shall be instructed. On the other hand, the refusal of those who do not have access to personal data does not affect the performance of their daily work. Therefore, even in the latter case, no potentially relevant behaviour from a disciplinary standpoint would be identified.
Please continue reading the full version published in Norme e Tributi Plus Lavoro del Il Sole 24 Ore.