With Ruling No. 25732 of September 22, 2021, the Supreme Court of Cassation confirmed the survival of what are known as “defensive controls” after the reform of Section 4 of Law No. 300/1970 (known as the “Workers’ Statute”) regarding remote controls, deeming them lawful under certain conditions.
After it had been determined that a virus had spread throughout a company’s network, an employer (a Foundation) accessed the computer of an employee and found a downloaded file in the download folder on the employee’s hard disk that had been responsible for spreading the virus to the company’s network. The virus encrypted files on various network disks, making them unreadable and, therefore, unusable.
During the inspection, the employee was found to have accessed certain sites for long periods of time for personal reasons during working hours, evidence of a substantial interruption of work.
In view of this, the employee was dismissed for disciplinary reasons (for “just cause”).
The employee appealed to the Italian Data Protection Authority (the “Garante”), claiming that the employer had acquired the data it used as the basis of the disciplinary complaint that led to the employee’s dismissal in an unlawful manner.
With an order dated October 12, 2016, the Garante upheld the employee’s claim and ordered the employer to refrain from processing further the data acquired from the browser history on the company computer used by the claimant and relating to the period covered by the controls, “except for the mere storage of the same for the purposes of their possible acquisition by the courts.”
On March 28, 2018, the Court of Rome confirmed this order.
The Court of Appeals of Rome, however, rejected the employee’s appeal, ruling that there had been no violation of Section 4 of the Workers’ Statute, given that inspection of the company computer was necessary in order to verify the origin of the virus that had infected the Foundation’s computer system.
The employee then filed an appeal with the Court of Cassation.
COURT OF CASSATION DECISION
In its ruling, the Supreme Court of Cassation first addressed the issue of the compatibility of what are commonly known as “defensive controls,” as defined by case law prior to the amendment of Section 4 of the Workers’ Statute pursuant to Legislative Decree No. 151/2015, with the post-reform regulatory framework.
According to pre-reform case law, the purpose of “defensive controls” was to uncover unlawful or prohibited conduct on the part of employees who were not covered under the scope of application of the aforementioned Section 4, provided that they were not designed to verify the performance of their duties but rather to safeguard company assets.
There was doubt as to the survival of such controls in a post-reform scenario, because the new Section 4 of the Workers’ Statute admits the exercise of such controls for the “protection of company assets” provided that the signing of an agreement with work councils or the authorization of the local Labor Inspectorate (ITL) is obtained by the employer and that the employee is given adequate information on how to use the tools and how the controls on such tools may be carried out by the employer, in compliance with the Data Protection rules.
In order to settle the matter, i.e., to determine whether “defensive controls” as outlined by case law should continue to be considered out of the scope of Section 4, the court distinguished between defensive controls in a broad sense and those in a narrow sense:
- controls in a broad sense are those carried out in defense of the company’s assets that concern all employees in the performance of their work. These must be carried out in compliance with the provisions of Section 4 of the Workers’ Statute;
- defensive controls in a narrow sense are those aimed at specifically ascertaining unlawful conduct ascribable to individual employees on the basis of concrete evidence.
The latter, according to the court, fall outside the scope of application of Section 4, as they are defensive controls relating to extraordinary and exceptional events arising from the need to establish and punish serious misconduct committed by a single employee.
Accordingly, this means that if an employer suspects that an employee is committing an offense, the employer may perform remote controls using technological tools without following the strict procedures set forth in the Workers’ Statute.
The court also set forth the characteristics a “defensive control” must exhibit in order to be deemed lawful.
In particular, “defensive controls” in a narrow sense should:
- be targeted, e., triggered by the need to ascertain the suspected unlawful conduct of the employee;
- be implemented ex post, e. ,following the unlawful conduct of one or more workers of which the employer has concrete evidence or a well-founded suspicion. The court points out that a control can only be called ex-post when the employer proceeds to collect information after it has established a well-founded suspicion of the commission of unlawful conduct by the worker.
- not rely upon analysis of information acquired in violation of the provisions of Section 4. It is not permissible, therefore, to examine information acquired ex ante and kept for a long time without interruption.
In light of the above, the Court of Cassation stated that the Court of Appeals had erred in failing to check whether the defensive controls carried out by the employer related exclusively to computer data collected after the onset of “well-founded suspicion.”
In conclusion, the Supreme Court of Cassation stated the following principle of law: “technological controls carried out by the employer aimed at protecting assets unrelated to the employment relationship or to avoid misconduct, in the presence of a well-founded suspicion of commission of an offense, are allowed, provided that a proper balance is struck between the needs of protection of interests and business assets, related to freedom of economic initiative, and the essential protection of the dignity and privacy of the worker, and as long as the control relates to data acquired after suspicion arose. In the absence of the above conditions, the verification of admissibility for disciplinary purposes of the data collected by the employer will be conducted in accordance with Section 4 of the Workers’ Statute”.
 The ruling is available at the following link: https://www.cortedicassazione.it/cassazione-resources/resources/cms/documents/25732_09_2021_no-index.pdf.
 The order is available at the following link: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/5867780.