RELEVANT LEGISLATION ON REMOTE MONITORING
Indeed, the abovementioned Section 4 (1) of Law No. 300/70 establishes that “audiovisual systems and other instruments which allow remote monitoring of employees may be used exclusively for organizational and productive needs, for work safety, and for the protection of company assets and may be installed subject to a collective agreement signed by a unitary union representation or by company union representatives,” or “in the absence of an agreement, the systems and instruments referred to in the previous sentence may be installed subject to authorization by the local Labor Inspectorate or, alternatively, in the case of companies with production units located in areas that fall under the oversight of more than one local Labor Inspectorate, the Ministry of Labor and Social Policies.”
Paragraph 3 adds that “the information collected pursuant to paragraphs 1 and 2 may be used for all purposes connected with the employment relationship on the condition that the worker is given adequate information regarding the methods for using the instruments and carrying out oversight and in compliance with the provisions of Legislative Decree No. 196/03.”
Moreover, Section 13 of EU Regulation No. 2016/679 (“GDPR”) states that the data controller (i.e., the employer) is required to provide in advance all information relating to the essential characteristics of the processing in application of the general principle of transparency.
The latter is an aspect often underestimated by employers, but it needs to be carefully assessed, as evidenced by a recent injunction order of the Italian Data Protection Authority (the Garante) sanctioning a company for failing to inform employees in advance about the purpose of processing collected data.[1]
ORDER OF THE GARANTE: THE CASE AND THE INVESTIGATIONS
On April 15, 2021, the Italian Data Protection Authority, with injunction order No. 136/2021, fined a company operating in the manufacturing sector EUR 40,000 for failing to inform employees punctually and adequately about the use of a computer system. In failing to do so, the company unlawfully processed workers’ data beyond the limits set by the authorization received from the Local Labor Inspectorate (ITL) and the purposes indicated in the privacy notice concerning protection of personal data.
In the course of the proceedings before the Garante, following a complaint filed by a trade union, it emerged that the data collected by the system described above, including data relating to employees’ production, could be traced back to identifiable employees using additional information available to the employer.
The system, which required an employee to enter an individual password on a workstation before starting production, made it possible to collect the disaggregated data of individual workers relating to stoppages and production throughout the workday and for purposes other than those stated in the information drafted by the company regarding the equipment.
In particular, the company: (i) declared as the purpose of data processing that of “preventing theft and/or access to confidential data,” when, in fact, the purpose pursued was “verifying a criminal event”; (ii) failed to inform its employees properly about the characteristics of the system used; (iii) used the data for disciplinary purposes, despite the fact that this had been expressly prohibited by the ITL; (iv) supported the system using the previous working method based on the compilation of paper documents where the names of the employees were visible; and (v) violated data storage regulations, in that it did not inform employees that the data collected were traceable to them for two years.
SANCTIONS IMPOSED BY THE GARANTE
Therefore, the Garante deemed the data processing unlawful, as the failure to inform the data subjects about significant features of the system was in violation of Section 13 of the GDPR, given that the employee was not clearly informed of how the data was collected and used.
In light of the above, the Garante ordered that processing operations carried out using the data collected unlawfully through this system be definitively blocked and required the company to (i) bring its organization and processing operations in line with Regulation (EU) 2016/679, including by updating the privacy policy provided to employees and by detailing all the features of the system; (ii) adopt appropriate measures to segregate the data collected; and (iii) pay EUR 40,000 as a financial penalty for violations.
CONCLUSIONS
In conclusion, this case shows that employers should not see providing information to employees as a mere formality. Honoring this commitment is even more important at a time like this, when so many people are working from home due to the pandemic. If employers intend to adopt any kind of software or tool to protect the company’s assets that might, even indirectly, allow them to monitor the activities of their employees, they should be reminded of the importance and necessity of complying with every requirement imposed by the relevant legislation.
[1] The injunction order is available at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9586936.