Remote monitoring
Monitoring attendance
Information gathered
Comment
A series of labour law reforms were recently passed by Parliament, including Decree-Law 151/2015, which amends Section 4 of the Workers' Statute (Law 300/1970).
Under Section 4(1), audiovisual equipment and other tools that facilitate the remote monitoring of employees may be used exclusively for:
- organisational and production needs;
- workplace safety; and
- the protection of corporate assets.
The general ban on monitoring employee activity through equipment designed for that purpose (eg, keyloggers to monitor employee efficiency at data entry) has been removed. However, this principle remains in the wording of Section 4(1). 'Exclusively' implies that unintentional monitoring – that is, indirect monitoring resulting from the use of audiovisual equipment meant for "organisational and production needs... safety in the workplace and the protection of corporate assets" – is allowed if it complies with the law. It is unclear whether application software (not operating systems) that aims to protect monitoring systems falls under this category.
The Supreme Court has ruled that:
"software that enables the monitoring of email and access to the Internet is inevitably monitoring equipment when, because of its characteristics, it allows the employer to remotely and continuously monitor the performance of work and whether that work is done carefully and properly."(1)
Section 4(1) applies when a personal computer, smartphone or network server is transformed through application software into a tool used exclusively to collect data that monitors the performance of workers. It also confirms a procedure of co-determination between employers and trade union representatives for the installation and use of remote monitoring equipment. The amendments regulate this procedure for companies with production plants in different locations and provide for agreements between businesses and the largest national trade unions. In the event of non-agreement, a company may apply directly to the Ministry of Labour for authorisation.
This approach was previously proposed by the Ministry of Labour and is reasonable, as it is unfeasible for an enterprise with multiple plants to negotiate an agreement in each location and risk being partially blocked by the different positions of unions or the local labour offices.
Section 4(2) provides that Section 4(1) does not apply to tools used to carry out work or monitor workplace access and attendance. Turnstiles operated by magnetic readers or radio-frequency identification (RFID), barriers opened with remote RFID cards, smartphones, laptops and portable bar codes are all tools that facilitate remote monitoring. The use of smart devices as work tools does not imply that the operating system which makes them work necessarily involves remote monitoring.
The same principle applies to monitoring employees' entry to and exit from the workplace. Section 171 of the Personal Data Protection Code (Decree-Law 196/2003) confirms that "breach of the provisions… of Article 4, first and second paragraph shall be punished, as provided for by Section 38 of Act no. 300 of 20 May 1970". Section 4(2) prohibits employers from transforming a work tool into an instrument used exclusively for monitoring employees.
Section 4(3) provides that information gathered pursuant to Section 4(1) and (2) can be used for any purpose relating to employment, provided that employees are given adequate information on how the work tools in question are used and how checks are carried out, and that this activity complies with the Personal Data Protection Code and the relevant data protection rules.
This provision modifies the previous interpretation that any data collected could not be used for disciplinary purposes, even when its use was linked to unlawful criminal behaviour by a worker. It has now been clarified that data obtained through the appropriate use of a work tool can be used to check for improper use or the fulfilment of employee obligations.
Corporate policies and rules governing the use of work tools also define the lawful scope of employee monitoring. However, this does not resolve the issues raised regarding emails in the corporate domain that contain private data.
The revision of Section 4 enhances the consistency of rules protecting a company's technological assets and confirms the legislature's favourable view of technological innovation. However, the reference to data protection creates significant monitoring issues where a company introduces a 'bring your own device' policy. In that case, the employee is the owner of the device and the logic of safeguarding its corporate use cannot apply.(2)
For further information on this topic please contact Andrea Stanchi at Stanchi Studio Legale by telephone (+39 02 546 9522) or email ([email protected]).
Endnotes
(1) Court of Cassation 4375/2010.
(2) For further information please see Stanchi Studio Legale's ILO OnDemand update "Bring your own device".
