26 July 2019
Following the amendments to the Jobs Act (Legislative Decree 81/2015), the general prohibition set out in Article 4 of Law 300/1970 on the "use of audiovisual devices and other equipment to remotely monitor workers' activities" has given way to a list of conditions that allow the installation (and use) of instruments to monitor employee performance.
Although previously permitted by trade union agreements or administrative authorisation, it is now possible to install tools that allow employee performance to be monitored (albeit in an ancillary way), provided that it is:
However, such agreements and authorisations are not required when employees are monitored using instruments that they use to perform their work.
With a view to balancing private sector interests and the protection of individual rights (the right to dignity and confidentiality above all), in 2015 the legislature decided that personal data collected using the abovementioned methods can be used "for all purposes relating to an employment relationship", including disciplinary purposes, only after employers have provided employees with the relevant information drawn up in accordance with data protection rules (ie, the Privacy Code and the EU General Data Protection Regulation) regarding the scope and purpose of data processing.
If this obligation is not fulfilled, any personal data collected will be deemed unusable and cannot be invoked in court to support a claim of an employee's non-fulfilment of their duties (eg, the Court of Rome's judgment of 3 September 2018).
However, case law regarding the application of Article 4 of Law 300/1970 before the Jobs Act was introduced shows that not all remote monitoring of employees was subject to the strict and categorical prohibition now provided by Article 4 (eg, so-called 'defensive monitoring'). Although this general prohibition covered monitoring employee performance, the remote monitoring of employee conduct required to guard against illegal conduct which could be damaging to the company's assets or pose a danger to the safety of the work environment was allowed (eg, the Supreme Court of Cassation's Decisions 4746/2002 and 10955/2015, respectively, on the non-professional use of a company telephone network and monitoring performed through a fake Facebook account).
A recent court decision established what type of remote monitoring of employees is permitted in light of the changes under the Jobs Act, even in the absence of providing data protection information as required by Article 4 of Law 300/1970.
The case concerned a company's dismissal of an employee who, through her access to databases which she used in her job as a call centre employee, repeatedly verified the data traffic of users for purposes which did not correspond to actual business needs.
To proceed with the dismissal, the company (after having been alerted by another employee) checked the employee's access to the company's registration system and discovered more than fifty illegal or unjustified operations.
The employee's defence focused not on contesting her behaviour, but rather on stressing the lack of adequate information provided under the Privacy Code and Article 4 of Law 300/1970 regarding the database software and the possibility of remote monitoring. According to the employee, this fact alone was enough to prevent the use of said data and therefore make her dismissal illegitimate.
The company countered that the database software warned operators of the possible traceability of their activities. Given that "unauthorised access to a computer system" is a crime under Italian criminal law (Article 615ter of the Criminal Code), it argued that any monitoring of employees should relate to defensive monitoring, which aims to combat illegal conduct. This type of monitoring is legitimate even in the absence of the abovementioned adequate information requirement.(1)
The indisputable criminal element of the employee's alleged conduct, which was capable of harming the interests of the company and the data subjects concerned, was the starting point of the court's decision.
The employee's alleged violation of the rights of third parties led the court to believe that the employer's monitoring of employees had not been – or, at least, not only – focused on checking employee performance, but rather on carrying out defensive monitoring in the context of the changes to the Jobs Act.
However, the most notable aspect of the decision was the argument that the judge used regarding data protection guaranteed to individuals, which was borrowed in full from Article 8 of the European Convention on Human Rights (ECHR).
The court observed that the "right to respect for private and family life" referred to in Article 8(1) of the ECHR is not an absolute right – rather, as provided in the second paragraph of the same provision, it may be subject to limitations in horizontal relations where they are provided:
The court considered that these conditions had been met. The employee monitoring had been carried out not only to protect the company's interests, but also to protect users' data (ie, the protection of customer data).
Therefore, defensive monitoring of employees must be considered admissible by the domestic courts and the European Court of Human Rights (Köpke v Germany, 420/07), whose rulings have made it possible to fill the gaps in formal legislative data by providing an interpretation in line with the data protection rights of individual users and company needs.
In light of these considerations, the court found that a balance must be struck between the interests at stake in accordance with Article 8 of the ECHR (ie, the dismissed employee's right to confidentiality on the one hand and the company's interests on the other). Based on these grounds, the court found that the employee's dismissal had been legitimate.
For further information on this topic please contact Luca Daffra at Ichino Brugnatelli e Associati by telephone (+39 (0)2 48193249) or email (email@example.com). The Ichino Brugnatelli e Associati website can be accessed at www.ichinobrugnatelli.it.
(1) For further information please see "Emailing confidential data to colleagues may be criminal offence".