A recent Supreme Court decision found that an employee who copies computer data stored on a company laptop entrusted to them for work purposes and subsequently returns the computer with said data deleted and the hard drive formatted is guilty of embezzlement pursuant to Article 646 of the Criminal Code.
Employers must ensure that the technical-organisational measures and software that they use are adequate to protect whistleblowers' confidentiality. The data protection authority recently reiterated this point when it fined a major university in Rome for failing to prevent the data of two people who had notified the university of possible data violations from being accessible online.
The directors of a credit company placed under extraordinary administration for serious irregularities learned that an employee had covertly given the company's former general manager some confidential company documents, which he had had no reason to access. The employee was subject to internal disciplinary proceedings and dismissed for a serious breach of the obligation of loyalty to her employer, but challenged her dismissal in court.
Following the General Data Protection Regulation's (GDPR's) entry into force, the legislature asked the Data Protection Authority to review and update the so-called 'general authorisations' that it issued to allow the processing of sensitive data in the absence of the data subject's consent. Drawing on Article 9 of the GDPR, the Data Protection Authority subsequently issued Provision 146/2019, which sets out the requirements for processing special categories of data in employment relationships.
A recent Supreme Court of Cassation decision examined whether there were justified objective reasons for an employer to dismiss an employee following his refusal to reduce his hours in the wake of a company reorganisation to reduce labour costs and increase productivity. The court examined previous case law in this regard, reassessed the parameters of justified objective reasons for dismissal and set out the scope of judicial examinations of such a dismissal's legitimacy.
With a view to balancing private sector interests and the protection of individual rights, in 2015 the legislature decided that personal data collected through the remote monitoring of employees can be used for disciplinary purposes if employers provide employees with information regarding the scope and purpose of said processing. A recent case established what type of remote monitoring is permitted in the absence of providing the required data protection information.
A client company recently sued a leading Italian bank, arguing that the interest rate swap contracts concluded between the parties should be declared null and void because, among other things, no master agreement had been executed and the contracts had allegedly been concluded in violation of the bank's general duties of correctness and delay. However, the bank rejected the claims based on the preliminary argument that the limitation period for taking action had already elapsed.
The Court of Cassation recently rejected a bank's appeal and found that its employee had been entitled to access evaluation documents which had led to disciplinary measures being taken against him. Although the case concerned the regulation of access to personal data under the now rescinded Privacy Code, the decision sets out principles which remain valid under the EU General Data Protection Regulation and further strengthen the rights of data subjects with regard to how their data is processed.
The Milan Court of Appeals recently rejected an appeal against a Milan Court of First Instance judgment concerning an interest rate swap derivative contract. The complainant had asked the first-instance court for a statement of nullity regarding the contract, claiming that its purpose could not be determined and that no adequate risk exposure information had been provided. However, the first-instance court confirmed existing case law and excluded any reason for nullity of the contract.
The Criminal Court of Cassation recently confirmed a Milan Court of Appeal judgment which found that an employee who had emailed confidential data to a colleague who was not authorised to access said information had committed the crime of unauthorised access to a computer system under Article 615ter of the Criminal Code. The decision confirms that employers, as data controllers, must take appropriate security measures to ensure the integrity of information systems and data.