by Rocco Panetta, Marta Fraioli, Chiara Pisano, Annalisa Alfano
On an annual basis, our firm updates the ‘Italy – Employment’ note for Data Guidance.
It’s an in-depth legal study on data protection and privacy impacts in the employment context (e.g. video surveillance, employee monitoring), updated to the latest legislative changes (e.g. whistleblowing).
- 1. Governing Texts
- 2. Telephone
- 2.1. What are the rules for recording telephone conversations?
- 2.2. For which purposes may an employer carry out this type of monitoring?
- 2.3. Is prior notification/approval with the data protection authority required?
- 2.4. Is prior notification/approval/consultation from works’ councils required?
- 2.5. Is consent required from employees? If so, how should consent be sought?
- 2.6. Is consent required from other parties to the call? If so, how should consent be sought?
- 2.7. Is there a legal requirement for employers to have a written policy in place governing telephone monitoring?
- 2.8. Are there any exemptions to the legal requirements which govern this type of monitoring?
- 2.9. What are the retention requirements applicable to data collected through telephone monitoring?
- 3. CCTV
- 3.1. What are the rules for CCTV surveillance?
- 3.2. For which purposes may an employer carry out this type of monitoring?
- 3.3. Is prior notification/approval with the data protection authority required?
- 3.4. Is prior notification/approval/consultation from works’ councils required?
- 3.5. Is consent required from employees? If so, how should consent be sought?
- 3.6. Is there a legal requirement for employers to have a written policy in place governing CCTV surveillance?
- 3.7. Are there any exemptions?
- 3.8. What are the retention requirements applicable to data collected through CCTV surveillance?
- 4. Email
- 4.1. What are the rules regarding monitoring of employees’ emails?
- 4.2. For which purposes may an employer carry out this type of monitoring?
- 4.3. Is prior notification/approval with the data protection authority required?
- 4.4. Is notification/approval/consultation with works’ council required?
- 4.5. Is consent required from employees? If so, how should consent be sought?
- 4.6. Is there a legal requirement for employers to have a written policy in place governing email monitoring?
- 4.7. Are there any exemptions to the legal requirements which govern this type of monitoring?
- 4.8. What are the retention requirements applicable to data collected through email monitoring?
- 5. Biometrics
- 5.1. What are the rules regarding biometric monitoring?
- 5.2. For which purposes may an employer carry out this type of monitoring?
- 5.3. Is prior notification/approval with the data protection authority required?
- 5.4. Is notification/approval/consultation with works’ council required?
- 5.5. Is consent required from employees? If so, how should consent be sought?
- 5.6. Is there a legal requirement for employers to have a written policy in place governing biometric monitoring?
- 5.7. Are there any exemptions to the legal requirements which govern this type of monitoring?
- 5.8. What are the retention requirements applicable to data collected for biometric monitoring?
- 6. Device Monitoring
- 6.1. What are the rules regarding company-owned device monitoring?
- 6.2. For which purposes may an employer carry out this type of monitoring?
- 6.3. Is prior notification/approval with the data protection authority required?
- 6.4. Is notification/approval/consultation with works’ council required?
- 6.5. Is consent required from employees? If so, how should consent be sought?
- 6.6. Is there a legal requirement for employers to have a written policy in place governing company-owned device monitoring?
- 6.7. Are there any exemptions to the legal requirements which govern this type of monitoring?
- 6.8. What are the retention requirements applicable to data collected from the company-owned devices?
- 7. Covert Surveillance
- 8. Employees’ Access Rights
- 9. Penalties
1. Governing Texts
1.1. Legislation relevant to employee monitoring
In Italy, there are many laws and regulations concerning the monitoring of employees’ activities. Such regulatory provisions were issued with the general aim to protect the dignity and privacy of each employee in the workplace environment. In this respect, Article 4 of the Workers’ Statute, Law No. 300/1970 (only available in Italian here) (‘the Workers’ Statute’) can be considered the main norm, as it prescribes correct procedures for the lawful installation, set-up, and use of remote devices for monitoring employees’ activities.
Nonetheless, technological developments have nudged the Italian legislator to rethink the discipline set forth by Article 4 of the Workers’ Statute, with the purpose of simplifying the authorisation for privacy-compliant use of monitoring and surveillance tools while strictly guaranteeing employees’ constitutional rights. Throughout 2015 and early 2016, the Italian Government (‘Government’) introduced such changes within the ongoing labour reform, adopting a series of sector-specific legislative decrees (only available in Italian here) (‘the Jobs Act’), aiming to reshape previous laws and regulations, including provisions on employee monitoring. In particular, Article 23 of Legislative Decree No. 151/2015 (only available in Italian here) amended Article 4 of the Workers’ Statute by deleting the obsolete general prohibition of using surveillance tools for employee monitoring purposes, while keeping previous limitations, such as the obligation to consult with unions or national and local works councils and to file a mandatory authorisation request.
With regard to the relevant legal basis in the context of employee monitoring, the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) prescribes, inter alia, that processing activities shall be considered lawful when they are necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data (Article 5(1)(f) of GDPR).
Moreover, according to the Ethical Rules related to the processing of personal data performed to conduct defensive investigations or to enforce and protect a right in court (only available in Italian here) (‘the Rules’), it is possible to process personal data without the data subjects’ consent only where such processing is aimed at carrying out defensive investigations useful for evaluating whether to start legal action in the event of employment contract breaches or the performance of illicit activities by the employees. The Rules were adopted by the Italian data protection authority (‘the Garante’), according to Article 20(4) of the Legislative Decree No. 101/2018, Provisions for the Adaptation of the National Legislation to the Provisions of the GDPR (only available in Italian here), which has greatly modified the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (‘the Code’).
It should also be mentioned that the Government has recently adopted Legislative Decree No. 104 of 27 June 2022 (only available in Italian here) (‘Transparency Decree’), which introduced significant new obligations in relation to the information the employer shall communicate to its employees, potentially leading to overlaps with the GDPR.
More specifically, Article 4 of the Transparency Decree amends Legislative Decree No. 152 of 26 May 1997 (only available in Italian here) (‘the Work Decree’) by introducing a new Article 1-bis to the Work Decree, which obliges employers and public and private contractors to properly inform workers when using automated decision-making or automated monitoring.
…