Written by 15:43 Data Guidance, Media

Italy: an in-depth legal study on data protection and privacy impacts in the Employee Monitoring context

Rocco Panetta, Marta Fraioli, Chiara Pisano and Annalisa Alfano comment on Data Guidance on data protection and privacy impacts in the Employee Monitoring context

OneTrust DataGuidance

by Rocco Panetta, Marta Fraioli, Chiara Pisano, Annalisa Alfano

On an annual basis, our firm updates the ‘Italy – Employment’ note for Data Guidance.
It’s an in-depth legal study on data protection and privacy impacts in the employment context (e.g. video surveillance, employee monitoring), updated to the latest legislative changes (e.g. whistleblowing).

1. Governing Texts

1.1. Legislation relevant to employee monitoring

In Italy, there are many laws and regulations concerning the monitoring of employees’ activities. Such regulatory provisions were issued with the general aim to protect the dignity and privacy of each employee in the workplace environment. In this respect, Article 4 of the Workers’ Statute, Law No. 300/1970 (only available in Italian here) (‘the Workers’ Statute’) can be considered the main norm, as it prescribes correct procedures for the lawful installation, set-up, and use of remote devices for monitoring employees’ activities.

Nonetheless, technological developments have nudged the Italian legislator to rethink the discipline set forth by Article 4 of the Workers’ Statute, with the purpose of simplifying the authorisation for privacy-compliant use of monitoring and surveillance tools while strictly guaranteeing employees’ constitutional rights. Throughout 2015 and early 2016, the Italian Government (‘Government’) introduced such changes within ongoing labour reform, adopting a series of sector-specific legislative decrees (only available in Italian here) (‘the Jobs Act’), aiming to reshape previous laws and regulations, including provisions on employee monitoring. In particular, Article 23 of Legislative Decree No. 151/2015 (only available in Italian here), amended Article 4 of the Workers’ Statute by deleting the obsolete general prohibition of using surveillance tools for employee monitoring purposes, although keeping previous limitations, such as the obligation to consult with unions or national and local works councils and filing a mandatory authorisation request.

With regard to the relevant legal basis in the context of employee monitoring, the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), prescribes, inter alia, that processing activities shall be considered lawful when they are necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data to (Article 5(1)(f) of GDPR).

Moreover, according to the Ethical Rules related to the processing of personal data performed to conduct defensive investigations or to enforce and protect a right in court (only available in Italian here) (‘the Rules’), it is possible to process personal data without the data subjects’ consent only where such processing is aimed at carrying out defensive investigation useful for evaluating whether to start legal action in the event of employment contract breaches or the performance of illicit activities by the employees. The Rules were adopted by the Italian data protection authority (‘the Garante’), according to Article 20(4) of the Legislative Decree No. 101/2018, Provisions for the Adaptation of the National Legislation to the Provisions of the GDPR (only available in Italian here), which has greatly modified the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (‘the Code’).

It shall also be mentioned that the Government has recently adopted Legislative Decree No. 104 of 27 June 2022 (only available in Italian here) (‘Transparency Decree’) by which significant new obligations in relation to the information the employer shall communicate to its employees were introduced, potentially leading to overlaps with the GDPR.

More specifically, Article 4 of the Transparency Decree amends Legislative Decree No. 152 of 26 May 1997 (only available in Italian here) (‘theWork Decree’) by introducing a new Article 1-bis to the Work Decree, which obliges employers and public and private contractors to properly inform workers when using automated decision-making or automated monitoring.

Read the whole article on One Trus | Data Guidance