Background information/scenario

Since the publication of the Guidelines Applying to the Use of E-Mails and the Internet in the Employment Context, the Italian Data Protection Authority (“Garante”) has had more than one opportunity to state its view on the controls of IT devices provided to employees to perform their job. In the case at stake, a dismissed employee sued his previous employer after becoming aware that his private e-mails, texts and personal belongings were controlled and stored without his knowledge, using a third party established in the US not appointed as data processor.

Main issues

The decision at stake is worth exploring because it delivers further details on the measures employers (acting as data controllers) shall implement in order to fairly process their employees’ e-mails and text in computers/laptops and smartphones (“Devices”) when both private and professional use is allowed.

Practical implications

In order to be compliant, employers must be sure to have previously informed employees (though information notices and/or Policies on the use of Devices) on the following matters.

Regarding the processing and control of e-mail accounts:

  • the purposes and modalities of processing of e-mails;
  • the types of e-mails which may be retained for the purposes of business continuity, the period of retention, the reasons behind such period (10 years were deemed unreasonable also in light of extensive controls of the performance of employees);
  • the existence and the content of the procedure for disabling the e-mail accounts following a dismissal (both inbox and outbox shall be completely disabled; automatic replies shall state the disabling, asking senders to contact a different company’s account;
  • the potential processing of personal data between the disabling and the deletion of the account;
  • the existence and the content of the procedure allowing system administrators to access data for maintenance, together with the information that their activity will be logged;
  • the existence of third parties (i.e. external IT companies, geo-location system providers) who may process data on behalf of the employer (processors);
  • the existence of an IT policy which states the permitted professional uses of devices so to avoid employees’ expectation of confidentiality (According to the Court of Cassation 2016/18302, permitting a [marginal] personal use of company devices, combined with the possibility of control of employee performance does itself constitute an unfair processing of employees’ data);

Regarding the processing of smartphone data:

  • the existence of potential processing of smartphone data for limiting additional expenses, together with other requirements set forth by Section 13 of the Italian Personal Data Protection Code;
  • the specifications of processing (meaning whether there is remote collection, modification, storage, erasure) of data contained in smartphone, together with the description of procedures to safeguard the employee’s dignity (again, if smartphones are intended for both for personal and business purposes the control of employees’ performance via such devices would be deemed as an illicit processing of employees’ data, including sensitive data).

The Garante concluded its decision adding a final duty: in order to the safeguard the dignity of employees, employers shall implement procedures allowing dismissed or transferred employees to assist in the control of documents and belongings collocated in their previous office).

Practical advice: employers must ensure they have IT policies and information notices consistent with these requirements. After this decision, employers may want to consider refraining from allowing employees to use company tools for private purposes.