The Italian Government has recently issued a new set of rules aimed at redesigning the legal framework regarding the remote monitoring in the workplace.
Even if the general principles reflect the old provisions of the Workers Bill (Law No.300/1970), these new rules introduce important practical changes (in particular, with regard to electronic devices assigned to the employees for the performance of their working activity), that certainly reduce the labor law compliance burdens for the employers, but, at the same time, involve new data privacy issues that the companies shall have to cope with.
Pursuant to the recent decree issued by the Government - in accordance with the former provisions - in principle, the implementation of audiovisual systems and other devices (indirectly) aimed at monitoring the working activities of the employees is allowed solely as far as such systems are needed also for (i) organizational reasons, (ii) productive reasons, (iii) work safety reasons or (iv) to protect business assets.
Although, in principle, before implementing such monitoring systems, it is still required a prior agreement with the trade unions or a prior authorization of the Local Labor Office, one of the most important novelties introduced by the new piece of legislation is the exemption from the above mentioned fulfilments (prior agreement or authorization) with regard to (i) devices used by the employees in order to provide their working activities (e.g. personal computer, notebook, smartphone, etc.) and (ii) badges (or other tools) used in order to record accesses to and exits from the workplace.
Such an exemption has however a price to be paid by the employer, in terms of privacy compliance duties.
In deed, the workers shall be provided by the employer with a comprehensive privacy notice on the modalities whereby the monitoring systems will be used by the company, in accordance with the Italian Data Protection Code. In particular, it will be on the employer to explain the purposes of possible controls and the modalities whereby such controls could be carried out.
Therefore, the employer - in order to avoid possible risks - shall have to give full transparency on the possible controls on the employees, in compliance with the general principles set out by the Italian Data Protection Code.
But this is not the only side effect concerning the privacy fulfilments.
In Italy, according to the Italian Data Protection Code, in order to start a data processing relying on the legitimate interest of the data controller, a previous approval of the Italian Data Protection Authority (“Garante”) would be needed. In other words, an organization that wishes to start a data processing on the basis of such a ground, should file a prior application before the Garante, that may authorize (or not) such a data processing.
With particular regard to the use of electronic devices in the workplace, in 2007, the Garante issued a detailed set of guidelines (“Guidelines Applying to the Use of E-Mails and the Internet in the Employment Context”) (“Guidelines”), whereby the Garante recognized the legitimate interest of the employer, also without the data subject's consent, to process the personal data of the employees collected by means of electronic devices that can allow a remote monitoring of the employees, as far as such a data processing was carried out in accordance with the Guidelines and the applicable data protection rules.
The Garante, in particular, clarified that: “In the balance of the interests at issue, account was taken of the safeguards laid down by the Law No.300/1970 (Workers Bill) with regard to the performance of "indirect" controls on employees – whereby the prerequisite does not consist in the data subjects' consent, but rather in the agreement with trade union representatives; failing the latter agreement, the authorisation by a peripheral branch of the labor management agency will be necessary”.
In such circumstances, after the reform at issue, it is now questionable if the employer could keep on relying on the legitimate interest, even if no agreements with the trade unions are in place and no authorizations of the Local Labor Office have been obtained. In deed, such safeguards (that - as mentioned above - are no more needed with regard to a number of electronic devices), were the main factors considered by the Garante in the balance of interests at stake.
In the light of the above, it cannot be excluded that, in the next months, the Garante – who expressed the concerns of the Authority regarding possible controls of the employers not correctly balanced with the fundamental rights of the employees - will review its guidelines.
In the meantime, any company, before implementing in Italy a remote monitoring systems (without a previous agreement with the trade unions or an authorization of the Local Labor Office), should take into consideration that, in order to comply with the Italian privacy rules, relying only on the legitimate interest of the employer could represent a risk.