In 2011 a local administration, following an anonymous tip-off, searched the Web and found that one of its employees was offering sexual services on specialised public websites. Disciplinary proceedings were subsequently commenced that ended in the employee’s dismissal, on the grounds that his behaviour had been detrimental to the administration’s reputation. The employee, however, filed a complaint with the Italian Data Protection Authority (DPA), which found that the use of personal information about the employee’s sex life for disciplinary purposes was unlawful, and enjoined the administration from its further use.

The administration successfully appealed the DPA’s decision before the competent District Court. The latter found that the collection of the employee’s personal information by his employer did not concern matters of personal data protection, because it was aimed at acquiring evidence of a disciplinary infraction, not to process personal data on sexual behaviour; consequently, it quashed the DPA’s order.

The DPA appealed the decision before the Italian Supreme Court (Court of Cassation). With its ruling no. 21107 of 7 October 2014, the Court reversed the first instance decision and upheld the DPA’s original order.

At the centre of the Supreme Court’s decision there is a total repudiation of the lower court’s opinion that the Web search carried out by the administration did not constitute a “processing of personal data” for the purposes of the Italian Data Protection Code. In the Supreme Court’s view, on the contrary, the broad definition of personal data processing within the Code encompasses any use of an individual’s personal information, regardless of the purposes. There could therefore be no doubt that, in the case at hand, the administration had processed its employee’s sensitive personal data.

Drawing on these premises, the Court noted that the Personal Data Protection Code does allow the use of sensitive data by public administrations for employment relationship management (including disciplinary action), but only to the extent that secondary legislation, conforming to an Authority’s prior opinion, expressly specifies the activities allowed and the nature of the data involved.

In the case at issue, the latter requirement was not met. The administration had adopted a regulation that, in respect of employment relationship management purposes, allowed the use of an employee’s sex life data only in case of sex attribution rectification.

The administration had argued that the actual purpose of its use of the employee’s data was the handling of court litigation, and therefore such use fell under a different section of the same regulation, which permitted the use of sensitive data for said purpose without restrictions. The Supreme Court, however, rebutted this argument, observing that court litigation, which is only a possibility at the time of disciplinary action, could not be stretched so far as to encompass the latter without violating the principles of proportionality, necessity and relevance that supersede personal data protection.

Last but not least, the Supreme Court rejected the first instance court’s conclusive remark that the employee had forfeited the protection ensured by the Personal Data Protection Code by voluntarily sharing his own data on the Internet. The Court reminded that the publication of personal data does not allow its indiscriminate use by third parties, but only uses that are compatible with the purposes for which it has been published in the first place.

In conclusion, the Supreme Court quashed the first instance decision and directly ruled on the merits of the case by rejecting the administration’s opposition, thus solidifying the DPA’s original injunction.