The Italian Data Protection Authority (“IDPA”) issued its first decision interpreting the amended Section 4 of the “Workers’ Bill of Rights,” concerning the monitoring of employees’ internet access and e-mail use.

In particular, the employees of a University in Italy claimed that their employer monitored their personal data by recording their web-browsing log files (specifically, the Media Access Control address, “MAC Address”, and the Internet Protocol address, “IP Address”) and other personal internet-access information, using hidden software operating “in the background”.

The IDPA investigated and found that the employer had wrongly classified its employees’ MAC and IP address data as being subject to no “personal protection” rules. This classification, according to the IDPA’s decision, would run contrary to the principles established by the EU Council of Ministers in its Recommendation No. CM/Rec (2015) 5, dated 1 April 2015. Therefore, the IDPA found that the generic notice included in the University’s internal privacy policy, concerning its monitoring of internet access and e-mail use by employees, was insufficient under Section 13 of the Italian “Data Protection Code”. The IDPA further declared that the University had breached the relevant principles of “actual need and proportionality” by performing such invasive and indiscriminate monitoring.

In the decision, the IDPA found the following technical means of internet monitoring to be lawful, to the extent they are strictly connected with the employees’ work or the safety of the employers’ information network: (a) monitoring log-ins to verify the proper use by the employee of the e-mail system made available by the employer, provided that only “external” data of the employee’s e-mail messages are examined (those introductory data set out in the “envelope” of each message), and that the relevant recordings are kept for a maximum period of seven days; (b) using virus-detection and filtering software to identify security threats in the workstations and servers; and (c) installing automatic-inhibition programs to prevent unsuitable or “unrelated” web accesses by the employees, provided that no retention of data concerning any such access occurs.

For the time being, the IDPA’s decision sets out the limits within which employers in Italy may monitor their employees’ internet access and e-mail use. We strongly recommend employers exercise caution and seek a preliminary legal review.