The Italian Data Protection Authority (“IDPA”) issued its first decision interpreting the amended Section 4 of the “Workers’ Bill of Rights,” concerning the monitoring of employees’ internet access and e-mail use.
In particular, the employees of a University in Italy claimed their employer monitored their personal data, by recording their web-browsing file logs (specifically, the Media Access Control address, “MAC Address”, and the Internet Protocol address, “IP Address”) and other personal internet-access information, using hidden software operating “in the background”.
In the decision, the IDPA found the following technical means of internet monitoring to be lawful, to the extent they are strictly connected with the employees’ work or the safety of the employers’ information network: (a) monitoring log-ins to verify the proper use by the employee of the e-mail system made available by the employer, provided that only “external” data of the employee’s e-mail messages are examined (those introductory data set out in the “envelope” of each message), and that the relevant recordings are kept for a maximum period of seven days; (b) using virus-detection and filtering software to identify security threats in the workstations and servers; and (c) installing automatic-inhibition programs to prevent unsuitable or “unrelated” web accesses by the employees, provided that no retention of data concerning any such access occurs.
The IDPA’s decision sets out, for the time being, the limits for employers to monitor, in Italy, their employees’ internet access and e-mail use. We strongly recommend employers exercise caution and seek a preliminary legal review.