Employees are entitled to a reasonable protection of their privacy in personal and professional relationships alike. But what about the Employer’s Control? NEW EMAIL ACCOUNT: AVVOCATO@MAGGIPINTO.EU

1. Professional Training in Milan (Italy)
4 June 2014
Workplace Privacy (excerpt)
Dr. Andrea Maggipinto, ICT Lawyer
Bar Association of Milan

2. Employer’s Control
Avv. Andrea Maggipinto
Employees are entitled to a reasonable protection of their
privacy in personal and professional relationships alike
(see Italian Constitution, and the Italian Data
Protection Code: the so called “Privacy Code” - D.Lgs.
169/2003)
ensuring that data subjects' rights, fundamental
freedoms and dignity are protected also in the
workplace
limitations under local laws (Italy)

3. Binding principles
Avv. Andrea Maggipinto
The processing must be compliant with data protection
safeguards in pursuance of the following binding
principles:
(i) necessity: information systems and software must be
configured by minimizing use of personal and/or
identification data in view of the purposes to be achieved
(article 3 of the Privacy Code);
(ii) fairness: the fundamental features of the processing
must be disclosed to employees (article 11 of the Privacy
Code), so they can be aware and fully informed thereof;
(iii) the processing must be carried out for specific, explicit
and legitimate purposes in compliance with relevance
and non-excessiveness principles (article 11 of the Privacy
Code).

4. Employer is required to
Avv. Andrea Maggipinto
always provide clear-cut, detailed information on the
appropriate mechanisms of use applying to the
equipment that is made available as well as on whether,
to what extent, and how controls are carried out (it is
appropriate to issue internal guidelines);
always inform employees in advance and
unambiguously about any processing operations that
may concern them in connection with possible controls,
according to article 13 of the Privacy Code (the so
called “Information Notice”).

5. Hardware and Software
Avv. Andrea Maggipinto
It is not permitted to process data by means
of hardware and software systems that are
intended to carry out distance controls (at
times in a very detailed manner) in order to
keep track of employees' activities.

6. Compliance
Employers may lawfully avail themselves of systems that
allow distance controls to be carried out indirectly (so
called “unintentional controls”) in compliance with article
4 of the Act no. 300/1970 (so called “Workers' Statute”).
In fact, data protection Italian legislation must be applied
jointly with sector-related rules concerning labor law (in
particular, article 4 of the Workers' Statute regarding the
so called “distance monitoring”).
Avv. Andrea Maggipinto

7. Distance monitoring
The Italian Data Protection Authority established that
equipment intended for distance monitoring is
forbidden, for instance:
the systematic scanning and recording of email
messages and/or the respective external data apart from
what is technically necessary to provide email services;
the reproduction and systematic storage of the web
pages visited by employees;
keystroke pattern analysis and recording devices;
the hidden monitoring/analysis of laptops entrusted to
individual employees. Avv. Andrea Maggipinto

8. Unintentional control
The employer must respect his employees' dignity and
freedom with particular regard to the prohibition
against deploying "equipment for the purpose of controlling
employees' activities from a distance" – which
unquestionably includes hardware and software
equipment intended to control the users of electronic
communications systems.
However, if potential criminal activities were detected
through indirect and “unintentional controls”, this
information could be used against the employee
according to local laws.
Avv. Andrea Maggipinto

9. Lawfully Data Processing
Employers may lawfully process personal, non-sensitive
data if the following applies:
(i) if the circumstances are such as to warrant the
legitimate establishment of a judicial claim;
(ii) if the data subject has given his/her free consent
thereto in a valid manner;
(iii) without the data subject's consent only in pursuance
of a decision that establishes a legitimate interest in
processing the data in question as per the legislation
concerning the so-called balancing of interests (see
article 24).
Avv. Andrea Maggipinto

10. Employees’ e-mail
There are restrictions for the Company viewing and
accessing of employee email.
As regards the use of emails in the employment context
and by having regard to the outward appearance of
email addresses in the individual cases, in the absence of
specific policies, the employee may legitimately expect
certain types of communication to be kept confidential.
So it is strongly recommended to establish company
policy and procedure to control employee emails.
Avv. Andrea Maggipinto

11. Dr. Andrea Maggipinto, ICT Lawyer
andrea.maggipinto@gmail.com
W W W . M A G G I P I N T O . O R G
Via Caradosso n. 7
20123 Milan (Italy)
T: +39 02 48102313
F: +39 02 48102321
it.linkedin.com/in/
andreamaggipinto
@amaggipinto