Italian SA: unfettered employee surveillance to be banned

13 May 2021

Background information

  • Date of final decision: 13 May 2021
  • Cross-border case or national case: National case
  • Controller: Municipality of Bozen/Bolzano
  • Legal Reference: GDPR: Article 5 para. 1, letters a) and c) (lawfulness, fairness, transparency; data minimisation); Article 6 (Lawful processing); Article 9 (Processing of special category data); Article 13 (Information); Article 35 (DPIA); Article 88 (Processing in the context of employment); Italian DP Code: Sections 113 and 114 (Safeguards applying to remote surveillance and private life).
  • Decision: finding of infringements of the GDPR; administrative fine
  • Key words: employer-employee relations; remote surveillance; employees’ use of the Internet; impact assessment; anonymisation.

 

Summary of the Decision

 

Origin of the case

The case originated from a complaint lodged by an employee who had been the subject of disciplinary measures on account of his having allegedly visited websites that had no connection with his work assignments.

 

Key Findings

The Italian SA found that the municipality (controller) had not complied with data protection principles, although it had entered into an ad-hoc agreement with trade unions pursuant to sector-specific national laws. In particular, the municipality had implemented the monitoring system without informing its employees adequately. The system enabled processing activities that were unnecessary as well as disproportionate to the purposes of protecting and securing the internal IT network: it collected data on the websites visited by the employees along with information that was unrelated to the employees’ work assignments and pertained to their private lives.

No DPIA had been carried out, since the controller had mistakenly assumed that the processing carried no specific risks to employees. Additionally, shortcomings were found in the arrangements for handling employees’ requests to undergo ad-hoc medical tests.

 

Decision

A fine of EUR 80,000 was imposed on the municipality, partly on account of the sensitive nature of the information that had been processed in breach of the law. Additionally, the municipality was ordered to implement technical and organisational measures so as to anonymise the data relating to employees’ workstations, erase any personal data in browsing logs, and update the internal procedures as set out in the agreement with trade unions.

As part of its decision, the Italian SA pointed out that the need to reduce the risk of Internet misuse should not result in nullifying privacy expectations in the workplace, including where the web services are made available by the employer.

 

For further information: decision in national language "Ordinanza ingiunzione nei confronti di Comune di Bolzano - 13 maggio 2021"

 

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.