Labour: Privacy Guarantor sanctions Lazio Region for unlawful control of employees’ e-mail metadata
No monitoring of employees’ e-mail metadata without adequate safeguards for confidentiality and in breach of the rules limiting remote control of workers.
The case examined below arises from the report submitted to the Italian Supervisory Authority “Garante per la Protezione dei dati personali” (hereinafter the “Authority”) by the independent trade union Fedirets (Federation of Managers and Executives of Territorial and Health Authorities) concerning the monitoring – carried out by the Regional Administration of the Lazio Region (the “Region”) – about the e-mails of the personnel employed by the Regional Attorney’s Office. During the preliminary investigation, the Region defended itself by endorsing the above-mentioned monitoring as an internal audit based on the suspicion of a possible disclosure to third parties of information protected by official secrecy.
The Authority once ascertained the concrete carrying out of the monitoring by the Region of the lawyers employed by the Regional Attorney’s Office – in detail of the employees who sent messages to the said trade union – which for the such purpose made use of the data stored for a general purpose of computer security for the 180-day retention period, has consequently stated the unlawfulness of the conduct as performed in the absence of appropriate legal prerequisites and in violation of the principles of data protection and of the national sectoral provisions protecting the dignity of individuals in the workplace, with particular reference to the potential controls by the employer in the context of remote control.
In the decision, the Authority clarified that the generalised collection and storage for a period exceeding seven days of metadata pertaining to the use of e-mail, such as the day, time, addressee, subject and size of the e-mail, which as a form of correspondence is protected by the Constitution, are not instrumental to the “performance of the service” of the employee, within the meaning of the Workers’ Statute. The processing of personal data carried out has, inter alia, allowed the employer to come into possession of information relating also to the private sphere of employees, starting with their opinions, contacts and facts not related to work.
Furthermore, the Authority referred to the following principles, which should have been observed by the data controller in charge of the processing:
principle of lawfulness, fairness and transparency pursuant to Articles 5(1)(a), 12 and 13 of the General Data Protection Regulation (the “Regulation”);
principle of storage limitation pursuant to Article 5(1)(e) of the Regulation;
principle of accountability pursuant to Article 5(2), further clarified by Article 24(1) of the Regulation;
principle of “data protection by design and by default”, pursuant to Article 25 of the Regulation (see Guideline 4/2019 on Article 25 – Data protection by design and by default).
The processing of metadata relating to the use of e-mail accounts by employees must be carried out in compliance with the data protection principles (Art. 5(1) of the Regulation), which the data controller must be able to prove (Art. 5(2) of the Regulation), also with regard to the appropriate technical and organisational measures implemented in order to ensure compliance with the data protection rules and any applicable sectoral rules (Art. 24(1) of the Regulation), in particular:
the data controller must adopt appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 of the Regulation in a concise, transparent, intelligible and easily accessible form, in simple and clear language (Art. 12 of the Regulation) by indicating in the information notice the “legal basis of the processing” and the “period of storage of personal data” (Art. 13, par. 1, let. c) and par. 2, let. a), of the Regulation) in order to provide the data subject with a clear and transparent representation of the overall processing carried out, with particular regard to the collection and storage of metadata relating to the use of electronic e-mail;
undertake the appropriate measures provided for in Article 4(1) of Law No. 300/1970: the trade union agreement or, alternatively, public authorization;
N.B.: the generalised collection and storage of such metadata, for a period of time longer than seven days, cannot be included in the scope of application of Article 4(2) of Law No. 300/1970, but rather among the measures for the protection of the integrity of the data controller’s information assets as a whole, as provided for in Article 4(1);
the data controller must give an account of the processing of such metadata in the policy for the use of IT tools, the purpose of which is in fact to summarise concepts and responsibilities connected with the main rules of conduct to be followed in order to avoid computer-related risks in compliance with the current Italian legislation on the protection of personal data;
limit their storage: personal data must be “stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed” (Article 5(1)(e) of the Regulation);
the controller must adopt internal policies and implement measures that satisfy, among other principles, the fundamental principles of data protection by design and by default, which could take the form, inter alia, of minimising data processing, pseudonymising data or offering transparency and security solutions (see “Guideline 4/2019 on Article 25 – Data protection by design and by default”);
the processing of metadata relating to the use of e-mail should only be carried out following a prior data protection impact assessment pursuant to Article 35 of the Regulation.
On this point, by taking into account the guidelines provided at the European level, the Authority stated that the processing in question, by implying the systematic collection of such metadata (including information relating to the sender/recipient and the subject of each e-mail), its storage for more than seven days and in the possibility of extracting, processing and verifying such metadata, entails specific risks for the rights and freedoms of the data subjects in the working environment (Article 35 of the Regulation).