The Italian DPA again confirms privacy applies also to personal data
stored on professional devices
One of the most common misunderstandings encountered when providing privacy advice is that employers are entitled to indiscriminately access the content of company email accounts and devices used by employees, both during the employment relationship and after its termination. Nothing could be more wrong, as repeatedly stated by the Italian DPA (the Garante) and by national and supranational case law.
The latest case in chronological order concerns an order issued by the Garante on last 10 February, whereby the company Costampress S.p.A. has been fined pursuant to Article 83(5) of EU Regulation 2016/679 (“GDPR”) for breaches of Articles 5(1)(a), 12 and 13 GDPR, because of accessing to the computer in use by its former CEO in the absence of appropriate information.
Following his dismissal, decided by the Costampress on 4 October 2018, the manager filed a complaint with the Garante alleging several breaches of his personal data. In particular, the applicant claimed that: (i) the Company did not delete his professional e-mail account after the termination of his employment with it; (ii) he was not able to obtain his company telephone number, which in the past was a private number and was used by the complainant for both work and personal needs, as well as to access to his laptop; (iii) the Company had access to his devices, allowing third parties to access his private WhatsApp conversations. The applicant added that all this had happened notwithstanding he hadn’t been provided with any privacy information or notice.
The central point of the case is the access to the applicant’s computer in the absence of appropriate information, since the Garante ascertained the absence of violations with regard to other complaints.
In this regard, during the proceedings and investigation, the Costampress firstly affirmed that the applicant was entrusted, among other tasks, with the drafting of the company’s policy on the use of professional e-mail accounts and the appointment of a system administrator authorised to access, on behalf of the company, incoming messages in such accounts. Namely, the company argued that even though he had not completed his task, the CEO had already seen the “draft” of that policy at the time of the processor and was therefore aware that his professional mailbox was accessible at any time by the company or its authorized persons. Costampress then specified that, after the dismissal took place, it adopted the dedicated internal regulation for the use of the company’s IT equipment, internet, e-mail and telephone number, which also serves as notice pursuant to Art. 13 GDPR.
Finally, the Company confirmed that it accessed to the computer used by the former CEO with the help of a digital forensic expert to obtain information necessary for the protection of its own rights before a competent court, in the context of a dispute between the two parties
The decision of the Garante
After the investigation, the Garante ascertained that at the time where the access to the data stored on the professional computer used by the applicant had been made the Company had not adopted any document, in a definitive version made available to employees, serving as privacy notice pursuant to Art. 13 GDPR.
The Garante than referred – as it has often done in the past – to the constant orientation of the European Court of Human Rights, according to which the protection of private life also extends to the working environment, since when carrying out working and/or professional activities relations develop and the personality of the worker is expressed (see Articles 2 and 41, paragraph 2, of the Italian Constitution). In particular, considering that the borderline between the working/professional sphere and the strictly private sphere cannot always be clearly drawn, the ECHR considers that Article 8 of the European Convention on Human Rights, which protects private life without distinguishing between the private and professional spheres, is applicable (see Niemietz c. Allemagne, 16.12.1992 (ric. n. 13710/88), spec. par. 29; Copland v. UK, 03.04.2007 (ric. n. 62617/00), spec. par. 41; Barbulescu v. Romania [GC], 5.9.2017 (ric. n. 61496/08), par. 70-73; Antovi and Mirkovi v. Montenegro, 28.11. 2017 (ric. n. 70838/13), spec. par. 41-42). Therefore, the Garante clarified that the processing of data carried out by means of information technology within the framework of the employment relationship must respect the fundamental rights and freedoms as well as of the dignity of the data subject, with the aim protect workers and third parties (see Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment, par. 3).
In the light of the above, the Garante concluded that Costampress had breached Art. 13 GDPR, as it had carried out the processing in the absence of adequate information to the data subject. The Company was therefore fined of €10,000.
In the commented order, far from having carried out a revolution, the Garante reiterated some fixed points which, although consolidated, always deserve to be reaffirmed
First of all, the importance of protecting privacy also in the workplaces, which are not an oasis where the employers are allowed to do everything, but places where the worker’s personality is expressed and where workers’ rights must be protected.
At a formal level, it is also important to point out that the Garante has once again stressed the conceptual difference between the data controller and its managing director. Although the latter organically represents the entity, in fact, he is a data subject like any other and must therefore receive appropriate information on the processing of his data.
Finally, with regard to the possibility to use data acquired in breach of the GDPR within legal proceedings, it is worth mentioning the Garante’s reference to Art. 160-bis of Legislative Decree no. 196/2003 (Privacy Code), according to which: “Validity, enforceability and admissibility in judicial proceedings of records, documents and measures based on processing of personal data that is not compliant with laws or the Regulation shall continue to be regulated by the relevant procedural law provisions”.