The employer’s right to control over the employee’s usage of the information systems is a subject on which different opinions of jurisprudence and interpretation constantly confronted each other and that involves both labour law and privacy regulation.
With the Legislative Decree 14th September 2015 n. 151, one of the decrees of the so-called Jobs Act, the regulation of the employer’s control over his employees and the art. 4 of the Worker’s Statute have been reformed.
The systems designed to control entries and presences, namely the company badge, and the systems that the employees use for the execution of their job (for example the company computer or the company phone) do not need to be authorized or previously agreed with the trade union and can be monitored by the employer, even if the information stored in the systems could entail disciplinary consequences. Essential requirement for the proper use of the power of the employer is the respect of the Privacy Code rules and the regulations of the Authority, which imposes on the employer to provide the employees with a prearranged and adequate report about the use of the systems and the ways in which the controls are conducted. Moreover, the employee needs to give his free and expressed consent to the data processing.
A “prearranged and adequate report” is an understandable, transparent and written report, regarding: the data controller, the data managers, the – if existing – possibility of transmitting the data to third parties, the rights of the interested parties as stated in art. 7 of the Privacy Code, but also the ways and the purposes of the data processing. If the company intends to use the data collected for disciplinary purposes, it needs to be made clear in the report.
It is important to respect the principles of correctness, relevance and non-excess, therefore, the data could be collected and recorded only for specific, explicit and licit purposes, and could be stored only for the amount of time necessary to the achievement of the purposes themselves.
To this end the Authority, in his guidelines about e-mails and internet dated 1st March 2007, states that could be appropriate for the employers to adopt and make public among their employees, an internal policy containing the rules regarding the proper use of the company systems and the information concerning controls. As an example the internal policy could include: the forbidden behaviours relating to internet surfing or store of specific files in the internal network, whether and how it is allowed to use the company e-mail or internet for personal purposes, which information are temporarily – or for a longer period – saved and who could access them, which kind of controls could be implemented by the employer and the ways in which they are conducted, the consequences – even the disciplinary ones – that could arise from the violation of such policy.
In the event of lack or unsuitability of a “prearranged and adequate report”, the Worker’s Statute states that the data collected are unusable for all business relationship-linked purposes, and the Privacy Code prescribes the payment of an administrative sanction.