Garante per la protezione dei dati personali (Italy) - 10096474
| Garante per la protezione dei dati personali - 10096474 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 12 GDPR, Article 17 GDPR, Article 88 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 12.12.2024 |
| Fine: | 20,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 10096474 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante (in IT) |
| Initial Contributor: | elu |
The DPA imposed a fine of €20,000 on an employer whose internal IT policy provided for the systematic collection and storage of its employees' internet browsing log files.
English Summary
Facts
The controller asked the data subject for access to her work computer.
The data subject stated that the computer contained personal data and communications.
Subsequently, the data subject asked the controller, in two emails, why the manager had instructed some technicians to inspect, outside of working hours and without any employee present, the personal data stored on the work computers.
After receiving no answer to these emails, the data subject further exercised her right to erasure under Article 17 GDPR and asked the controller to deactivate and delete all email accounts she had used, so as to avoid the collection, storage and indiscriminate detailed checking of any email received on those accounts.
Violation of Articles 12 and 17 GDPR due to the lack of reply to the data subject's access and erasure request
The investigation revealed that the controller had planned the installation of document-management software. When installing the software, the controller asked the service provider to activate an email inbox dedicated to the aggregation of incoming company mail, by forwarding the employees' mailboxes to that inbox.
Nevertheless, after a couple of days, the controller asked the software provider to close the email inbox and arrange for its erasure. The controller therefore claimed that no personal data of employees was accessed or stored in connection with the setting up of that inbox. Moreover, the controller claimed that the erasure of the data subject's data had been communicated to her orally.
Violation of Article 5(1)(a) and (c) GDPR due to the use of IT tools by the company leading to the systematic collection and storage of internet browsing log files
The controller adopted an internal policy on the correct use of the company's IT tools which provided for the systematic collection and storage of internet browsing log files.
More specifically, in relation to the email inboxes, personal data is stored for 30 days and subsequently saved on an external disk and archived on optical media kept in a fireproof safe. In particular, the controller stores the internet browsing log files for 30 days, with the possibility of tracing the identity of each individual employee.
The lawful ground for processing claimed by the controller is the need to prevent or correct malfunctions of the IT system. The controller also reserves the right to directly access the IT tools and the documents they contain.
Holding
The DPA found the following.
Violation of Articles 12 and 17 GDPR due to the lack of reply to the data subject's access and erasure request
Before establishing that the controller violated Articles 12 and 17 GDPR, the DPA found that the controller unlawfully processed data.
The DPA found that the controller failed to erase the data subject's personal data “without undue delay” under Article 17 GDPR. In fact, as per Article 12(4) GDPR, the controller must reply to a data subject's request within one month.
Even if the erasure of the personal data was communicated orally within that deadline, the date of that communication cannot be ascertained, so the lawfulness of the controller's reply cannot be established.
The DPA therefore found that the controller failed to respond to the data subject's erasure request as required by Articles 12 and 17 GDPR.
Violation of Article 5(1)(a) and (c) GDPR due to the use of IT tools by the company leading to the systematic collection and storage of internet browsing log files
The DPA considered that the legal ground for data processing of ensuring security and efficiency of the IT system must be balanced with the rights and freedoms of the data subjects.
Finally, the DPA considered that the systematic storage of log files generated by the use of email, in the context of an employment relationship, combined with the possibility for the controller to directly access all the contents present in the devices assigned to employees, meant that the controller could reconstruct its employees' activity. By providing for the storage of this data, the controller violated Article 5(1)(a) and (c) GDPR.
Fine
Therefore, the DPA deemed it appropriate to impose a fine of €20,000 on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10096474]
Provision of 12 December 2024
Register of provisions no. 771 of 12 December 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
In today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;
HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);
HAVING SEEN the complaint submitted pursuant to art. 77 of the Regulation by Ms. XX against Ambiente 2000 S.r.l.;
HAVING EXAMINED the documentation in the files;
HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;
REPORTER Dr. Agostino Ghiglia;
WHEREAS
1. The complaint against the Company and the investigative activity.
By complaint dated 23 September 2022, Ms. XX complained of alleged violations of the Regulation by Ambiente 2000 S.r.l. (hereinafter, the Company), with reference to the processing of personal data carried out through the management of the company email address. In particular, the complainant complained that the employer, on 4 November 2021, had asked the complainant (to whom the individualised XX account had been assigned), and the other employees, to communicate the “access passwords and [the] passwords of the individual files of the company computer […] used”.
In this regard, the complainant represented that, on the assigned company PC, there were also “personal […] data and communications relating to […] private life” of the same (see e-mail of 4/11/2021 sent by the then sole director of the company with the subject “Password request”, Annex 1 to the complaint). The employee documented that she had asked the Company, with two emails sent on 11/21 and 11/25/2021, for explanations on further events that would have occurred in the following days. In particular, according to what was represented, “on 11/22/21, the sole director […] commissioned some technicians to inspect, again, outside of working hours and in the absence of the employees, the personal data stored within the company PCs”. Subsequently, on November 23, 2022, a technician from the software assistance service “reported to all employees present in the office, that, without his knowledge, a new email address, XX, had been created to which all the company emails of all employees were being diverted and that this new system was unable to sort the emails to the original recipients”. Subsequently, “The company email system was restored […] on 11/26/21”. The Company did not provide any feedback to the emails of 21 and 25/11/2021, nor did it respond to a subsequent request, dated 12 September 2022, with which the complainant exercised her right to the deletion of personal data pursuant to art. 17 of the Regulation and also asked to “deactivate and remove the email accounts […] used”; “not to access the […] email boxes”; “to avoid the collection of mail in transit on such accounts, storage and minute indiscriminate control, which constitute remote control”. The complainant therefore requested the intervention of the Authority, believing that such conduct occurred in violation of the provisions of the Regulation and the Code. 
The Company, in responding to a request for information sent by the Authority on 23 October 2023, with a note dated 20 November 2023, stated that: the request to provide access passwords addressed by the Company to employees on 4/11/2021 was aimed at "allowing the installation of a software called "DOC" [...]. The installation of the software had been made known to all employees, who had been asked to allow access to IT technicians. In particular, this need arose from the failure to communicate important company emails to the Sole Director on the initiative of the complainant, in violation of what is written in paragraph 2.4.4 of the Internal Regulations for the correct use of IT tools, email and internet browsing"; “with a contract dated 4.11.2021, which is attached […], the company […] provided Ambiente 2000 s.r.l. with a license to use the “DOC” software for the management and archiving of documents and organizational flows. At the time of installation, a consultancy was requested for the activation of an email box for the aggregation of incoming company emails. An email address (XX) was thus created by activating the forwarding of the indicated boxes to the latter. Following disruptions related to the slowness of the network and the system, after a couple of days, Ambiente 2000 s.r.l. asked the company […] to discontinue the box by deleting the account; operation carried out in real time remotely”; therefore “the software was installed on 11/15/2021 on the company workstations that technicians were able to access, i.e. three workstations, one of which was used as a server. The other computers, including that of the [complainant], were inaccessible due to the failure to communicate the access passwords. 
[…] As a result of the disruptions generated following the installation of the software, the company had the opportunity to withdraw from the contract”; “due to the failure of the software described above, there was neither acquisition nor storage of personal data of the employees”; “the failure of the software described above did not allow the performance of the function for which it had been adopted and, consequently, there are no subjects who had access to the [XX] account”; “no access was made to the computer of the [complainant] nor to her email account as she did not share her password”; as for the request to exercise the rights presented by the complainant, “it should first be noted that the request to exercise the rights was addressed […] not to the company email dedicated to receiving such requests also indicated in the policy […], but directly to the administrator of the company. The same also believed that he did not have to provide a response since no one had been able to access the PC used by the [complainant]; therefore, no abusive or illicit processing of data occurred. […] With regard to the deactivation of the account [assigned to the complainant], this occurred even if it is not possible to indicate the date, as per the request sent to Aruba which is attached”; “an internal disciplinary document was adopted which is attached”.
2. The initiation of the procedure for the adoption of corrective measures and the company’s deductions.
On 14 March 2024, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, notification to the Company of the alleged violations of the Regulation found, with reference to the arts. 5, par. 1, lett. a) and c), 12, 17 and 88 of the Regulation as well as articles 113 and 114 of the Code.
With defensive briefs sent on 12 April 2024, the Company represented that: “with regard to the failure to respond to the request […] with which the complainant requested, among other things, the “cancellation of [her] personal data pursuant to art. 17, par. 1, EU Reg. 2016/679”, as well as the deactivation and removal of the email accounts used, it is reiterated that the Company considered, in good faith, that it did not have to respond in writing since there had been no unlawful processing of personal data and, furthermore, because a response, albeit oral, had been given to the interested party. Response made by the then legal representative of the company, […], at the beginning of October 2022” during a conversation also concerning private matters (note 12/4/2024, p. 1-2); “the complainant today was not just any employee of the company […], but was a partner […] and as such was aware of the content of the Internal Regulations. The request made by the complainant also appeared superfluous as she was required to know that she could not save “personal […] data and communications relating to […] private life” on the company PC, as this was expressly prohibited by the Regulations themselves” (note cit., p. 
2); “the then sole director […], decided not to provide written feedback to the request made: a) because he could not know that “personal […] data and communications relating to […] private life” had been saved on the company PC, by a worker partner who was well aware of the Internal Regulations; b) since there had been no unlawful processing of personal data; c) since the complainant was already in possession of the appropriate elements of response requested, being aware of the fact that the document management software and the email box for the sole “aggregation of incoming company emails” (XX), following the occurrence of “disruptions”, had been immediately deactivated, […]; d) since she had verbally communicated to the complainant the cancellation of the account [assigned to her]” (note cit., p. 2-3); “the complainant’s request was not sent to the company’s certified email address (XX, as indicated in the privacy policy) but to the personal certified email address [of the then sole director] and, therefore, in good faith its relevance was underestimated. It should be added that the certified email in question arrived in a period in which [the then sole director] was alone engaged in the administrative and organizational management of the company. In the same period [he] was also heavily absorbed in issues related to the complainant who, due to his obstructive conduct, refused in several calls to approve the company's 2021 financial statements" (note cit., p. 3); with regard to the content of the internal disciplinary document, dated 23/9/2019, "an in-depth analysis carried out with the IT systems supplier [...] highlighted that no system for tracking log files is installed, in addition to the event log that is part of the standard of all Windows systems. Furthermore, the company IT system provides for the evening execution of a back up that concerns all documents that have been created or modified in the shared Ambiente2000 folder.
Once a week the system re-runs a complete backup. The Winwaste database, the waste management software, is also backed up daily" (note cit., p. 3); “The email address assigned to the complainant has been disabled […]” (note cit., p. 4); “The company does not carry out and has never carried out systematic checks on the use of employees’ electronic tools but reserves the right to carry out targeted accesses or checks ex post in the event of prolonged absence or impediment of the person in charge which makes it indispensable and unpostponable to intervene for exclusive needs of company operations, system security, or suspicion of illicit activities. With specific reference to the complainant, the company has never carried out targeted accesses or checks. The company has never intended to carry out a systematic and massive check of the employee-member’s activity nor access data “not relevant for the purposes of assessing her professional aptitude” as well as private and/or sensitive data” (note cit., p. 4); “the company informed the complainant ˗ and the other employees ˗ about the methods and purposes of the described data collection and storage activity, through the adoption of the documents called “Basic rules for the storage of information and for the use of paper and IT resources”, “Back up and Recovery”, “Internal regulations for the correct use of IT tools, e-mail and internet browsing”, “Risk analysis” and “Register of treatments” (note cit., p. 4); “Although the Internal Regulation provides, but only to prevent or correct malfunctions of its system and to guarantee its efficiency, the registration of traffic components (log files) relating to e-mail, internet, internal network and telephony, as already written above, the company Ambiente 2000 srl does not use any system for recording log files. Therefore, no treatment was carried out “in violation of art. 5, par. 1, letter a) and c) of the Regulation and art. 
114 and 115 of the Code in relation to the provisions of art. 88 of the Regulation”” (note cit., p. 5); “a discussion was initiated with the external Privacy consultant for the review of the content of the “Internal regulations for the correct use of IT tools, e-mail and internet browsing” and its actual application in daily practice” (note cit., p. 5); “although we believe that we have not committed any violation in the sense that there has been no illicit use of personal data, the objections raised by the Guarantor were a useful opportunity to verify the compliance of the internal rules with the legislation to which the company intends to comply” (note cit., p. 5). During the hearing held on 15 July 2024 following a request from the Company, the latter finally highlighted that: the failure to respond to the request to deactivate the account occurred due to “an unintentional carelessness. This is because the account on which the aforementioned request for cancellation was received is not that of the company, to which it is necessary to address requests of this kind according to the company's Privacy Policy, but rather the personal account of the sole director pro-tempore, on which, in the same period considered, a considerable number of emails arrived, equal to 47, as documented in the report that the Company will send as soon as possible to the Guarantor"; "The complainant, at the time of the contested facts, was the de facto director of the Company who acted on behalf of the Company itself on the basis of a power of attorney and at an administrative level took care of all the obligations"; "To execute the request to deactivate the email account assigned to the complainant, the IT technician had to intervene as the legal representative was not technically able to do so. The impossibility of doing so independently was verbally represented to the complainant by virtue of the personal relationship in place".
3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.
3.1 Outcome of the investigation. Violation of Articles 12 and 17 of the Regulation.
Following the examination of the declarations made to the Authority during the proceedings and of the documentation acquired, it appears that the Company, as the data controller, has carried out some processing operations, relating to the complainant, which are not compliant with the regulations on the protection of personal data. In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to Article 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor". On the merits, it emerged first of all that the Company, based on the contract signed on 4/11/2021 with a service company, planned the installation of a document management software (“DOC”). At the time of installing the software, the Company asked the service provider to activate an email box (XX) dedicated to the “aggregation of incoming company emails […] activating the forwarding of the boxes to the latter”. However, after “a couple of days”, following the occurrence of “disruptions”, the Company itself asked the service provider to discontinue the box and arrange for its cancellation. With regard to the document management software, this was installed on 15/11/2023 on three workstations (with the exception of the one assigned to the complainant). Since “disruptions” also occurred in relation to the installation of the software, the Company withdrew from the service supply contract.
According to what was declared by the Company under its own responsibility, therefore, "there was neither acquisition nor storage of personal data of employees" following the temporary activation of the XX mailbox and the document management system (only on three workstations). Following the examination of the documents, given that in general terms the creation of a company account (whose name also significantly contains the term "control") with redirection to it of all messages arriving on company accounts, even of an individualized type, appears to be of dubious legitimacy (in relation to specific cases of redirection carried out after the termination of the employment relationship, see Provision of 27 April 2023, no. 171, web doc. no. 9909235; Provision of 16 December 2021, no. 440, web doc. no. 9739653), in any case, no evidence emerged of data processing (also referring to the complainant) carried out by the Company on the occasion of the installation of the document management system and the activation of the XX mailbox. However, it also emerged that, on 12/9/2022, the complainant sent the Company, via email, a request, among other things, for the “cancellation of [her] personal data pursuant to art. 17, par. 1, EU Reg. 2016/679”, with particular reference to the deactivation and removal of the email accounts used by the complainant herself. The Company did not provide any feedback to this request since, based on what was stated, the then sole director of the Company considered that he was not required to respond since the request was deemed “undue” and in any case there would have been no unlawful processing of personal data. 
In addition, the Company considered that the failure to respond was due to the fact that the request for cancellation was sent by the complainant to the certified email address containing the name and surname of the then administrator of the Company and not to the different address XX indicated in the "General Privacy Policy" (dated 23/9/2019) regarding the methods of exercising the rights by the interested parties (see Annex 3, Company response note 20/11/2023). In any case, it is noted that the individualized account assigned to the complainant at the time was cancelled by the Company, although the Company was unable to document, with precision, when this occurred (despite having made a request to this effect to the service provider: see Annex 5, cited response note). Confirmation of the cancellation would have been provided verbally to the complainant “at the beginning of October 2022” (see defense briefs 12/4/2024, p. 1-2). Even taking into account the peculiarities of the case, the Company’s conduct is in contrast with the provisions of art. 17 of the Regulation where it establishes that the data subject has the right to obtain, from the data controller, the cancellation “without undue delay” of personal data concerning him or her in the presence of specific reasons indicated by the law. The obligation of cancellation, placed on the data controller, must follow the procedures prescribed by art. 12, in particular where it prescribes that “the data controller shall provide the data subject with information on the action taken on a request pursuant to Articles 15 to 22 without undue delay and, in any case, at the latest within one month of receipt of the request”. Therefore, the Company should have provided, “at the latest within one month”, a specific response to the request for cancellation, hypothetically also in the event of refusal (in accordance with the provisions of art. 12, par. 
4 of the Regulation), nor can the provisions referred to above be considered satisfied by the circumstance that the cancellation was carried out and communicated verbally to the interested party, i.e. without observing the specific methods provided for by the personal data protection legislation. The argument advanced in this regard by the Company cannot be accepted, because the specific methods of response, by the data controller as provided for by the Regulation, constitute an integral part of the right recognized to the interested party. Furthermore, as already observed above, in the specific case, the date of cancellation of the email address that is the subject of the complaint does not emerge with certainty from the documents of the procedure. Nor can it be considered, as argued by the Company, that the failure to respond is legitimately attributable to the use, for the forwarding of the request for cancellation by the complainant, of the email address containing the name and surname of the then sole director instead of the address dedicated to the exercise of rights included in the Privacy Policy prepared by the Company. This is because the Company itself represented that it had in any case taken cognizance of the request conveyed to the certified email address of the sole director, despite the receipt of numerous other certified emails on the same account, and that it had responded to it, albeit verbally, during a conversation with the complainant. In any case, in general terms, it is represented that the Guidelines 01/2022 on data subject rights - Right of access, EDPB, of 28 March 2023, have clarified that the owner cannot request a specific format for requests to exercise the right of access nor, in principle, specific requirements that the interested parties must observe when choosing a communication channel through which they come into contact with the data controller (see point 52). 
Therefore, the Company, in the terms described above, has not complied with the obligation to provide feedback to the interested party following the exercise of the rights provided for by the Regulation - in this case the right to erasure pursuant to art. 17 -, within the terms and with the methods prescribed by art. 12 of the Regulation.
3.2 Violation of art. 5, par. 1, lett. a) and c) and 88 of the Regulation as well as art. 113 and 114 of the Code.
It also emerged that the Company has adopted an “Internal Regulation for the correct use of IT tools, e-mail and Internet browsing”, dated 23/9/2019, which, among other things, provides for the systematic collection and storage of “traffic components (log files) relating to: E-mail […] Internet […] Internal network […] Telephony” (see Annex 6, Company feedback note 20/11/2023). In particular, with reference to e-mail, the data collected is expected to be stored for thirty days and, subsequently, “the information is saved on a disk area and subsequently (with appropriate periodicity) is stored on non-rewritable optical media stored in a special fireproof safe. The history of the last six months is maintained […]”; “only internal or external persons expressly authorised by the Data Controller to manage the e-mail service can access the information collected”. Also with regard to the internal network, “the information […] is collected, stored and analyzed according to the methods described above for the email service”, with the possibility of access by persons authorized “to manage the internal network services”. With reference to telephony, “the information […] is collected, stored and analyzed according to the methods described above for the email service”, with the possibility of access by persons authorized “to manage the telephone service”. With regard to Internet browsing, “the information is collected, stored and analyzed according to the methods described above for the email service”.
In particular, the data controller reserves the right to store the log files relating to web traffic, for a period of thirty days, with the possibility of tracing the individual identifiable operator “through aggregation with the data of a separate table”. Identifiability is also possible in relation to the data relating to email, internal network and telephony (see par. 2.4.9 “Controls and checks”). In relation to the data collected and stored in the manner indicated above, the Company reserves the right to carry out “occasional checks on electronic instruments, personal computers/processors, related peripherals, storage media and any other electronic apparatus or device”. Although the methods of carrying out the checks, as represented in the Regulation, are abstractly inspired by the principle of graduality (considering that checks on an individual basis may take place after carrying out checks on an anonymous basis, but in the event of repeated violations of the regulation the Company reserves the right to initiate disciplinary proceedings), the preventive and systematic collection and storage of log files – for a significant period of time, equal to thirty days plus six months – relating to the use of the email system, internet browsing, the internal network and telephony does not comply with the general principle of minimization, according to which personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (art. 5, par. 1, letter c) of the Regulation). This is also taking into account that the declared purpose of such processing consists in the need to "prevent or correct malfunctions of the [...] system as well as guarantee its efficiency". Similarly, for "reasons of security of the IT system" as well as for "technical and/or maintenance reasons [...] or for purposes of control and planning of company costs" the owner reserves the right to "directly access [...] 
the company IT tools and the documents contained therein, as well as telephone traffic records" (see par. 2.4.8 "Access to data processed by the user"). The legitimate purpose of ensuring the security and efficiency of IT systems must in fact be balanced with the rights and freedoms of the interested parties, even more so in the case in which the owner proposes the processing of data relating to communications which, even if carried out in the context of work, are protected in our legal system also at a constitutional level (on this point, with specific regard to the storage of company email logs, see the guidance document "IT programs and services for managing email in the context of work and processing of metadata", Provv. 6/6/2024, no. 364 in www.garanteprivacy.it, web doc. no. 10026277). Furthermore, through the systematic storage of log files generated by the use of email, internet, internal network and telephony, in the context of the employment relationship, also through the possibility of directly accessing all the contents present in the devices assigned to employees or in any case generated by them, including telephone records, the Company, in violation of art. 5, par. 1, lett. a) of the Regulation (principle of lawfulness of processing), as owner/employer, can reconstruct the activity of its employees and carry out remote monitoring activities through the use of technological devices, even beyond the purposes strictly permitted by art. 4, law 20 May 1970, n. 300 (“Rules on the protection of the freedom and dignity of workers, freedom of association and trade union activity, in the workplace and rules on placement”). This regulation, which constitutes one of the most specific and most protective rules provided for in employment matters by the national legal system pursuant to art. 88 of the Regulation, is referred to in art. 
114 of the Code (“Guarantees in the field of remote monitoring”) as a condition of lawfulness of the processing of personal data carried out in the context of the employment relationship (in this regard, see some previous decisions of the Guarantor in relation to specific cases: Provision 21 July 2022, no. 255, web doc. no. 9809466; Provision 13 May 2021, no. 190, web doc. no. 9669974; Provision no. 53 of 1 February 2018, web doc. no. 8159221; Provision 13 July 2016, no. 303, web doc. no. 5408460). The aforementioned art. 4, law no. 300 of 1970 provides for a specific guarantee procedure in the case of use of "tools that also provide the possibility of remote control of workers' activities". Given that these tools "can be used exclusively for organizational and production needs, for workplace safety and for the protection of company assets", their installation can only take place "subject to a collective agreement stipulated by the unitary trade union representation or by the company trade union representatives. Alternatively, in the case of companies with production units located in different provinces of the same region or in more than one region, such agreement can be stipulated by the comparatively most representative trade union associations at national level. In the absence of an agreement, the systems and tools referred to in the first period can be installed subject to authorization from the territorial headquarters of the National Labour Inspectorate". According to the provisions of the sector regulation, therefore, the Company should have verified the concrete existence of the mandatory purposes indicated by the law, in relation to the treatments envisaged with the Regulation, and, following this verification, if necessary activate the guarantee procedure provided for by the aforementioned regulation on remote controls. 
Through the systematic tracking of logs and access to the contents of the devices, including telephone records, provided for by the Internal Regulations adopted by the Company, it is also possible to access information on facts that are not relevant for the purposes of assessing the professional aptitude of the worker, in violation of art. 113 of the Code (where it refers to compliance with art. 8, law 20/5/1970, no. 300 and art. 10 of Legislative Decree 10/9/2003, no. 276 as a condition for the lawfulness of the processing; in this last regard, Cass. civ., 19/9/2016, no. 18302 established that “acquiring and storing data that contain (or may contain) similar information already entails the integration of the prohibited conduct […] even if the data are not subsequently used. It is not necessary to subject the collected data to any particular processing to incur the illicit act, since the mere acquisition and storage of their availability entails the violation of the legislative requirement”). In fact, the systematic monitoring of the logs of communications made via email and the company telephone, as well as Internet browsing, even if exclusively and abstractly related to the work and professional sphere (as provided for in the specific case by the company regulations) may concern - even incidentally - aspects (e.g. industrial relations, relationships between colleagues, including private ones, health status, etc.) capable of revealing to the employer information that, according to the law, must not be known by the latter. Having said this, it is noted that, with the defensive briefs, the Company declared that during the proceedings before the Guarantor it arranged "an in-depth investigation [...] with the IT systems supplier [during which it emerged] that no system for tracking log files is installed, in addition to the event log that is part of the standard of all Windows systems. 
Furthermore, the company IT system provides for the evening execution of a back up that concerns all documents that have been created or modified in the shared folder Ambiente2000. Once a week the system re-runs a complete backup. The Winwaste database, the waste management software, is also backed up daily” (defense briefs 12/4/2024, p. 3). In this regard, however, it is noted that the Company has not provided any evidence and/or documentation (if applicable also from the IT service provider) of the non-existence of systems suitable for carrying out what is indicated in the internal regulations. At the same time, the Company has also maintained in this regard that “it does not carry out and has never carried out systematic checks on the use of employees' electronic tools but reserves the right to carry out targeted access or checks ex post in the event of prolonged absence or impediment of the person in charge which makes it essential and unpostponable to intervene for exclusive needs of company operations, system security, or suspicion of illicit activities” (defense briefs cited, p. 4). Finally, following the objections of the Guarantor, “a dialogue was initiated with the external Privacy consultant for the review of the content of the [internal regulations] and its actual application in daily practice” (defense briefs cited, p. 5). First of all, it is noted that it is up to the controller, based on the principle of accountability (pursuant to art. 5, par. 2 of the Regulation), to process personal data in a manner that respects the general principles established by the legislation on the protection of personal data (see art. 5, par. 1 of the Regulation), even when using professionals who must still operate based on the instructions and specific indications relating to the purposes and means of processing provided by the controller himself (see art. 4, no. 7 of the Regulation). 
That said, the specifications adopted by the Company and, as stated, made known to employees as of September 2019 and still in force, although in the process of being “revised”, grant the owner/employer the right to carry out processing operations that, for the reasons set out above, do not comply with the rules applicable to the same processing. Furthermore, the Company has represented, in very generic terms, the object of the revisions to be made to the specifications that it would have commissioned from the external consultant. The indication of the specific “targeted” control activities that it reserves the right to carry out in any case in the event of needs related to the “prolonged absence or impediment” of the employee in charge but also in the event of unspecified “needs for business operations, system security, or suspicion of illegal activities” is equally generic. Furthermore, the Company has not clarified to whom the data backed up by the systems are made available, for how long and for what purposes. For the reasons set out above, the processing operations indicated in the “Internal regulations for the correct use of IT tools, e-mail and internet browsing” are in violation of the principles of lawfulness of processing (Article 5, paragraph 1, letter a) of the Regulation in relation to Articles 113 and 114 of the Code) and of minimization (Article 5, paragraph 1, letter c) of the Regulation), as well as Article 88 of the Regulation which allows national law to provide for “more specific measures to ensure the protection of the rights and freedoms with regard to the processing of employees’ personal data in the context of employment relationships”.

4. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation.
For the above reasons, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are therefore unsuitable to allow the archiving of this proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. The processing of personal data carried out by the Company and in particular the failure to respond to the request for deletion of personal data as well as the processing indicated in the "Internal regulations for the correct use of IT tools, electronic mail and internet browsing" are in fact unlawful, in the terms set out above, in relation to art. 5, par. 1, letters a) and c), 12, 17 and 88 of the Regulation as well as art. 113 and 114 of the Code. The breach established in the terms set out in the grounds cannot be considered “minor”, taking into account the nature of the breach which concerned the general principles of processing, the exercise of the rights of the data subject and the sectoral rules applicable to the processing, the gravity and duration of the breach itself, the degree of responsibility and the manner in which the supervisory authority became aware of the breach (see Recital 148 of the Regulation). The Authority also took into account the high level of seriousness of the breach in light of all the factors relevant to the specific case, and in particular the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected by the damage and the level of damage suffered by them. 
The Authority also took into account the criteria relating to the intentional or negligent character of the breach and the categories of personal data concerned by the breach as well as the manner in which the supervisory authority became aware of the breach (see Article 83, paragraph 2 and Recital 148 of the Regulation). Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the prohibition of the processing operations provided for in the internal regulations is ordered in the terms set out in the reasons and the application of a pecuniary administrative sanction is ordered, pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter f) and i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (arts. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Ambiente 2000 S.r.l. has violated art. 5, par. 1, letter a) and c), 12, 17 and 88 of the Regulation as well as art. 113 and 114 of the Code. For violation of the aforementioned provisions, the application of the administrative pecuniary sanction provided for by art. 83 of the Regulation is envisaged. The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18 of Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by Ambiente 2000 S.r.l., which has been ascertained to be unlawful, in the terms set out above. Considering it necessary to apply paragraph 3 of art. 
83 of the Regulation where it provides that “If, in relation to the same or linked processing operations, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”, the total amount of the fine is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5. With reference to the elements listed in art. 83, par. 2 of the Regulation, for the purposes of applying the administrative fine and the related quantification, taking into account that the sanction must “in any case [be] effective, proportionate and dissuasive” (art. 83, par. 1 of the Regulation), it is represented that, in this case, the following circumstances were considered: a) in relation to the nature of the infringement, this concerned cases punished more severely pursuant to art. 83, par. 5 of the Regulation (general principles of processing, rights of data subjects, failure to comply with Member States' provisions adopted pursuant to Chapter IX of the Regulation); in relation to the seriousness of the violation, in this case, the nature of the violation was taken into account, which concerned provisions protecting the exercise of data protection rights and more specific provisions protecting data subjects in the context of employment relationships; with regard to the duration of the violation, the continued validity of the internal regulations was considered relevant; b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the negligent conduct of the Company and the degree of responsibility of the same for not complying with the data protection regulations in relation to a plurality of provisions were taken into account; c) in favor of the Company, the cooperation with the Supervisory Authority, the cancellation of the data relating to the complainant 
(individualized company email account) and the initiation of review activities of the internal regulations were taken into account; the peculiarities of the specific case were also taken into account. It is also believed that, in this case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the abbreviated financial statement for the year 2023, are relevant. Lastly, the amount of sanctions imposed in similar cases is taken into account. In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply to Ambiente 2000 S.r.l. the administrative sanction of the payment of a sum equal to 20,000 (twenty thousand) euros. In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor. This is in consideration of the type of violations found that concerned the exercise of the rights of the interested party and the general principles of processing, also with regard to the need to observe the sector provisions applicable to processing in the workplace.

GIVEN ALL THE ABOVE, THE GUARANTOR

DECLARES pursuant to art. 57, par. 1, letter f) and 83 of the Regulation, the unlawfulness of the processing carried out by Ambiente 2000 S.r.l., in the person of its legal representative, with registered office in Via Brasile, 2, Roseto degli Abruzzi (TE), C.F. 01734620766, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, letter a) and c), 12, 17 and 88 of the Regulation as well as art. 113 and 114 of the Code;

IMPOSES pursuant to art. 58, par. 2, letter f) of the Regulation on Ambiente 2000 S.r.l., the prohibition of processing data relating to employees provided for in the “Internal regulations for the correct use of IT tools, electronic mail and internet browsing” in the terms set out in the reasons;

ORDERS pursuant to art. 58, par. 2, letter i) of the Regulation on Ambiente 2000 S.r.l., to pay the sum of 20,000 (twenty thousand) euros as an administrative fine for the violations indicated in this provision;

HEREBY ORDERS therefore the same Company to pay the aforementioned sum of Euro 20,000 (twenty thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is recalled that the offender has the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Guarantor Regulation no. 1/2019, the publication of this provision on the Authority's website; pursuant to art. 17 of the Guarantor Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 
150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 12 December 2024

THE PRESIDENT Stanzione
THE REPORTER Ghiglia
THE DEPUTY GENERAL SECRETARY Filippi

[web doc. no. 10096474]

Provision of 12 December 2024
Register of provisions no. 771 of 12 December 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Dr. Claudio Filippi, vice-general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018, hereinafter the “Code”);

HAVING SEEN the complaint submitted pursuant to art. 77 of the Regulation by Ms. XX against Ambiente 2000 S.r.l.;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the investigation activity.

With a complaint dated 23 September 2022, Ms. XX complained of alleged violations of the Regulation by Ambiente 2000 S.r.l. (hereinafter, the Company), with reference to the processing of personal data carried out through the management of the company email address. 
In particular, the complainant complained that the employer, on 4 November 2021, had asked the complainant (to whom the individualised XX account had been assigned), and the other employees, to communicate the “access passwords and [the] passwords of the individual files of the company computer […] used”. In this regard, the complainant stated that, in the assigned company PC, there were also “personal data […] and communications relating to […] her private life” (see email dated 11/4/2021 sent by the then sole director of the company with the subject “Password request”, Attachment 1 to the complaint). The employee documented that she had asked the Company, with two emails sent on 11/21 and 11/25/2021, for explanations on further events that allegedly occurred in the following days. In particular, according to what was stated, “on 11/22/21, the sole director […] commissioned some technicians to inspect, again, outside of working hours and in the absence of the employees, the personal data stored within the company PCs”. Subsequently, on November 23, 2022, a software support technician “reported to all employees in the office that, without his knowledge, a new email address, XX, had been created to which all company email for all employees was being redirected and that this new system was unable to route emails to the original recipients.” Subsequently, “The company email system was restored […] on 11/26/21.” The Company reportedly did not provide any feedback to the emails of 11/21 and 11/25/2021, nor did it respond to a subsequent request, dated September 12, 2022, in which the complainant exercised her right to erasure of personal data pursuant to art. 17 of the Regulation and also asked to “deactivate and remove the email accounts […] used”; “not to access the […] email boxes”; “to avoid the collection of mail in transit on such accounts, the storage and the indiscriminate minute control, which constitute remote control”. 
The complainant therefore requested the intervention of the Authority, believing that such conduct occurred in violation of the provisions of the Regulation and the Code. The Company, in providing feedback to a request for information sent by the Authority on 23 October 2023, with a note dated 20 November 2023 represented that: the request to provide the access passwords addressed by the Company to employees on 4/11/2021 was aimed at “allowing the installation of a software called "DOC" […]. The installation of the software had been brought to the attention of all employees, who had been asked to allow access to IT technicians. In particular, this need arose from the failure to communicate important company emails to the Sole Director on the initiative of the complainant, in violation of what is written in paragraph 2.4.4 of the Internal Regulations for the correct use of IT tools, email and internet browsing"; “with a contract dated 4.11.2021, which is attached […], the company […] provided Ambiente 2000 s.r.l. with a license to use the “DOC” software for the management and archiving of documents and organizational flows. At the time of installation, a consultancy was requested for the activation of an email box for the aggregation of incoming company emails. An email address (XX) was thus created by activating the forwarding of the indicated boxes to the latter. Following disruptions related to the slowness of the network and the system, after a couple of days, Ambiente 2000 s.r.l. asked the company […] to discontinue the box by deleting the account; operation carried out in real time remotely”; therefore “the software was installed on 11/15/2021 on the company workstations that technicians were able to access, i.e. three workstations, one of which was used as a server. The other computers, including that of the [complainant], were inaccessible due to the failure to communicate the access passwords. 
[…] As a result of the disruptions generated following the installation of the software, the company had the opportunity to withdraw from the contract”; “due to the failure of the software described above, there was neither acquisition nor storage of personal data of the employees”; “the failure of the software described above did not allow the performance of the function for which it had been adopted and, consequently, there are no subjects who had access to the [XX] account”; “no access was made to the computer of the [complainant] nor to her email account as she did not share her password”; as for the request to exercise rights presented by the complainant, "it should first be noted that the request to exercise rights was addressed [...] not to the company email dedicated to receiving such requests also indicated in the policy [...], but directly to the company administrator. The same administrator also believed that he did not have to provide a response since no one had been able to access the PC used by the [complainant]; therefore, no abusive or illicit data processing occurred. [...] With regard to the deactivation of the account [assigned to the complainant], this occurred even if it is not possible to indicate the date, as per the request sent to Aruba which is attached"; "an internal disciplinary document was adopted which is attached".

2. The initiation of the procedure for the adoption of corrective measures and the company's deductions.

On 14 March 2024, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations of the Regulation found, with reference to art. 5, par. 1, letters a) and c), 12, 17 and 88 of the Regulation as well as art. 113 and 114 of the Code. With defensive briefs sent on 12 April 2024, the Company represented that: “with regard to the failure to respond to the request […] with which the complainant requested, among other things, the “cancellation of [her] personal data pursuant to art. 
17, par. 1, EU Reg. 2016/679”, as well as the deactivation and removal of the email accounts used, it is reiterated that the Company believed, in good faith, that it did not have to respond in writing since there had been no unlawful processing of personal data and, furthermore, because a response, albeit oral, had been given to the interested party. Response given by the then legal representative of the company, […], at the beginning of October 2022” during a conversation also concerning private matters (note 12/4/2024, p. 1-2); “the complainant today was not just any employee of the company […], but was a member […] and as such was aware of the content of the Internal Regulations. The request made by the complainant also appeared superfluous since the complainant was required to know that she could not save “personal […] data and communications relating to […] private life” on the company PC, as this was expressly prohibited by the Regulations themselves” (note cit., p. 2); “the then sole director […], decided not to provide written feedback to the request made: a) since he could not know that “personal […] data and communications relating to […] private life” had been saved on the company PC, by a worker partner who was well aware of the internal Regulations; b) since there had been no unlawful processing of personal data; c) since the complainant was already in possession of the appropriate elements of response requested, being aware of the fact that the document management software and the email box for the sole “aggregation of incoming company emails” (XX), following the occurrence of “disruptions”, had been immediately deactivated, […]; d) since he had verbally communicated to the complainant that the account [assigned to her] had been cancelled” (note cit., p. 
2-3); “the complainant’s request was not sent to the company’s certified email address (XX, as indicated in the privacy policy) but to the personal certified email address [of the then sole director] and, therefore, its relevance was underestimated in good faith. It should be added that the certified email in question arrived during a period in which [the then sole director] was alone in the administrative and organizational management of the company. During the same period [he] was also heavily absorbed in issues related to the complainant who, due to his obstructive conduct, refused in several meetings to approve the company’s 2021 financial statements” (note cit., p. 3); with regard to the content of the internal disciplinary document, dated 23/9/2019, “an in-depth analysis carried out with the IT systems supplier […] highlighted that no system for tracking log files is installed, in addition to the event log that is part of the standard of all Windows systems. Furthermore, the company IT system provides for the evening execution of a back up that concerns all documents that have been created or modified in the shared Ambiente2000 folder. Once a week the system re-runs a complete backup. The Winwaste database, the waste management software, is also backed up daily” (note cit., p. 3); “The email address assigned to the complainant has been disabled […]” (note cit., p. 4); “The company does not carry out and has never carried out systematic checks on the use of employees' electronic tools but reserves the right to carry out targeted access or checks ex post in the event of prolonged absence or impediment of the person in charge which makes it indispensable and unpostponable to intervene for exclusive needs of company operations, system security, or suspicion of illicit activities. With specific reference to the complainant, the company has never carried out targeted access or checks. 
The company has never intended to carry out a systematic and massive check of the employee-member's activity nor access data "not relevant for the purposes of evaluating her professional aptitude" as well as private and/or sensitive data” (note cit., p. 4); “the company informed the complainant - and the other employees - about the methods and purposes of the described data collection and storage activity, through the adoption of the documents called “Basic rules for the storage of information and for the use of paper and IT resources”, “Back up and Recovery”, “Internal regulations for the correct use of IT tools, e-mail and internet browsing”, “Risk analysis” and “Register of treatments” (note cit., p. 4); “Although the Internal Regulation provides, but only to prevent or correct malfunctions of its system and to guarantee its efficiency, the registration of traffic components (log files) relating to e-mail, internet, internal network and telephony, as already written above, the company Ambiente 2000 srl does not use any system for recording log files. Therefore, no treatment was carried out “in violation of art. 5, par. 1, letter a) and c) of the Regulation and art. 114 and 115 of the Code in relation to the provisions of art. 88 of the Regulation”” (note cit., p. 5); “a discussion was initiated with the external Privacy consultant for the review of the content of the “Internal regulations for the correct use of IT tools, e-mail and internet browsing” and its actual application in daily practice” (note cit., p. 5); “although we believe that we have not committed any violation in the sense that there has been no illicit use of personal data, the objections raised by the Guarantor were a useful opportunity to verify the compliance of the internal rules with the legislation to which the company intends to comply” (note cit., p. 5). 
During the hearing held on 15 July 2024 following a request from the Company, the latter finally highlighted that: the failure to respond to the request to deactivate the account occurred due to “an unintentional carelessness. This is because the account on which the aforementioned request for cancellation was received is not that of the company, to which it is necessary to address requests of this kind according to the company's Privacy Policy, but rather the personal account of the sole director pro-tempore, on which, in the same period considered, a considerable number of emails arrived, equal to 47, as documented in the report that the Company will send as soon as possible to the Guarantor"; "The complainant, at the time of the contested facts, was the de facto director of the Company who acted on behalf of the Company itself on the basis of a power of attorney and at an administrative level took care of all the obligations"; "To execute the request to deactivate the email account assigned to the complainant, the IT technician had to intervene as the legal representative was not technically able to do so. The impossibility of doing so independently was verbally represented to the complainant by virtue of the personal relationship in place".

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

3.1 Outcome of the investigation. Violation of Articles 12 and 17 of the Regulation.

Following the examination of the declarations made to the Authority during the proceedings and of the documentation acquired, it appears that the Company, as the data controller, has carried out some processing operations, relating to the complainant, which are not compliant with the regulations on the protection of personal data. 
In this regard, it is noted that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Garante, falsely declares or certifies information or circumstances, or produces false acts or documents, is liable under Article 168 of the Code ("False statements to the Garante and interruption of the performance of the tasks or exercise of the powers of the Garante"). On the merits, it emerged first of all that the Company, on the basis of the contract signed on 4/11/2021 with a service company, planned the installation of document management software ("DOC"). When installing the software, the Company asked the service provider to activate an email box (XX) dedicated to the "aggregation of incoming company emails [...] activating the forwarding of the boxes to the latter". However, after "a couple of days", following "disruptions", the Company itself asked the service provider to discontinue the box and arrange for its deletion. As for the document management software, it was installed on 15/11/2023 on three workstations (not including the one assigned to the complainant). Since "disruptions" also occurred with the installation of the software, the Company withdrew from the service supply contract. According to what the Company declared under its own responsibility, therefore, "there was neither acquisition nor storage of personal data of employees" following the temporary activation of the XX mailbox and of the document management system (on three workstations only).
Following examination of the documents, and given that, in general terms, the creation of a company account (whose name, significantly, also contains the term "control") to which all messages arriving on company accounts, including individually assigned ones, are redirected appears to be of doubtful lawfulness (for specific cases of redirection carried out after termination of the employment relationship, see Decision of 27 April 2023, no. 171, web doc. no. 9909235; Decision of 16 December 2021, no. 440, web doc. no. 9739653), no evidence nonetheless emerged of processing (including of the complainant's data) carried out by the Company on the occasion of the installation of the document management system and the activation of the XX mailbox. However, it also emerged that, on 12/9/2022, the complainant sent the Company, by email, a request including the "erasure of [her] personal data pursuant to art. 17, par. 1, EU Reg. 2016/679", with particular reference to the deactivation and removal of the email accounts used by the complainant herself. The Company gave no response to this request since, according to its statements, the then sole director of the Company considered that he was not required to respond, the request being deemed "undue" and there being, in any case, no unlawful processing of personal data. In addition, the Company argued that the failure to respond was due to the fact that the erasure request had been sent by the complainant to the certified email address containing the first name and surname of the then director of the Company, and not to the different address XX indicated in the "General Privacy Policy" (dated 23/9/2019) for the exercise of rights by data subjects (see Annex 3, Company response note of 20/11/2023).
In any case, it is noted that the individual account assigned to the complainant at the time was deleted by the Company, although the Company was unable to document precisely when this occurred (despite having asked the service provider to that effect: see Annex 5, cited response note). Confirmation of the deletion would have been given verbally to the complainant "at the beginning of October 2022" (see defence briefs of 12/4/2024, pp. 1-2). Even taking into account the peculiarities of the case, the Company's conduct is at odds with art. 17 of the Regulation, which establishes that the data subject has the right to obtain from the controller the erasure "without undue delay" of personal data concerning him or her where one of the grounds laid down by law applies. The obligation of erasure placed on the controller must be fulfilled in accordance with the procedures prescribed by art. 12, in particular where it requires that "the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request". The Company should therefore have given a specific response to the erasure request "within one month" at the latest, including, hypothetically, in the event of refusal (under art. 12, par. 4 of the Regulation); nor can those provisions be considered satisfied by the fact that the deletion was carried out and communicated verbally to the data subject, that is, without observing the specific methods laid down by data protection law.
The Company's argument in this respect cannot be accepted, because the specific methods of response by the controller laid down by the Regulation form an integral part of the right granted to the data subject. Furthermore, as already noted, in the present case the date of deletion of the email address that is the subject of the complaint does not emerge with certainty from the documents of the procedure. Nor can the failure to respond be considered, as the Company argues, legitimately attributable to the complainant having sent the erasure request to the email address containing the first name and surname of the then sole director rather than to the address dedicated to the exercise of rights in the Privacy Policy prepared by the Company. This is because the Company itself stated that it had in any case taken note of the request sent to the certified email address of the sole director, despite receiving numerous other certified emails on the same account, and that it had responded to it, albeit verbally, during a conversation with the complainant. In any case, in general terms, the EDPB Guidelines 01/2022 on data subject rights - Right of access, of 28 March 2023, clarify that the controller cannot require a specific format for requests to exercise the right of access nor, in principle, specific requirements that data subjects must observe when choosing the communication channel through which they contact the controller (see point 52). Therefore, the Company, in the terms described above, did not comply with the obligation to respond to the data subject following the exercise of the rights provided for by the Regulation (in this case the right to erasure under art. 17) within the time limits and in the manner prescribed by art. 12 of the Regulation.

3.2 Violation of art. 5, par. 1, letters a) and c), and art. 88 of the Regulation, as well as art. 113 and 114 of the Code.

It also emerged that the Company adopted an "Internal Regulation for the correct use of IT tools, e-mail and Internet browsing", dated 23/9/2019, which, among other things, provides for the systematic collection and storage of "traffic components (log files) relating to: E-mail [...] Internet [...] Internal network [...] Telephony" (see Annex 6, Company response note of 20/11/2023). In particular, with reference to e-mail, the data collected are to be stored for thirty days and, subsequently, "the information is saved on a disk area and then (with appropriate periodicity) stored on non-rewritable optical media kept in a special fireproof safe. The history of the last six months is maintained [...]"; "only internal or external persons expressly authorised by the Data Controller to manage the e-mail service can access the information collected". As regards the internal network, too, "the information [...] is collected, stored and analysed according to the methods described above for the email service", with access possible for persons authorised "to manage the internal network services". With reference to telephony, "the information [...] is collected, stored and analysed according to the methods described above for the email service", with access possible for persons authorised "to manage the telephone service". With regard to Internet browsing, "the information is collected, stored and analysed according to the methods described above for the email service". In particular, the controller reserves the right to store the log files relating to web traffic for a period of thirty days, with the possibility of tracing the individual identifiable operator "through aggregation with the data of a separate table". Identifiability is likewise possible for the data relating to email, the internal network and telephony (see par. 2.4.9 "Controls and checks").
In relation to the data collected and stored in the manner indicated above, the Company reserves the right to carry out "occasional checks on electronic instruments, personal computers/processors, related peripherals, storage media and any other electronic apparatus or device". Although the methods of carrying out the checks, as set out in the Regulation, are in the abstract inspired by the principle of graduality (checks on an individual basis may take place only after checks on an anonymous basis, although in the event of repeated violations of the regulation the Company reserves the right to initiate disciplinary proceedings), the preventive and systematic collection and storage of log files, for a significant period equal to thirty days plus six months, relating to the use of the email system, internet browsing, the internal network and telephony does not comply with the general principle of minimisation, under which personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (art. 5, par. 1, letter c) of the Regulation). This is all the more so given that the declared purpose of such processing is the need to "prevent or correct malfunctions of the [...] system as well as guarantee its efficiency". Similarly, for "reasons of security of the IT system" as well as for "technical and/or maintenance reasons [...] or for purposes of control and planning of company costs", the controller reserves the right to "directly access [...] the company IT tools and the documents contained therein, as well as telephone traffic records" (see par. 2.4.8 "Access to data processed by the user").
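The regulation described above keeps identifiable traffic logs for thirty days plus six months and holds the re-identification key in a "separate table". As an added example (not part of the decision or of the company's regulations), the Python below shows what a minimisation-oriented version of that design looks like: each record carries only a pseudonym keyed per calendar day, the day keys live in a separate table with a shorter retention than the records, aggregate checks run without identities, and once the keys are purged the retained records can no longer be attributed to a person. The log format, the user names, the 30-day and 7-day windows and the `PseudonymisedLog` class are assumptions chosen for illustration.

```python
"""Added example: pseudonymised browsing log with a separately held,
shorter-lived re-identification table. Not code from the Garante decision or
from the company's internal regulations; format and retention windows are
assumptions for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import Counter
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Constructed sample proxy log lines (hypothetical format):
# <ISO timestamp> <username> <destination host> <bytes transferred>
SAMPLE_LOG = """\
2024-05-02T08:01:12Z alice intranet.example 512
2024-05-02T08:02:40Z bob news.example 20480
2024-05-02T08:03:05Z alice mail.example 1024
2024-05-03T09:10:00Z carol video.example 9000000
2024-05-03T09:11:30Z bob video.example 8500000
"""


def pseudonym(user: str, key: bytes) -> str:
    """HMAC-SHA256 of the username under a per-day key, truncated to 64 bits."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


class PseudonymisedLog:
    """Records hold a pseudonym keyed per calendar day, so the same user is
    not linkable across days and not linkable at all once the day key is gone."""

    def __init__(self, log_retention_days: int = 30, key_retention_days: int = 7) -> None:
        self.log_retention = timedelta(days=log_retention_days)
        self.key_retention = timedelta(days=key_retention_days)
        # (timestamp, pseudonym, destination host, bytes)
        self.records: list[tuple[datetime, str, str, int]] = []
        # The "separate table": day -> secret key, stored apart from the log
        # and purged on its own, shorter schedule.
        self.day_keys: dict[date, bytes] = {}

    def ingest(self, text: str) -> int:
        """Parse log lines, replacing the username with a day-keyed pseudonym."""
        count = 0
        for line in text.splitlines():
            ts_text, user, host, nbytes = line.split()
            ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
            key = self.day_keys.setdefault(ts.date(), secrets.token_bytes(32))
            self.records.append((ts, pseudonym(user, key), host, int(nbytes)))
            count += 1
        return count

    def bytes_per_host(self) -> Counter:
        """Anonymous-basis check: traffic volume per destination, no identities."""
        totals: Counter = Counter()
        for _, _, host, nbytes in self.records:
            totals[host] += nbytes
        return totals

    def reidentify(self, pseud: str, day: date, candidates: list[str]) -> Optional[str]:
        """Targeted, ex post step: works only while the day key still exists."""
        key = self.day_keys.get(day)
        if key is None:
            return None
        for user in candidates:
            if hmac.compare_digest(pseudonym(user, key), pseud):
                return user
        return None

    def purge(self, now: datetime) -> tuple[int, int]:
        """Enforce both retention windows; returns (records kept, day keys kept)."""
        self.records = [r for r in self.records if now - r[0] <= self.log_retention]
        key_cutoff = (now - self.key_retention).date()
        self.day_keys = {d: k for d, k in self.day_keys.items() if d >= key_cutoff}
        return len(self.records), len(self.day_keys)


def demo() -> dict:
    """Ingest the sample, re-identify once, purge, then try again."""
    log = PseudonymisedLog()
    log.ingest(SAMPLE_LOG)
    users = ["alice", "bob", "carol"]
    first_ts, first_pseud, _, _ = log.records[0]
    before = log.reidentify(first_pseud, first_ts.date(), users)
    # Ten days on: records are inside the 30-day window, day keys are not.
    kept = log.purge(datetime(2024, 5, 12, tzinfo=timezone.utc))
    after = log.reidentify(first_pseud, first_ts.date(), users)
    return {"before": before, "after": after, "kept": kept,
            "video_bytes": log.bytes_per_host()["video.example"]}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the result of `demo()`: `reidentify` returns the user before `purge` and `None` afterwards, while `bytes_per_host` still works on the retained records. That split between anonymous-basis and individual checks is the graduality the decision refers to; the code shows only the mechanism, and the retention windows that are actually lawful for a given purpose remain a legal question the decision answers for this employer's seven-month scheme.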
The legitimate purpose of ensuring the security and efficiency of IT systems must in fact be balanced against the rights and freedoms of data subjects, all the more so where the controller proposes to process data relating to communications which, even when made in the context of work, are protected in the Italian legal system at constitutional level as well (on this point, with specific regard to the storage of company email logs, see the guidance document "Programs and IT services for managing email in the context of work and processing of metadata", Decision of 6/6/2024, no. 364, at www.garanteprivacy.it, web doc. no. 10026277). Furthermore, through the systematic storage of log files generated by the use of email, internet, the internal network and telephone in the context of the employment relationship, including through the possibility of directly accessing all content present on the devices assigned to employees or in any case generated by them, including telephone records, the Company, as controller/employer, is able to reconstruct the activity of its employees and carry out remote monitoring through technological devices beyond the purposes strictly permitted by art. 4 of Law no. 300 of 20 May 1970 ("Rules on the protection of the freedom and dignity of workers, of trade union freedom and of trade union activity in the workplace, and rules on placement"), in violation of art. 5, par. 1, letter a) of the Regulation (principle of lawfulness of processing). That provision, which constitutes one of the more specific and more protective rules laid down in employment matters by national law pursuant to art. 88 of the Regulation, is referred to in art. 114 of the Code ("Guarantees in the field of remote monitoring") as a condition of lawfulness of the processing of personal data carried out in the context of the employment relationship (in this regard, see some previous decisions of the Garante on specific cases: Decision of 21 July 2022, no. 255, web doc. no. 9809466; Decision of 13 May 2021, no. 190, web doc. no. 9669974; Decision no. 53 of 1 February 2018, web doc. no. 8159221; Decision of 13 July 2016, no. 303, web doc. no. 5408460). The aforementioned art. 4 of Law no. 300 of 1970 provides for a specific guarantee procedure in the case of use of "tools that also make it possible to monitor workers' activities remotely". Given that such tools "may be used exclusively for organisational and production needs, for workplace safety and for the protection of company assets", their installation may take place only "subject to a collective agreement concluded by the unitary trade union representation or by the company trade union representatives. Alternatively, in the case of companies with production units located in different provinces of the same region or in more than one region, such agreement may be concluded by the comparatively most representative trade union associations at national level. In the absence of an agreement, the systems and tools referred to in the first sentence may be installed subject to authorisation from the territorial office of the National Labour Inspectorate". Under the sectoral rules, therefore, the Company should have verified the actual existence of the mandatory purposes indicated by law in relation to the processing envisaged in the Regulation and, following that verification, where necessary activated the guarantee procedure provided for by the aforementioned rules on remote monitoring.
Through the systematic tracking of logs and the access to the contents of devices, including telephone records, provided for in the internal Regulation adopted by the Company, it is also possible to access information on facts that are not relevant for the purposes of assessing the worker's professional aptitude, in violation of art. 113 of the Code (which refers to compliance with art. 8 of Law no. 300 of 20/5/1970 and art. 10 of Legislative Decree no. 276 of 10/9/2003 as a condition for the lawfulness of the processing; on this last point, Cass. civ., 19/9/2016, no. 18302 held that "acquiring and storing data that contain (or may contain) such information already amounts to the prohibited conduct [...] even if the data are not subsequently used. It is not necessary to subject the collected data to any particular processing to commit the offence, since the mere acquisition and keeping of their availability entails the violation of the legislative requirement"). Indeed, systematic monitoring of the logs of communications made by email and company telephone, as well as of Internet browsing, even where exclusively and in the abstract related to the work and professional sphere (as provided in this case by the company regulations), may concern, even incidentally, aspects (e.g. industrial relations, relationships between colleagues, including private ones, state of health, etc.) capable of revealing to the employer information that, by law, must not be known to it. That said, it is noted that, in its defence briefs, the Company declared that during the proceedings before the Garante it arranged "an in-depth investigation [...] with the IT systems supplier [from which it emerged] that no system for tracking log files is installed, other than the event log that is part of the standard of all Windows systems. Furthermore, the company IT system provides for the evening execution of a backup covering all documents created or modified in the shared folder Ambiente2000. Once a week the system re-runs a complete backup. The Winwaste database, the waste management software, is also backed up daily" (defence briefs of 12/4/2024, p. 3). In this regard, however, it is noted that the Company did not provide any evidence or documentation (where applicable, also from the IT service provider) of the non-existence of systems capable of carrying out what is indicated in the internal regulations. At the same time, the Company also maintained that it "does not carry out and has never carried out systematic checks on the use of employees' electronic tools but reserves the right to carry out targeted access or ex post checks in the event of prolonged absence or impediment of the person in charge which makes it essential and unpostponable to intervene for exclusive needs of company operations, system security, or suspicion of illicit activities" (defence briefs cited, p. 4). Finally, following the Garante's objections, "a dialogue was initiated with the external privacy consultant for the review of the content of the [internal regulations] and its actual application in daily practice" (defence briefs cited, p. 5). First of all, it is noted that it is for the controller, under the principle of accountability (art. 5, par. 2 of the Regulation), to process personal data in a manner that respects the general principles established by data protection law (see art. 5, par. 1 of the Regulation), even when making use of professionals, who must in any case operate on the basis of the instructions and specific indications as to the purposes and means of processing given by the controller itself (see art. 4, no. 7 of the Regulation).
That said, the internal regulation adopted by the Company and, as stated, made known to employees since September 2019 and still in force, although in the process of being "revised", grants the controller/employer the right to carry out processing operations that, for the reasons set out above, do not comply with the rules applicable to such processing. Furthermore, the Company has described in very generic terms the object of the revisions to the regulation that it says it commissioned from the external consultant. Equally generic is the indication of the specific "targeted" checks that it reserves the right to carry out in any case in the event of needs related to the "prolonged absence or impediment" of the employee in charge, as well as in the event of unspecified "needs for business operations, system security, or suspicion of illegal activities". Furthermore, the Company has not clarified to whom the data backed up by the systems are made available, for how long and for what purposes. For the reasons set out above, the processing operations indicated in the "Internal regulations for the correct use of IT tools, e-mail and internet browsing" are in violation of the principles of lawfulness of processing (art. 5, par. 1, letter a) of the Regulation, in relation to art. 113 and 114 of the Code) and minimisation (art. 5, par. 1, letter c) of the Regulation), as well as of art. 88 of the Regulation, which allows national law to provide for "more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context".

4. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation.
For the above reasons, the Authority considers that the statements, documentation and reconstructions provided by the controller during the investigation do not make it possible to overcome the findings notified by the Office in the act initiating the proceedings, and are therefore unsuitable to allow this proceeding to be closed, since none of the cases provided for by art. 11 of Regulation of the Garante no. 1/2019 applies. The processing of personal data carried out by the Company, and in particular the failure to respond to the request for erasure of personal data as well as the processing indicated in the "Internal regulations for the correct use of IT tools, electronic mail and internet browsing", is in fact unlawful, in the terms set out above, under art. 5, par. 1, letters a) and c), 12, 17 and 88 of the Regulation as well as art. 113 and 114 of the Code. The infringement established in the terms set out in the reasons cannot be considered "minor", having regard to the nature of the infringement, which concerned the general principles of processing, the exercise of the data subject's rights and the sectoral rules applicable to the processing, the gravity and duration of the infringement itself, the degree of responsibility and the manner in which the supervisory authority became aware of the infringement (see Recital 148 of the Regulation). The Authority also took into account the high level of seriousness of the infringement in light of all the factors relevant to the specific case, and in particular the nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the level of damage suffered by them.
The Authority also took into account the criteria relating to the intentional or negligent character of the infringement and the categories of personal data affected, as well as the manner in which the supervisory authority became aware of the infringement (see art. 83, par. 2 and Recital 148 of the Regulation). Therefore, in exercise of the corrective powers conferred by art. 58, par. 2 of the Regulation, the prohibition of the processing provided for in the internal regulations, in the terms set out in the reasons, is ordered, and an administrative fine is imposed pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letters f) and i) of the Regulation).

5. Adoption of the injunction order for the application of the administrative fine and accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Ambiente 2000 S.r.l. has violated art. 5, par. 1, letters a) and c), 12, 17 and 88 of the Regulation as well as art. 113 and 114 of the Code. Violation of the aforementioned provisions entails the application of the administrative fine provided for by art. 83 of the Regulation. The Garante, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the administrative fine provided for by art. 83 of the Regulation by adopting an injunction order (art. 18 of Law no. 689 of 24 November 1981) in relation to the processing of personal data carried out by Ambiente 2000 S.r.l. that has been found to be unlawful, in the terms set out above. Considering it necessary to apply art. 83, par. 3 of the Regulation, which provides that "If a controller [...], intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the total amount of the fine is calculated so as not to exceed the maximum provided for by art. 83, par. 5. With reference to the elements listed in art. 83, par. 2 of the Regulation, for the purposes of applying the administrative fine and quantifying it, and bearing in mind that the fine must "in each individual case be effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), the following circumstances were considered in the present case:

a) as to the nature of the violation, it concerned cases punished more severely under art. 83, par. 5 of the Regulation (general principles of processing, rights of data subjects, failure to comply with Member State provisions adopted under Chapter IX of the Regulation); as to the seriousness of the violation, account was taken of the fact that it concerned provisions protecting the exercise of data protection rights and more specific provisions protecting data subjects in the context of employment relationships; as to the duration of the violation, the continued validity of the internal regulations was considered relevant;

b) as to the intentional or negligent nature of the violation and the degree of responsibility of the controller, account was taken of the Company's negligent conduct and of its degree of responsibility for not having complied with the data protection rules in relation to a plurality of provisions;

c) in the Company's favour, account was taken of its cooperation with the supervisory authority, the deletion of the data relating to the complainant (the individual company email account) and the initiation of the review of the internal regulations; the peculiarities of the specific case were also taken into account.

It is also considered that, in this case, having regard to the aforementioned principles of effectiveness, proportionality and dissuasiveness that must guide the Authority in determining the amount of the fine (art. 83, par. 1 of the Regulation), the economic conditions of the offender are relevant, determined first of all on the basis of the revenues achieved by the Company according to the abbreviated financial statements for the year 2023. Lastly, the amount of the fines imposed in similar cases was taken into account. In light of the above elements and assessments, it is considered appropriate, in this case, to impose on Ambiente 2000 S.r.l. an administrative fine of 20,000 (twenty thousand) euros. In this context, it is also considered that, pursuant to art. 166, par. 7 of the Code and art. 16, par. 1 of Regulation of the Garante no. 1/2019, this chapter containing the injunction order should be published on the Garante's website, in consideration of the type of violations found, which concerned the exercise of the data subject's rights and the general principles of processing, including the need to observe the sectoral provisions applicable to processing in the workplace.

GIVEN ALL THE ABOVE, THE GARANTE

DECLARES, pursuant to art. 57, par. 1, letter f) and art. 83 of the Regulation, the unlawfulness of the processing carried out by Ambiente 2000 S.r.l., in the person of its legal representative, with registered office in Via Brasile, 2, Roseto degli Abruzzi (TE), C.F. 01734620766, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, letters a) and c), 12, 17 and 88 of the Regulation as well as art. 113 and 114 of the Code;

IMPOSES, pursuant to art. 58, par. 2, letter f) of the Regulation, on Ambiente 2000 S.r.l. the prohibition of the processing of data relating to employees provided for in the "Internal regulations for the correct use of IT tools, e-mail and internet browsing", in the terms set out in the reasons;

ORDERS, pursuant to art. 58, par. 2, letter i) of the Regulation, Ambiente 2000 S.r.l. to pay the sum of 20,000 (twenty thousand) euros as an administrative fine for the violations indicated in this decision;

ORDERS the same Company to pay the aforementioned sum of 20,000 (twenty thousand) euros, in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement actions will be taken pursuant to art. 27 of Law no. 689/1981. It is recalled that the offender has the right to settle the dispute by paying, again in the manner indicated in the annex, an amount equal to half of the fine imposed, within the time limit laid down by art. 10, par. 3 of Legislative Decree no. 150 of 1/9/2011 for lodging an appeal, as indicated below (art. 166, par. 8 of the Code);

ORDERS, pursuant to art. 166, par. 7 of the Code and art. 16, par. 1 of Regulation of the Garante no. 1/2019, the publication of the injunction order on the Garante's website; pursuant to art. 154-bis, par. 3 of the Code and art. 37 of Regulation of the Garante no. 1/2019, the publication of this decision on the Authority's website; and, pursuant to art. 17 of Regulation of the Garante no. 1/2019, the annotation of the violations and of the measures adopted under art. 58, par. 2 of the Regulation in the Authority's internal register provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this decision may be lodged before the ordinary judicial authority, by application filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the decision, or sixty days if the appellant resides abroad.

Rome, 12 December 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi