Garante per la protezione dei dati personali (Italy) - 9669974

From GDPRhub
Revision as of 21:44, 28 June 2021 by Papasla (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali (Italy) |DPA_Wi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali (Italy) - 9669974
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 6 GDPR
Article 9 GDPR
Article 13 GDPR
Article 35 GDPR
Article 88 GDPR
Article 113 and 114 Codice in materia di protezione dei dati personali
Type: Complaint
Outcome: Upheld
Published: 13.05.2021
Fine: 84.000 EUR
Parties: Municipality of Bolzano
National Case Number/Name: 9669974
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) fined the Municipality of Bolzano €84,000 for indiscriminate monitoring of employees in violation of Articles 5 (1)(a) and (c), 6, 9,13, 88, and 35 GDPR.

English Summary


An employee of the Municipality of Bolzano has alleged violations of the rules on the protection of personal data with regard to the processing of data carried out by the Municipality of Bolzano by monitoring network traffic and individual Internet accesses of the person concerned and of employees in general. The complaint alleges a violation of the principles of lawfulness, accuracy and minimisation in the processing of the personal data of the Municipality's employees, given that the system for recording Internet access registration system used by the Municipality allows massive, constant and indiscriminate monitoring, tracing, and filtering of the chronology of the internet sites visited and the time of browsing for each site, as well as storing and retaining such data associated with each employee for a long period of time. The processing was allegedly carried out in the absence of any information to the employees about the possible controls on Internet access by the employer.


Is the generalised collection of access to internet data of employees lawful under GDPR?


The Garante's investigations revealed that the municipality had been using, for about ten years, a system for monitoring and filtering employees' internet browsing, storing the data for one month and creating reports for network security purposes. Although the employer had entered into an agreement with the trade unions, as required by the sectoral regulations, the Garante pointed out that such data processing must also comply with the data protection principles laid down in the GDPR. On the contrary, the system implemented by the municipality, without adequately informing the employees, allowed processing operations that were unnecessary and disproportionate to the purpose of protecting and securing the internal network, by carrying out a preventive and generalised collection of data relating to connections to websites visited by individual employees. The system also collected information unrelated to the professional activity and in any case related to the private life of the person concerned. The Authority pointed out that the need to reduce the risk of improper use of Internet surfing cannot lead to the complete cancellation of any expectation of privacy on the part of the person concerned in the workplace, even in cases where the employee uses the network services made available by the employer. The Garante also pointed out that the municipality of Bolzano failed to carry out a data protection impact assessment. Finally, violations were also found with regard to the processing of employees' medical data: the form to be filled in for special medical requests, required the manager of the unit to examine it, this resulted in unlawful processing of health data. For these reasons and with the power conferred by Articles 58(2)(i) and 83 GDPR, the Garante fined the Municipality of Bolzano €84,000 for indiscriminate monitoring of employees in violation of Articles 5 (1)(a) and (c), 6, 9,13, 88, and 35 GDPR. The Garante also ordered the Municipality to take technical and organisational measures to anonymise data relating to employees' workstations, delete personal data in recorded web navigation logs, and update the internal procedures identified and included in the trade union agreement.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.