Garante per la protezione dei dati personali (Italy) - 9669974

From GDPRhub
Revision as of 15:26, 27 July 2021 by Cvl (talk | contribs)
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 6 GDPR
Article 9 GDPR
Article 13 GDPR
Article 35 GDPR
Article 88 GDPR
Article 113 and 114 Codice in materia di protezione dei dati personali
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.05.2021
Fine: 84.000 EUR
Parties: Municipality of Bolzano
National Case Number/Name: 9669974
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) fined the Municipality of Bolzano €84,000 for indiscriminate monitoring of employees in violation of Articles 5(1)(a) and (c), 6, 9, 13, 88, and 35 GDPR.

English Summary

Facts

An employee of the Municipality of Bolzano alleged that the Municipality was violating its duty to protect personal data by monitoring the network traffic and individual Internet accesses of the complainant and of employees in general.

The complaint alleges a violation of the principles of lawfulness, accuracy and data minimisation in the processing of the personal data of the Municipality's employees. The Municipality's system for logging Internet access allows massive, constant and indiscriminate monitoring, tracing, and filtering of the chronology of the websites visited and the time spent browsing each site, as well as the storage and retention of the data associated with each employee for a long period of time.

The processing was allegedly carried out in the absence of any information to the employees about the possible controls on Internet access by the employer.

Holding

The Italian DPA's investigations revealed that the municipality had been using, for about ten years, a system for monitoring and filtering employees' internet browsing that stores employee data for one month and creates reports for network security purposes. It characterized the system as carrying out the preventive and generalised collection of data on websites visited by individual employees. Although the employer had entered into an agreement regarding data collection with the trade unions, as required by the sectoral regulations, the DPA pointed out that such data processing must also comply with the data protection principles laid down in the GDPR.

The DPA (Garante) held that the municipality failed to adequately inform employees about the data processing system, which allowed processing operations that were unnecessary and disproportionate to the purpose of protecting and securing the internal network. The system also collected information unrelated to professional activity that related to the private life of employees.

The Garante argued that the need to reduce the risk of improper use of Internet surfing cannot lead to the complete annulment of any expectation of privacy on the part of the employee in the workplace, even where the employee uses the network services made available by the employer. The Garante also pointed out that the municipality of Bolzano failed to carry out a data protection impact assessment.

Furthermore, the Garante found violations with regard to the processing of employees' medical data: the form to be filled in for special medical requests required the manager of the unit to examine it, resulting in the unlawful processing of health data.

For all these reasons, and with the power conferred by Articles 58(2)(i) and 83 GDPR, the Garante fined the Municipality of Bolzano €84,000 for indiscriminate monitoring of employees in violation of Articles 5(1)(a) and (c), 6, 9, 13, 88, and 35 GDPR. The Garante also ordered the Municipality to take technical and organisational measures to anonymise data relating to employees' workstations, delete personal data in recorded web navigation logs, and update the internal procedures identified and included in the trade union agreement.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.