Injunction against Municipality of Bolzano – 13 May 2021
It is not possible to monitor employees’ Internet surfing in an indiscriminate manner. Irrespective of specific trade union agreements, any monitoring must always be carried out in compliance with the Workers’ Statute and data privacy legislation.
This was stated by the Italian Data Protection Authority in a sanctioning measure against the Municipality of Bolzano, initiated on the basis of a complaint submitted by an employee who, in the course of a disciplinary procedure, had discovered that he was constantly monitored.
The administration, which had initially challenged the employee for going on to Facebook and YouTube during working hours, had then dismissed the case because of the unreliability of the surfing data collected.
The investigations carried out by the Data Protection Authority revealed that the municipality had been using, for about ten years, a system for monitoring and filtering employees’ internet browsing, storing the data for a month and creating special reports for network security purposes. Although the employer had entered into an agreement with the trade unions, as required by the sectoral regulations, the Data Protection Authority pointed out that such data processing must also comply with the data protection principles laid down in the GDPR.
The system, implemented by the Municipality without having adequately informed the employees, instead allowed processing operations that were unnecessary and disproportionate to the purpose of protecting and securing the internal network, carrying out a preventive and generalized collection of data on connections to the websites visited by individual employees. The system also collected information unrelated to professional activity and in any case attributable to the private life of the data subject.
In the measure, the Authority pointed out that the need to reduce the risk of improper use of Internet browsing cannot lead “to the complete cancellation of any expectation of privacy of the person concerned in the workplace, even in cases where the employee uses the network services made available by the employer”.
The Data Protection Authority, considering the full cooperation of the administration, fined it €84,000 for unlawful processing of employees’ data. The Municipality will also have to adopt technical and organizational measures to anonymize the data relating to employees’ workstations, delete personal data present in recorded web navigation logs, and update the internal procedures identified and included in the trade union agreement.