Guidelines Applying to the Use of E-Mails and the Internet in the Employment Context - 1 March 2007 
[doc. web n. 1408680]
Guidelines Applying to the Use of E-Mails and the Internet in the Employment Context - 1 March 2007
The Garante per la protezione dei dati personali
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Giuseppe Fortunato and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having regard to the claims, reports and questions submitted with regard to the processing of personal data by employers in connection with the use by employees of IT and computerised tools;
Having regard to the records on file;
Having regard to sections 24 and 154(1), letter b) and c) of the Personal Data Protection Code (legislative decree no. 196 of 30 June 2003);
Having regard to the considerations made by the Secretary General in pursuance of article 15 of the Garante's Rules of Procedure no. 1/2000;
Acting on the report submitted by Mr. Mauro Paissan;
1. Use of E-Mail and the Internet in the Employment Context
The analysis of several claims, reports and questions pointed to the need for laying down some measures as necessary and/or appropriate in order to ensure that the processing of personal data performed by employers to verify that e-mails and the Internet are used appropriately in the employment context is brought fully into line with the legislation in force.
There are a few basic assumptions to make:
a. employers are responsible for ensuring that employees are provided with workable IT tools and use them appropriately, by setting out the respective usage guidelines in the employment context also in the light of trade union laws and rights;
b. employers are required to take suitable security measures to ensure integrity and availability of information systems and data, also in view of preventing misuse and the liability possibly arising therefrom (sections 15, 31 et seq., 167, and 169 of the Code);
c. it is increasingly necessary to protect the employees concerned, partly because use of the devices in question – which are already quite common in the employment context – is bound to be enhanced at a fast pace in many activities also performed outside the workplace;
d. indeed, use of the Internet by employees may be analysed, profiled and tracked in full by processing browsing log files as collected, for instance, by a proxy server and/or another data storage device. E-mail services are also liable to controls – based for instance on the keeping of traffic log files and the storage of e-mail messages – that might ultimately enable the employer (i.e. the data controller) to become apprised of the contents of such correspondence;
e. the information in question contains personal data, including sensitive data, related to employees and/or third parties, whether identified or identifiable. (1)
1.2. Protecting Employees
The personal data at issue may concern, in addition to work-related information, the private life and/or personal sphere of both employees and third parties. As pointed out by the European Human Rights Court, the line between these two areas is at times difficult to draw. (2)
The workplace is a community where it is necessary to ensure that data subjects' rights, fundamental freedoms, and dignity are protected. To that end, employees must be enabled to freely express their own personalities within the framework of mutual rights and duties; additionally, they are entitled to a reasonable protection of their privacy in personal and professional relationships alike (Articles 2 and 41(2) of the Italian Constitution; section 2087 of the Civil Code; see also section 2(5) of the Digital Administration Code (legislative decree no. 82 of 7 March 2005) as for the right to have the processing of data by electronic networks brought into line with respect for fundamental rights and freedoms and data subjects' dignity). (3)
It is no mere chance that several employers – in organising their work and the necessary tools – have envisaged usage mechanisms whereby ad-hoc working areas have been made available to take strictly personal notes, given the increasing amount of network-based activities and the availability of new flat-rate schemes; alternatively, they have allowed reasonable use to be made of IT tools for private purposes.
2. Personal Data Protection Code and Sector-Related Legislation
2.1. General Principles
In issuing the guidelines below, the Garante is taking account of the right to personal data protection, the need for the processing to be regulated by affording a high level of protection to individuals, and the principles of simplification, harmonisation, and effectiveness set out in sections 1 and 2 of the data protection Code. These guidelines are subject to adjustments in the light of the experience gathered and technological innovations.
2.2. Sector-Related Legislation
Some sector-related rules that are left unprejudiced by the data protection Code provide for specific prohibitions and/or limitations – such as those laid down by the Workers' Statute in respect of distance monitoring (sections 113, 114, and 184(3) of the Code; sections 4 and 8 of Act no. 300/1970).
Data protection legislation must be applied jointly with sector-related rules concerning employer-employee relationships and the use of technologies in such sectors, where data protection legislation is either left unprejudiced or expressly referred to (see section 47(3), letter b), of the Digital Administration Code). (4)
2.3. Principles Set out in the Data Protection Code
The processing must be compliant with data protection safeguards and in pursuance of the following binding principles:
a. necessity (or data minimization): information systems and software must be configured by minimizing use of personal and/or identification data in view of the purposes to be achieved (section 3 of DP Code; para. 5.2);
b. fairness: the fundamental features of the processing must be disclosed to employees (section 11(1), letter a), of the DP Code). Information technologies allow processing operations to be performed in excess of those that are related, as a rule, to the employment context – to a greater degree than is the case with conventional devices and technologies. Such processing operations may take place without the employees' being aware or fully informed thereof, also by having regard to the potential applications – which are usually known by data subjects to a limited extent (see para. 3);
c. the processing must be carried out for specific, explicit, and legitimate purposes (section 11(1), letter b), of the DP Code; para. 4 and 5) in compliance with relevance and non-excessiveness principles (para. 6). The employer must process the data "in the least intrusive way possible"; monitoring may only be performed by the entities in charge thereof (para. 8) and "be targeted to the risk area, taking account of data protection rules and, where relevant, the principle of secrecy of correspondence" (Opinion no. 8/2001, points 5 and 12).
3. Monitoring and Fairness of Processing
3.1. Internal Rules
Pursuant to the fairness principle mentioned above, the processing – if any – must be grounded on transparency as also set out in sector-specific legislation (section 4(2) of Act no. 300/1970, "Workers' Statute"; Annex VII, para. 3, to legislative decree no. 626/1994 as subsequently amended and supplemented, concerning "use of equipment provided with video terminals", which rules out any computerised monitoring "unbeknownst to employees"). (5)
Thus, the employer is required to always provide clear-cut, detailed information on the appropriate mechanisms of use applying to the equipment that is made available as well as on whether, to what extent, and how controls are carried out. In so doing, he shall have to take account of the relevant legislation with regard to information for, agreement, and consultation with trade unions.
The employer may avail himself of several tools to provide the said information, depending on the nature and complexity of the tasks discharged, whereby the employees shall be informed with different mechanisms also in the light of the size of the enterprise/firm – e.g. by taking account of the situation applying to small-sized entities where information resources are continuously shared by the staff.
3.2. Guiding Principles
Within this framework, it may be appropriate to issue internal guidelines by using clear-cut, non-generic wording, which shall be adequately publicised – i.e. they shall be made known to employees, on the intranet, by posting them in the workplaces according to mechanisms similar to those set out in section 7 of Act no. 300/1970, and so on. Such guidelines will have to be updated regularly.
For instance, it should be clarified, depending on the circumstances,
- whether certain types of conduct are not permitted as for "browsing" the Internet (e.g. downloading music files and/or software) or keeping certain files on the Intranet;
- to what extent it is allowed to use e-mail and network services also for personal purposes, even though this may only be possible from certain workstations and/or accounts or else via webmail systems, in which case the relevant arrangements and time constraints should be specified (e.g. whether using such systems is only allowed outside working hours or during breaks, or whether they may also be used with moderation during working hours);
- what information is recorded on a temporary basis (e.g. which log file components are recorded, if any) and who is lawfully entitled to access such information (including external entities);
- whether (and if so, what) information is kept for longer, in a centralised or decentralised manner, also because of the making of backup copies and/or the technical management of the network and/or log files;
- whether and to what extent the employer reserves the right to carry out controls in pursuance of the laws, also on an occasional and/or non-regular basis, whereby the legitimate grounds on which such controls would be carried out will have to be specified in detail (as also related to the checks on operation and security of the system) and the relevant arrangements should be spelled out; in particular, it should be specified whether the occurrence of individual and/or repeated cases of misuse results into the issuing of prior collective and/or individual warnings and the performance of controls on individual employees and/or individual devices and workstations;
- which consequences, also of a disciplinary nature, may be drawn by the employer where the latter establishes that email and Internet services are misused;
- which solutions are envisaged to ensure, with the employees' collaboration, that work can continue also in the employees' absence – especially in case of planned leaves – with particular regard to the use of out-of-office auto-reply messages;
- whether it is envisaged that the available systems can be used for personal purposes based on the charging of the relevant costs to the person concerned;
- which measures have been taken in specific employment contexts where it is necessary to abide by the professional secrecy obligations imposed on certain professions;
- which data and systems security measures have been adopted internally (see section 34 of the Code and Annex B) thereto, in particular points 4, 9, and 10).
3.3. Information Notice (Section 13 of the Code)
As well as being required to draw up and disseminate the internal policy document detailing the appropriate use of IT devices and the relevant controls, if any, the employer has the duty to always inform data subjects in pursuance of section 13 of the Code also with regard to the items mentioned under 3.1 and 3.2 above.
Data subjects have actually the right to be informed in advance and unambiguously about any processing operations that may concern them in connection with possible controls.
The purposes to be specified may relate to specific organisational, production and/or occupational safety requirements, where they entail the lawful processing of data (see section 4(2) of Act no. 300/1970); they may also relate to the establishment or defence of a judicial claim.
The employer is to specify, inter alia, the main features of the processing operations in question as well as the person and/or unit the employees may apply to in order to exercise their rights.
4. Equipment Intended for Distance Monitoring
With regard to the principle whereby the purposes of the processing must be specific, explicit and lawful (see Section 11(1), letter b), of the Code), the employer may reserve the right to control – whether directly or via his organisational structure – that work duties have been actually discharged and, if necessary, that work tools are used appropriately (see Sections 2086, 2087, and 2104 of the Civil Code).
In exercising this right, the employer must respect his employees' dignity and freedom with particular regard to the prohibition against deploying "equipment for the purpose of controlling employees' activities from a distance" (section 4(1) of Act no. 300/1970) – which unquestionably includes hardware and software equipment intended to control the users of electronic communications systems.
The processing of data that results therefrom is unlawful regardless of the unlawful deployment of the equipment in question. This is also the case if the individual employees are aware of the circumstances. (6)
In particular, it is not permitted to process data by means of hardware and software systems that are intended to carry out distance controls so as to keep track of employees' activities – at times in a very detailed manner. This applies, for instance,
- to the systematic scanning and recording of email messages and/or the respective external data apart from what is technically necessary to provide email services;
- to the reproduction and systematic storage of the web pages visited by employees;
- to keystroke pattern analysis and recording devices;
- to the hidden monitoring/analysis of laptops entrusted to individual employees.
The ban on distance monitoring set out in the law applies to work duties in themselves as well as to other instances of personal conduct in the workplace. (7) Irrespective of the liability arising under civil and/or criminal law, any data that is processed unlawfully may not be used (see section 11(2) of the code). (8)
5. Software Allowing "Indirect" Controls
5.1. When using information systems to meet production and/or organisational requirements (e.g. to detect malfunctioning or for maintenance purposes), including the case in which the said systems are found to be necessary with a view to occupational safety, employers may lawfully avail themselves of systems that allow distance controls to be carried out indirectly (so-called unintentional controls) – in compliance with Act no. 300/1970 (section 4(2) ). The systems in question give rise to the processing of personal data that are or may be related to employees. (9) The above considerations also apply to the performance of controls on a non-regular basis. (10)
The resulting processing operations may be lawful. This is without prejudice to the need for complying with the procedures to inform and consult with employees and trade unions as for the deployment or modification of automated data collection and processing systems (11) – including the deployment or modification of technical procedures intended to monitor employees' movement and/or performance. (12)
5.2. Data Minimization Principle
In pursuance of the data minimization principle, employers are required to take all the appropriate measures, whether organisational or technological in nature, to prevent the risk of misuse – this being preferable over the adoption of "suppression" measures – and anyhow "minimize" the use of employee-related data (see sections 3, 11(1), letter d), and 22(3) and (5) of the Code; see also the Garante's general authorisation to process sensitive data, no. 1/2005, point 4).
- the impact on employees' rights be assessed carefully (before deploying equipment suitable for allowing distance monitoring as well as before starting the processing of any data);
- the employees authorised to use email and Internet access services be identified in advance, if appropriate by category/class; (13)
- the location of workstations be set out clearly in order to reduce the risk of misuse.
Additionally, employers are required to take such technological measures as can minimize the use of identification data (so-called privacy-enhancing technologies, PETs). The measures in question can be tailored to the specific IT tools (i.e. email, Internet navigation, etc.).
a) Internet: Browsing the Web
To reduce the risk that the Internet is browsed inappropriately – i.e. without any connection with the discharge of labour tasks, e.g. because irrelevant sites are visited, files are uploaded and/or downloaded, network services are exploited for entertainment or other unrelated purposes – the employer is required to take suitable measures in order to prevent ex-post controls on the employees. The said controls, regardless of whether they are lawful or not, may entail the processing of personal information that in some cases is irrelevant and/or suitable for disclosing religious, philosophical or other beliefs, political opinions, health and/or sex life (see section 8 of Act no. 300/1970, sections 26 and 113 of the Code, and the Garante's provision of 2 February 2006 referred to above).
In particular, the employer may take one or more of the following appropriate measures by having regard to the peculiarities of the specific production and professional requirements:
- specifying the categories of website that are regarded as related/unrelated to the work performed;
- configuring systems and/or deploying filters to prevent certain operations from being performed, as such operations are considered to be unrelated to the work performed (e.g. uploading files, or accessing certain sites, possibly included in a sort of blacklist, and/or downloading files or software with specific features in terms of size and/or data types);
- processing the data anonymously, or else in such a manner as to prevent users from being immediately identified, by aggregating the data appropriately (e.g. on a collective basis and/or in respect of sufficiently large groups of employees with regard to web traffic log files);
- retaining the data, if any, for no longer than is absolutely necessary to pursue organisational, production, and/or security purposes.
b) Electronic Mail
The contents of email messages as well as the external communication data (e.g. headers) and attachments are a type of correspondence that is subject to confidentiality safeguards also pursuant to Constitutional principles. The rationale of such safeguards consists in protecting the essential core of human dignity and fostering the full development of one's personality in the social context. Additional safeguards are afforded by the criminal provisions protecting inviolability of secrets (articles 2 and 15 of the Constitution; Judgment no. 281 of the Constitutional Court dated 17 July 1998, and no. 81 of 11 March 1993; Section 616(4) of the Criminal Code; Section 49 of the Digital Administration Code). (14)
However, as regards specifically the use of emails in the employment context and by having regard to the outward appearance of email addresses in the individual cases, one might question whether an employee – irrespective of whether he/she is sending or receiving a given message – is making use of the electronic mail as a part of the employer's organisation or rather for personal purposes, albeit within the framework of a working establishment.
In the absence of specific policies in this connection, the employee and/or third parties may legitimately expect certain types of communication to be kept confidential.
The above uncertainties are mirrored by the difficulties in establishing whether it is lawful for the employer to take steps in order to become apprised of the contents of messages sent either to or from the email address (account) used by an employee (incoming/outgoing mail).
Therefore, it is especially appropriate to take measures also in order to prevent processing operations that might be in breach of relevance and non-excessiveness principles. The measures and solutions in question may prove helpful to reconcile the need for ensuring regular work performance with the avoidance of useless intrusions into employees' private spheres and/or breaches of the legislation on confidentiality of correspondence.
- the employer makes available group email addresses, to be shared by several employees (e.g. email@example.com; firstname.lastname@example.org; email@example.com; firstname.lastname@example.org; and so on), which might be added to individual e-mail accounts (e.g. email@example.com; firstname.lastname@example.org; email@example.com);
- the employer considers the possibility of assigning a different email account to employees, to be used for private purposes; (15)
- the employer makes available specific user-friendly functions to allow automatically sending out-of-office reply messages in case an employee is absent from work (because on holiday or on a mission), whereby such messages should provide details for contacting another employee or department (including via email and/or telephone). It is also appropriate to instruct employees to avail themselves of such functions so as to prevent their email messages from being opened. (16) Where an employee is absent from work unexpectedly (e.g. because of a sick leave) and he/she is unable to implement the procedure described above (also via webmail services), the employer might lawfully have such a mechanism (or a similar mechanism) activated if the leave period is above a given threshold – providing this is necessary and staff specifically in charge of this task is used, e.g. the system administrator and/or the corporate data protection officer, if any. The data subjects will have to be notified thereof;
- in view of the possible need for accessing the contents of email messages on account of pressing requirements related to work, if an employee is absent from work unexpectedly and/or for a prolonged period, the data subject (i.e. the employee in question) should be allowed to entrust another employee (trusted party) with checking the contents of his/her email messages and forwarding such messages as are considered to be work-relevant to the employer (data controller). The data controller should keep specific records of these activities and the employee concerned should be informed thereof as soon as possible;
- email messages should include a disclaimer to clarify, where appropriate, that they are not to be regarded as confidential and/or personal in nature, whether the replies may be accessed by third parties in the sender's organisation, and which policy rules are applicable as set out by the data controller in pursuance of the aforementioned criteria.
6. Relevance and Non-Excessiveness
6.1. Layered Controls
In performing controls on the use of electronic tools, unwarranted interferences with the fundamental rights and freedoms vested in employees and/or external entities sending/receiving electronic communications of a personal and/or private nature will have to be prevented.
Controls are only lawful if the relevance and non-excessiveness principles are complied with.
Where a harmful event and/or dangerous situation have not been prevented with the help of preventative technical arrangements, the employer may take such measures as can allow inquiring into abnormal conduct.
Preference should be given, where feasible, to preliminary controls on aggregate data related to the whole establishment and/or specific units.
Anonymous controls might result into the issuance of general notices/warnings on the non-standard use of the electronic tools made available by the company, whereby all the entities concerned might be called upon to comply strictly with the respective tasks and instructions. Such notices/warnings might be only addressed to the employees working in the department/unit where the said non-standard use could be established. In the absence of subsequent abnormalities, controls focused on individual employees are unwarranted in principle.
Prolonged, continued and/or blanket controls are inadmissible.
6.2. Data Retention
Software systems must be configured and programmed so as to regularly and automatically delete – for instance via the so-called log file rotation – the personal data related to Internet accesses and network traffic, where their retention is unnecessary.
In the absence of specific technical and/or security requirements, the provisional retention of the data related to the use of electronic tools must be accounted for on the basis of specific, proven purposes; additionally, the data retention period should not be in excess of the time required – as set out in advance – for achieving such purposes (see section 11(1), letter a), of the Code).
The retention period may only be extended on an exceptional basis in connection with the following:
- highly specific technical and/or security requirements;
- the circumstance that a data is indispensable to establish or defend a judicial claim;
- the obligation to keep and/or surrender the data in order to comply with a specific request lodged by either judicial authorities or the judicial police.
In the above cases, processing shall be limited – by having regard, as for sensitive data, to the requirements set out in the Garante's general authorisations no. 1/2005 and no. 5/2005 – to such information as is indispensable to achieve the purposes defined as above, and it shall be carried out in accordance with conceptual and organisational arrangements that are closely related to the obligations, tasks and purposes described above.
7. Preconditions for the Processing to Be Lawful: Balancing of Interests
7.1. Private Employers
Private employers and profit-seeking public bodies may lawfully process personal, non-sensitive data if the preconditions mentioned above are fulfilled (see, in particular, section 4(2) of Act no. 300/1970).
The above applies:
a. if the circumstances are such as to warrant the legitimate establishment of a judicial claim (section 24(1), letter f, of the DP Code);
b. if the data subject has given his/her free consent thereto in a valid manner;
c. without the data subject's consent, in pursuance of this decision that establishes a legitimate interest in processing the data in question as per the legislation concerning the so-called balancing of interests (section 24(1), letter g., of the DP Code.)
In balancing the interests at issue, account was taken of the safeguards laid down in Act no. 300/1970 with regard to the performance of "indirect" controls on employees – whereby the prerequisite does not consist in the data subjects' consent, but rather in the agreement with trade union representatives; failing the latter agreement, the authorisation by a peripheral branch of the labour management agency will be necessary.
Sensitive data may be processed with the data subjects' consent; they may also be processed without the data subjects' consent in the cases provided for by the DP Code – i.e., in particular, to establish a judicial claim; to safeguard the data subject's life or bodily integrity; to comply with specific legal obligations also in connection with judicial investigations: see section 26 of the DP Code.)
7.2 Public Employers
As for public employers, the specific preconditions laid down in the DP Code by having regard to the nature of the data at issue (i.e. sensitive or non-sensitive) are left unprejudiced (see sections 18-22 and 112 of the DP Code.)
In all the above cases, the employee's right to object to the processing on legitimate grounds shall be left unprejudiced (see section 7(4), letter a., of the DP Code.)
8. Appointing Staff in Charge
An employer might want to appoint one or more data processors to give them specific instructions on the controls allowed for and the respective arrangements; this is no mandatory requirement, although it may prove helpful especially in a complex organisation (see section 29 of the DP Code).
As regards actions to be taken with a view to system maintenance, care will have to be taken in preventing access to personal data that is contained in folders and/or memory areas allocated to specific employees.
This is without prejudice to the obligation for the entities in charge of the data processing operations arising out of the aforementioned activities – in particular maintenance staff – to only carry out such operations as are absolutely necessary to achieve the relevant purposes – i.e. without performing whatever kind of distance monitoring, even on their own initiative.
Furthermore, it is necessary to include training in network management and security, data protection principles, and communications secrecy when setting out the rules of practice applying to system administrators and/or similar entities in charge of ensuring the smooth operation of IT systems (see Annex B to the DP Code, rule no. 19.6; see also Opinion no. 8/2001 of the WP29, point 9.)
BASED ON THE ABOVE PREMISES, THE GARANTE
1. instructs private and public employers, in pursuance of section 154(1), letter c. of the DP Code, to take the measure required in order to safeguard data subjects under the terms set out in the premises, consisting in the obligation to specify the usage arrangements employees are to comply with in respect of email and the Internet – whereby they shall have to clearly specify how the tools they make available should be used as well as whether, to what extent and in what manner controls are carried out;
2. lays down the following guidelines to safeguard data subjects under the terms set out in the premises, with regard to:
a. adopting and publicizing internal guidelines (point 3.2.);
b. adopting organisational measures (point 5.2.), in particular to
- carefully assess the impact on employees' rights;
- specify in advance which employees are allowed to use email and access the Internet, also by category/class;
- specify the location of workstations so as to reduce the risk of misuse;
c. adopting technological measures, which include in particular, but are not limited to, the following:
I. as for use of the Internet (point 5.2., a.):
- specifying which websites (by category) are considered to be related/unrelated to work performance;
- configuring systems and/or using filters to prevent certain operations from being performed;
- processing data in anonymous format and/or in such a manner as to prevent users from being mmediately identified, by suitably aggregating the data in question;
- retaining the data for no longer than is necessary to achieve organisational, production and/or security purposes;
- providing for a layered approach to controls (point 6.1.);
II. as for email services (point 5.2., b.):
- making available email accounts to be shared by several employees, possibly along with individual accounts;
- making available an ad-hoc account to be used by an employee for private purposes;
- making available specific user-friendly functions to allow automatically sending out-of-office reply messages whenever it is known in advance that an employee will be absent from work, whereby such messages should provide details for contacting another employee and/or department at the company/body in question;
- where it is necessary to access the contents of email messages on account of pressing requirements related to work, and the relevant employee is absent from work unexpectedly and/or for a prolonged period, allowing the data subject (i.e. the employee in question) to entrust another employee (trusted party) with checking the contents of his/her email messages and forwarding such messages as are considered to be work-relevant to the employer (data controller). The data controller should keep specific records of these activities and the employee concerned should be informed thereof as soon as possible;
- including a disclaimer in email messages to clarify, where appropriate, that they are not to be regarded as confidential and/or personal in nature, specifying whether the replies may be accessed by third parties in the sender's organisation;
- providing for a layered approach to controls (point 6.1.);
3. prohibits private and public employers, under section 154(1), letter d. of the DP Code, from processing personal data by means of hardware and software systems with a view to the distance monitoring of employees (point 4), in particular by means of the following:
a. the systematic scanning and recording of email messages and/or the respective external data apart from what is technically necessary to provide email services;
b. the reproduction and systematic storage of the web pages visited by employees;
c. keystroke pattern analysis and recording devices;
d. hidden monitoring/analysis of laptops entrusted to individual employees;
4. pursuant to section 24(1), letter g. of the DP Code, sets out the cases in which personal, non-sensitive data may be processed in order to pursue the employer's legitimate interests also without the data subjects' consent – under the terms referred to in the premises (point 7);
5. orders that a copy of this decision be forwarded to the Publishing Department at the Ministry of Justice for it to be published in the Official Journal of the Italian Republic in accordance with section 143(2) of the DP Code.
Done in Rome, this 1st day of March in the year 2007
THE SECRETARY GENERAL
(1) See Opinion no. 8/2001 by the Article 29 Data Protection Working Party, on the processing of personal data in the employment context, dated 13 September 2001 – points 5 and 12.
(2) See Niemitz v. Germany, 23 November 1992, para. 29; Halford v. United Kingdrom, 25 June 1997, para. 44-46.
(3) See Working Document by the Article 29 Data Protection Working Party on surveillance of electronic communications in the workplace (WP55), dated 29 May 2002, p. 4.
(4) See also the Instructions on the Use of Email in the Public Administration, dated 27 November 2003; Council of Europe's Recommendation no. R(89)2 on the protection of personal data in the employment context; WP29's Opinion no. 8/2001, referred to above, point 5.
(5) See Council of Europe's Recommendation no. R(89)2, referred to above, point 3; WP29's Opinion no. 8/2001, point 9.1.; WP55, referred to above, point 3.1.3.
(6) Judgment no. 1236 of 18 February 1993 by the Court of Cassation; judgment no. 9211 of 16 September 1997.
(7) Judgment no. 1490 of 11 March 1986 by the Court of Cassation.
(8) See also judgment no. 8250 of 17 June 2000 by the Court of Cassation, on use of the data for providing evidence in judicial proceedings.
(9) Judgment no. 1236 of 18 February 1993 by the Court of Cassation; judgment no. 9211 of 16 September 1997.
(10) Judgment no. 1490 of 11 March 1986 by the Court of Cassation.
(11) Council of Europe's Recommendation no. R(89)2, article 3(1).
(12) See article 3(2) of the CoE's Recommendation referred to above. Under this provision, "The agreement of employees or their representatives should be sought before the introduction or adaptation of such systems or devices where [there is] a possibility of infringement of employees' right to respect for privacy and human dignity unless domestic law or practice provides other appropriate safeguards."
(13) See Garante's decision dated 2 February 2006 (web doc. No. 1229854)
(14) See the Notice issued by the Garante on 16 June 1999, as published in the Garante's Bulletin no. 9 (June 1999); see also judgment no. 9425 by the TAR (administrative court) of Latium, division I-ter, dated 15 November 2001.
(15) See Document WP55 referred to above, p. 23.
(16) See Document WP55 referred to above, p. 5.