Internet – Monitoring by Employers Must Be Proportional - Decision of 2 February 2006
[doc. web n. 1296734]
[doc. web n. 1229854]
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having considered the complaint lodged by XY, via his counsel Alfredo Sigillò Massara and Vincenzo Sigillò, at whose office he chose to be legally domiciled, against ZK S.p.A., represented by its counsel Maurizio Maggio, at whose office it chose to be legally domiciled;
Having regard to Sections 7, 8, and 145 of the Personal Data Protection Code (legislative decree no. 196/2003);
Having regard to the considerations made by the Secretary General pursuant to Section 15 of the Garante's Rules of Procedure (no. 1/2000);
Acting on the report submitted by Mr. Mauro Paissan;
The complainant was the subject of disciplinary sanctions imposed by defendant, a nursing home where the complainant was employed and in charge of registrations and the handling of medical examinations, on account of having accessed the Internet at the workplace without being authorised to do so.
The complainant had requested blocking and erasure of the personal data concerning him as related to the said access, in pursuance of Section 7 of the DP Code. Defendant had provided proof of the accesses in question by producing several pages – which were annexed to the disciplinary provision as well – that contained, in particular, information on the temporary files and cookies generated on the complainant's computer by the browsing performed during log sessions that had been started by using the password assigned to the said complainant.
Having received no reply, the complainant lodged a complaint with the Garante in pursuance of Section 145 and following ones of the DP Code, as he considered the processing of his data to be unlawful.
The complainant alleged that the data in question included sensitive information, which was suitable for disclosing, in particular, religious beliefs, trade union opinions, as well as sexual attitudes and orientations, since many files had to do with Internet sites of a pornographic nature. Defendant is alleged to have processed those data without any consent and without providing prior information either to the data subject or to the "trade union representatives in the company… in breach of Section 4 of the Workers' Statute, which allows such activities to only be carried out with the prior consent by either the trade unions' representatives or the employment inspectorate" concerning the possibility that the computer terminals in the office might be the subject of controls. Therefore, the complainant reiterated his claims and petitioned that the legal costs should be awarded to the losing party.
Following the letter by which the Garante, in pursuance of Section 149(1) of the DP Code, invited defendant to comply with the petition, defendant sent submissions on 29 November 2005 in which it referred to the complaint as inadmissible (because the complainant allegedly was not entitled to lodge such a complaint insofar as he "firmly denied that he had ever carried out the activities referred to in the disciplinary provision") and considered the processing in question to be lawful by quoting case law in which similar cases of employee monitoring had been found to be lawful. More specifically, defendant pointed out that:
- "The facts underlying the complaint (…) are related to the complainant's dismissal for just cause following the detection (…) of serious breaches performed by the employee in question, which – as for the matters at stake in this proceeding – concerned his having unlawfully accessed the Internet via the company's computers he availed himself of (…), having used, without being authorised to do so, paper sheets to print out the results of his browsing activities, and having damaged the company's network following the introduction of computer viruses. An ad-hoc complaint was lodged against the said employee with regard to the latter circumstances";
- The complainant was not informed in advance of the possibility that computer checks might be carried out because "he was not supposed to access the Internet by having regard to the tasks he was in charge of";
- The company has equipped itself with "a quality manual that is available to all employees using the company's computer terminals (…) and can be consulted by clicking an ad-hoc icon"; the manual informs employees both that "in order to protect the data, regular back-ups will be performed and appropriate anti-virus software will be installed and maintained" and that "computers should be regarded as corporate property that is entrusted to an employee with a view to the performance of his/her tasks; any use for private purposes must be avoided";
- The company was not required to obtain the employee's consent, which is not necessary (under Section 24 of the DP Code) if the processing is grounded, as in the case at issue, on "the legitimate need to establish a legal claim, also with a view to judicial proceedings. This applies both to the employment relationship with XY and termination of the said relationship, and to the protection of the company's property and activities, by having regard also to the socially relevant purposes pursued by the company, which is a certified health care provider (…) and thereby a part of the broader system set up by the law in order to guarantee citizens' right to health as set out in the Constitution";
- Sections 2, 3, and 4 of the Workers' Statute allegedly "leave unprejudiced an employer's power (as per Sections 2086 and 2104 of the Civil Code) to verify, either directly or via the employer's hierarchical organisation, performance of the tasks committed to his/her employees, and thereby detect possible specific breaches whether already committed or underway"; the ban on distance monitoring of employees set out in Section 4 of Act no. 300/1970 (the Workers' Statute) applies "if that monitoring concerns, directly or indirectly, the performance of work, whilst any controls aimed at detecting wrongdoings by an employee (so-called "defensive controls")" – such as those performed in the case at issue – "should be considered to unquestionably fall outside the scope of the said provision";
- "Using a company's computer for private purposes is a breach of contract on the employee's part"; therefore, the company could lawfully implement the defensive controls required in order to establish its claims.
At the hearing held on 6 December 2005, the complainant noted that in the case law quoted by defendant it had been considered lawful to subject employees to surveillance because the processing of personal data "was short-lasting and not excessive, or else only concerned time logs without including contents".
In the submissions presented on 13 January 2006 – after expiry of the extended period set out for the handing down of the decision by the Garante – defendant reiterated that they considered the processing to be lawful and notified that, at the complainant's request, a date had been set for summoning the parties in view of the mandatory settlement conference under the terms of Section 410 and following ones of the Civil Procedure Code. Allegedly, this confirmed the complainant's intention "to seize judicial authorities in order to claim unlawful dismissal".
In the submissions presented on 25 January 2006, complainant reiterated his petitions and pointed out, in particular, that:
- The only password used by complainant was the "user password" that allowed starting the work session on the computer, whereas no password was required to get to the Internet, which was freely accessible by means of the Windows Explorer icon;
- "ZK's quality manual (…) does not refer to monitoring of Internet accesses"; anyway, the processing did not concern backup files, since the records contained in the "navigation data pages" related to the complainant "show that the "temporary Internet files" directory contained in the "x-y" folder was manually copied"; a similar operation was allegedly performed in respect of the "browsing history, which cannot be derived from an automatic backup procedure";
- The processed data also include information suitable for disclosing sex life, which may only be processed without the data subject's written consent (see Section 26(4) of the DP Code) in order to establish a legal claim "of the same rank as the data subject's one"; the claims lodged by defendant (termination of employment relationship, protecting corporate property, allegedly socially relevant purposes pursued by the company in protecting citizens' health) would not appear "to be of the same rank as those Mr. XY (…) is seeking to establish";
- The processing performed by the employer should be regarded as excessive, since it "has been in progress for an indefinite period, and anyhow at least since early January of 2005".
Defendant reiterated that the processing performed was lawful in submissions received on 27 January 2006.
BASED ON THE ABOVE PREMISES, THE GARANTE CONSIDERS THAT
The complaint at issue concerns lawfulness and fairness of the processing of data related to browsing of the Internet by an employee, which was objected to by the respective employer.
The complaint is grounded.
The petition for inadmissibility of the complaint is to be rejected.
Defendant claimed that corporate property had been used for private purposes without authorisation and charged the complainant with having browsed the Web during work sessions that had been started by means of his password. Given the direct, unique relationship claimed by defendant – with a view to the imposition of disciplinary sanctions, dismissal for just cause, and lodging of the complaint – between the complainant and the data derived both from the temporary files and from the cookies, as exhibited in the course of the proceeding, the complainant is to be regarded as "data subject" under the terms of Section 4(1), letter i), of the DP Code, whereby he is the "natural person (…) that is the subject of the personal data"; therefore, he is entitled to exercise the rights referred to in Section 7 of the DP Code and lodge a complaint with the Garante.
As for the merits, it should be pointed out that the company, in order to provide proof of a wrongdoing related to the employment context, carried out in-depth enquiries without informing the data subject beforehand about the processing of his personal data as well as in breach of Section 11 of the DP Code – which requires any data to be processed lawfully and fairly in compliance with the principle whereby the data must be relevant and not excessive in respect of the purposes sought.
The records on file show that the employer collected the Internet navigation data by accessing the computer terminal committed to the data subject and copying the folder that contained all the transactions carried out on the said terminal during the work sessions started by means of the data subject's password; this is shown by the string appearing at the beginning of the file listings submitted by defendant, i.e. `c:\copia\Documents and settings\x-y`. Therefore, defendant did not access backup files, whose existence is made known to employees by means of the "quality manual" they can access via their own computer terminals.
Apart from the fact that the data subject had not been informed beforehand that the above enquiries would possibly be carried out or that certain mechanisms would be implemented to carry out such enquiries, it should be stressed, from another viewpoint, that the complainant seemingly did not need to access the Internet for discharging his tasks. Therefore, defendant could have shown that the complainant had committed wrongdoings by having regard to the appropriate use of the tools committed to him at the workplace, using other means to prove that the complainant had unduly accessed the network for specific periods. Conversely, the company processed many other items of information on a large scale, also relating to the specific "contents" of the individual websites visited by the complainant during his navigation – and thereby carried out (in a non-transparent manner) processing operations that were excessive in respect of the purposes to be achieved.
Additionally, the collection of the said information resulted in the processing of sensitive data that were suitable for disclosing religious beliefs, trade union opinions, and sex life – by having regard to the considerable amount of information that was evaluated over a long time span, the specific contents resulting from some web addresses, and the unified context within which those data were evaluated. The legislation on personal data sets out specific safeguards in respect of the said sensitive information, which were not complied with in full in the case at issue (see Section 26 of the DP Code, and the Garante's general authorisation no. 1/2004).
Indeed, it should be taken into account that sensitive data may only be processed by an employer without the employee's consent if the processing is "indispensable" to establish or defend a legal claim (see Section 26(4), para. c), of the Code, and the Garante's authorisation no. 1/2004). In the case at issue, even though the personal data were collected within the framework of computer checks aimed at detecting wrongdoings, which resulted in the lodging of a complaint against, the imposition of a disciplinary sanction on, and the dismissal of the employee, it does not appear that the processing was indispensable under the terms referred to above.
Furthermore, since the processing also concerned "data suitable for disclosing health and sex life", it could only have been lawful in order to establish or defend a legal claim either of the same rank as the data subject's one or consisting in a personal right or another fundamental, inviolable right or freedom. This condition was not fulfilled either, given that the claims in question only concerned the employment relationship (see Section 26(4), letter c), of the Code, and point 3, letter d), of the aforementioned authorisation by the Garante; see also the Garante's provision dated 9 July 2003).
In the light of the foregoing considerations and by having regard to Section 11(2) of the Data Protection Code, whereby any data that is processed in breach of the relevant data protection provisions may not be used, the Garante hereby prohibits defendant – under Section 150(2) of the DP Code – from further processing the personal data collected in the manner that is the subject of the complaint in question, in order to safeguard the data subject's rights.
This decision leaves unprejudiced any and all rights the parties may have in connection with the lawfulness or unlawfulness of the complainant's conduct.
Further to the general provision dated 19 October 2005, which set out the costs and duties to be awarded as a lump sum in connection with the handling of complaints, the overall costs and duties related to the complaint in question shall be awarded to defendant and set at Euro 500, of which Euro 150 shall cover handling costs by having regard, in particular, to the procedural steps required for lodging the complaint.
BASED ON THE ABOVE PREMISES, THE GARANTE
a) finds that the complaint is grounded and accordingly prohibits defendant from processing the data subject´s personal data that are referred to in the complaint;
b) awards the costs related to the proceeding to ZK S.p.A., such costs being set as a lump sum at Euro 500 which defendant shall have to pay directly to the complainant.
Done in Rome, this 2nd day of February 2006
THE SECRETARY GENERAL