The Authority sanctions the municipality of Bolzano for 84.000 EUR
It is not possible to control the internet browsing of workers indiscriminately. Regardless of specific trade union agreements, any control activities must always be carried out in compliance with the Workers’ Statute and privacy legislation.
This is stated by the Italian Personal Data Protection Authority in a sanctioning measure against the Municipality of Bolzano, initiated on the basis of a complaint lodged by an employee who, during disciplinary proceedings, found out he was being watched constantly. The administration, which had initially contested the consultation of Facebook and YouTube during working hours, had then closed the proceedings because the navigation data collected were unreliable.
The Authority's assessment found that the Municipality had used, for about ten years, a system for monitoring and filtering employees' internet navigation, with the data retained for a month and dedicated reports produced, for network security purposes. Although the employer had entered into an agreement with the trade unions, as required by the industry regulations, the Guarantor highlighted that such data processing must also comply with the data protection principles laid down by the GDPR. The system, implemented by the Municipality without adequately informing employees, allowed processing operations that were unnecessary and disproportionate to the purpose of protecting and securing the internal network, carrying out a preventive and generalized collection of data on connections to websites visited by individual employees. Furthermore, the system also collected information that was unrelated to professional activity and in any case related to the private life of the data subject.
In the measure, the Authority noted that the need to reduce the risk of misuse of internet browsing cannot lead to the complete elimination of any expectation of confidentiality of the person concerned at the workplace, even in cases where the employee uses the network services made available by the employer.
In the course of the investigation, breaches were also noted with regard to the processing of data relating to requests for extraordinary medical verification by employees, made through a special form. The form, made available by the administration, provided for compulsory inspection by the manager of the organizational unit, which involved the unlawful processing of health data.
The Authority, taking into account the full cooperation of the administration, has ordered a penalty of 84.000 EUR for the unlawful processing of personnel data. The Municipality will also have to adopt technical and organizational measures to anonymize the data on employees' workstations, to erase the personal data present in the web navigation logs, and to update the internal procedures identified and included in the trade union agreement.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP