In a recent provision (13 May 2021 – doc. Web N. 9669974), the Italian Data Protection Authority sanctioned a Municipality for having implemented an internet navigation control system without having provided the workers with a policy in accordance with Article 13 of European Regulation 679/2016. The case dealt with by the Authority arose from a disciplinary sanction imposed on a public worker for using the Municipal PC for non-work purposes, in particular for having consulted Facebook, YouTube and other pages.
From the Authority’s findings it emerged that the Municipality involved had, for ten years, had in place a system of control and filtering of employees' internet navigation, with the retention of data for a month and the creation of dossiers, for network security purposes.
The processing occurred in the absence of an employee policy on possible controls by the employer on internet access. In fact, in the course of the verifications it emerged that, on the website of the Authority, there was no specific information on the processing of employees' personal data, nor was there, in the information that was available, any reference to the processing of personal data relating to their internet browsing.
A reference to internet connection processing operations was present in other documents made available to employees, some of which were published on the intranet, namely the union agreement, the code of conduct, some internal circulars from the Personnel Office, as well as the form that each employee had to sign when applying for internet access and other network services.
These acts, which did not include all the essential information elements required by Article 13 of the Regulation, and which were adopted in order to comply with different obligations from those deriving from the rules on data protection, cannot replace the policy that the controller has to give to the data subjects, before starting the processing, on the essential characteristics of the processing. That policy enables the person concerned to be fully aware of the types of processing operations which may also be carried out using, within a framework of lawfulness, the data collected in the course of work (see Judgments of the European Court of Human Rights of 5 September 2017 – action n. 61496/08 – Barbulescu v. Romania, spec. par. n. 133 and 140, and judgment of 9 January 2018 – action n. 1874/13 and 8567/13 – López Ribalda and Others v. Spain, spec. par. n. 115).
On this point, it is emphasized that the fulfillment of the information obligations towards the employees (which consist in the “adequate information on the modalities of use of the instruments and of carrying out controls”) is a specific condition for the use of all data collected in the course of the working relationship, using technological tools and/or working tools, for all purposes connected with that relationship, including disciplinary observations, together with respect for the rules on the protection of personal data (see art. 4, paragraph 3, l. 20 May 1970, n. 300).
SOURCE: FEDERPRIVACY