There is no breach of privacy law in using data contained in a trade union mailing list for disciplinary purposes, when such list was delivered to the employer by one of the recipients

Court of Cassation, Section 1, Judgement, 31 May 2021, no.15161

The case concerned an employee of a local health authority and company representative of a trade union organization who, following a report to the company by one of the participants in the union’s mailing list, was served with a disciplinary notice regarding the offensive content of several e-mails he had sent to people on the mailing list in relation to company management.
The employee applied to the Data Protection Authority to block the processing of the data, claiming that the use of e-mail correspondence for disciplinary purposes was a violation of the Data Privacy Code by the employer.

The claim was considered unfounded by the Data Protection Authority, in whose opinion “the above-mentioned e-mail communications related to ‘personal data’ and were subject to the rules of the Data Privacy Code, but their use was not unlawful, having been transmitted to the company by another person on the mailing list, to obtain an assessment in disciplinary matters; the company had not played any role in the collection of the data, nor had it carried out any investigations or asked any employees about it, but had simply processed it within the scope of the disciplinary powers vested in the company“.
The employee appealed the decision.
The Court rejected the appeal, and the employee went on to file an action in the Supreme Court.
According to the Supreme Court, “e-mail messages fall within the notion of personal data”. Article 4(1)(b) of the Data Privacy Code, considers personal data “any information relating to a natural person, identified or identifiable, even indirectly, by reference to any other information (…), to which the code assimilates the identification data that allow the direct identification of the person concerned“.
Thus, “the use of the expression ‘any information’ in the definition of the concept of ‘personal data’ in Article 2(a) of Directive 95/46 reflects the EU legislature’s aim of giving a broad meaning to that concept, which is not limited to sensitive or private information but potentially covers all types of information whether objective or subjective, in the form of opinions or assessments, provided that they ‘concern’ the interested party’ (judgment of 20 December 2017, C-434/16, p. 33-34).”
The expression “any information” continues the Court of Cassation, “in the Directive clearly signals the legislator’s desire to define a broad concept of personal data”. From the point of view “of the nature of the information, the concept of personal data covers any kind of statement about a person; it may therefore include ‘objective’ information such as the presence of a given substance in a person’s bloodstream, but also ‘subjective’ information such as opinions or assessments (because) their use may have an impact on that person’s rights and interests, taking into account all the circumstances of the case”.
And therefore, the Court of Cassation, after having clarified that the data in question are personal data, does not find “any unlawful processing of such data“, since the company’s behaviour “was not aimed at investigating the trade union orientation or the opinion of the worker, but exclusively at sanctioning the offensive or inappropriate remarks made about the general manager of the local health authority“.
The Court reminds us that “the Data Privacy Authority observed that the respondent company did not play any active role in the collection of data relating to Mr. S. In fact, they came across it in a report by an employee of the ASL itself, who had been included by Mr S. among the recipients of the communications he had sent. Accordingly, there was no monitoring and/or checking of the employee’s e-mail box”.