Injunction against Municipality of Bolzano – 13 May 2021

Employees’ Internet browsing may not be monitored indiscriminately. Irrespective of specific trade union agreements, any monitoring must always be carried out in compliance with the Workers’ Statute and data privacy legislation.
This was stated by the Italian Data Protection Authority in a sanctioning measure against the Municipality of Bolzano, initiated on the basis of a complaint submitted by an employee who, in the course of a disciplinary procedure, had discovered that he was constantly monitored.
The administration, which had initially challenged the employee for visiting Facebook and YouTube during working hours, then dismissed the case because the browsing data collected was unreliable.
The investigations carried out by the Data Protection Authority revealed that the municipality had been using, for about ten years, a system for monitoring and filtering employees’ internet browsing, storing the data for a month and creating special reports for network security purposes. Although the employer had entered into an agreement with the trade unions, as required by the sectoral regulations, the Data Protection Authority pointed out that such data processing must also comply with the data protection principles laid down in the GDPR.
The system, which the municipality implemented without adequately informing the employees, allowed processing that was unnecessary and disproportionate to the purpose of protecting and securing the internal network: it carried out a preventive and generalized collection of data relating to connections to the websites visited by each employee. The system also collected information unrelated to the job and in any case related to the private life of the person concerned.
In the measure, the Authority pointed out that the need to reduce the risk of improper use of Internet browsing cannot lead “to the complete cancellation of any expectation of privacy of the person concerned in the workplace, even in cases where the employee uses the network services made available by the employer”.
The Data Protection Authority, considering the full cooperation of the administration, fined it €84,000 for unlawful processing of employees’ data. The Municipality will also have to adopt technical and organizational measures to anonymize the data relating to employees’ workstations, delete personal data present in recorded web navigation logs, and update the internal procedures identified and included in the trade union agreement.