Italy: Garante fines Lazio Region €100,000

The Italian data protection authority (‘Garante’) announced, on 19 December 2022, that it had issued, on 1 December 2022, its decision No. 409, in which it imposed a fine of €100,000 on the Region of Lazio for unlawful monitoring of employees’ email metadata.

The Italian data protection authority (‘Garante’) announced, on 19 December 2022, that it had issued, on 1 December 2022, its decision No. 409, in which it imposed a fine of €100,000 on the Region of Lazio, for violation of Articles 5(1)(a), 5(1)(e), 5(2), 6, 12, 13, 25, 35, and 88(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), and Articles 113 and 114 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (‘the Code’), following a complaint submitted by the trade union FEDIRETS.

Background to the decision

In particular, the Garante reported that FEDIRETS had complained about the monitoring activities carried out by the Region on the employees working in the regional legal department. More specifically, the Garante explained that such monitoring had taken place as part of an internal audit that was launched by the Region on the suspicion of a possible unauthorised disclosure to third parties of information protected by official secrecy.

Findings of the Garante

Further to the above, at the end of the investigation carried out, the Garante found that the Region, in order to verify the alleged unlawful disclosure, had instructed LAZIOcrea S.p.A., in its capacity as data processor, to carry out checks on the metadata relating to the use of the institutional email accounts by the employees in question, specifically on date, time, sender, recipient, subject, and size of the emails, which allowed the Region to obtain information relating to the employees’ private sphere, such as their opinions, contacts, and facts not related to work. In this regard, the Garante also explained that the monitoring was made possible because the metadata relating to the use of the institutional email accounts assigned to the Region’s employees was collected in advance and then routinely stored for 180 days.

Further to the above, the Garante determined that the generalised collection and extensive storage of email metadata, which, as a form of correspondence, is protected by the Italian Constitution, are not instrumental to the performance of the service by the employees, within the meaning of Law 300/1970 (‘Workers’ Statute’), and thus found that the Region of Lazio had processed personal data without a legal basis and in violation of the sectoral rules on remote monitoring of employees and collection of data, resulting in a breach of Articles 5(1)(a), 6, and 88(1) of the GDPR and Articles 113 and 114 of the Code.

Moreover, the Garante held that the Region had processed personal data relating to the use of email accounts by employees:

  • in a manner inconsistent with the principles of lawfulness, fairness, and transparency, storage limitation, and accountability, in breach of Articles 5(1)(a), 5(1)(e), and 5(2) of the GDPR;
  • without providing the employees concerned with information on the processing of personal data, in breach of Articles 12 and 13 of the GDPR;
  • in a manner inconsistent with the principles of Data Protection by Design and by Default, in breach of Article 25 of the GDPR; and
  • without carrying out a Data Protection Impact Assessment (‘DPIA’), in breach of Article 35 of the GDPR.

In light of the violations ascertained, the Garante imposed on the Region a fine of €100,000, considering, among other things, the specific nature of the processing operation and the prolonged duration of the same, which was, at the time of the decision, still under way.

Outcomes

In conclusion, the Garante imposed the aforementioned fine on the Region and ordered the same to:

  • cease any processing of the metadata relating to the use of employees’ emails;
  • delete the personal data collected unlawfully; and
  • communicate the measures adopted to satisfy the decision within 30 days.

Lastly, the Garante noted that the Region of Lazio may lodge an appeal before the judicial authority within 30 days.

You can read the press release here and decision here, both only available in Italian.