Employers can legitimately check their employees’ e-mails (provided that they do so after they have been sent) when the facts are such as to warrant the carrying out of a retrospective investigation in relation to the employees’ conduct.
The Italian Supreme Court ruled to this effect with judgment no. 2722 handed down on February 23, 2012.
The case at hand concerned the dismissal for just case of a bank employee accused of having sent to third parties e-mails containing confidential information about one of the bank’s customers and having carried out – on the basis of such information – several financial transactions from which such employee personally benefitted.
The point of law examined by the Italian Supreme Court concerned the question of whether checking employees’(work) e-mails was compatible with article 4 of Law 300/1970 (the Italian Workers’ Statute) which, as is well known, prohibits the use of audio-visual or any other type of equipment for the purpose of controlling from a distance employees’ activities (paragraph 1) and regulates the manner in which surveillance equipment – which needs to be used for production-related or safety-related reasons and which also allows employers to control their employees from a distance (paragraph 2) – may be installed and used.
In such case, the installation of such equipment may be permitted solely in the event that the employee reaches an agreement in relation thereto with the employees’trade union representatives or, alternatively, is given instructions to this effect by the Work Inspectorate.
In the case at hand, the Supreme Court judges held that, however, that article 4, paragraph 2 was not applicable since the employees’ e-mails had been checked only after they had been sent (and, moreover, without the objective of controlling – even indirectly – the exactness of the work done by them).
The Court recalled, moreover, a consolidated body of case law according to which article 4, paragraph 2 is only applicable to checks which have been conducted recklessly (Italian Supreme Court judgment no. 4375/2010), which are to be construed as those checks which are conducted with a view to satisfying production or safety needs, but which also allow employers to continuously control their employees’ work.
The case at hand also allows us to analyze briefly the important and far from negligible data protection problems that arise from the long-distance surveillance of employees e-mails and which do not seem to have been taken into due account in the above-described judgment.
The Italian Data Protection Authority has, in fact, ruled in the past (Decision dated April 2, 2008) that the exchange of electronic correspondence between an employee and third parties (regardless of whether they are extraneous to the employee’s activity) is to be construed as an activity designed to disclose personal information concerning a data subject (i.e. the contents of correspondence, the names of the persons sending and/or receiving e-mails) which, per se, may be capable of revealing – as is the case with telephone traffic – relevant details about the persons contacted by the data subject and which, therefore, may be considered personal data, especially in the event that the e-mail address in question identifies an employee’s name and surname and is not an address shared among several employees, such as firstname.lastname@example.org, email@example.com, firstname.lastname@example.org (cfr. the Decision dated January 21, 2010).
This leads to the conclusion that such data (including the collection thereof) must necessarily be processed in accordance with the provisions set forth in Legislative Decree no. 196/2003 (starting from the obligation set forth in article 13 to serve upon the data subject a data protection notice).
In particular, the aforementioned data protection notice must clearly inform the data subject about the possibility that his or e-mails may be controlled, as well as the purpose and the manner in which such surveillance may take place (cfr. Decision dated May 18, 2006, Decision dated February 2, 2006, as well as Email and Internet Guidelines dated March 1, 2007, point 3.1.)
The Italian Data Protection Authority has ordered, therefore, employers to stop processing data in those cases in which data is processed for purposes other than the litigation-related reasons provided for under article 160 of the Italian Data Protection Code.
It would be advisable, therefore, to specify in data protection notices whether employers reserve themselves the right to control employees’e-mails (specifying in which cases this may take place and what protection is afforded to the latter, so as to balance the different interests at play).