- Italian Criminal Code. Under Article 616 of the Italian Criminal Code (Infringement, subtraction and deletion of correspondence), it is a crime to read the content of an unopened item of correspondence (including emails and other electronic communications) addressed to a third party. The offense is punishable by imprisonment of up to 1 year and a fine ranging between €30 and €516. The crime is punishable only if the offense is reported by the victim.
- Workers’ Statute. The Italian Workers’ Statute contains some general principles relating to the processing of employees’ personal data1. It prohibits remote surveillance or monitoring of employees by “audio-visual equipment” or “other equipment” (referred to as “distant monitoring”) where the ultimate purpose is to monitor the employees’ performance.
Monitoring employees by means of video-surveillance systems in the workplace is allowed only where justified by specific needs relating to the organization, business, security, or protection of corporate assets and only if: (i) the employer reaches an agreement with the employees’ representatives; or (ii) in the lack of such an agreement, the distant monitoring tools are approved by the Italian government agency responsible for dealing with protection and safety in the workplace namely the National Labor Inspectorate. The above mentioned procedure does not apply to devices used by employees to perform their work (e.g., smartphone, tablet, laptop, personal computer) or to tools recording access to the workplace.
The Workers’ Statute rules are particularly relevant in the context of internal investigations. In order to safely carry out controls and be compliant with data protection rules and the Workers’ Statute, companies should put in place specific measures, such as (a) introducing policies on internal investigations and on the appointment of investigators, (b) introducing or reviewing policies related to use of work emails, laptop and Internet, (c) seeking agreement with the workers’ representatives and obtaining the Labor Inspectorate’s approval before introducing any means of monitoring or (d) keeping employees informed and reviewing periodically IT infrastructure and policies. The IT policies should, in particular, include provisions regarding the following: (i) use of email accounts and Internet by employees, (ii) use of company’s IT resources and other IT resources, (iii) duty of secrecy, (iv) security measures, (v) password management, (vi) the possibility to deny access to websites which are unrelated to the scope of work, and (vii) the procedures in place to report suspected wrongdoings to the competent authorities.
- Law on corporate criminal liability. Legislative Decree No. 231 of 2001 (Decree 231) also set forth rules in connection with whistleblowing channels and data privacy. In particular, it provides that companies are required to put in place “at least one alternative whistleblowing channel capable of guaranteeing the confidentiality of the identity of the whistleblower using computerized methods”.
Companies adopting an organizational model pursuant to Decree 231 should put in place whistleblowing policies that ensure the privacy and confidentiality of the whistleblower and of the process, and forbid any kind of direct or indirect retaliation or discrimination against the whistleblower for reasons connected to their report.
For more information on Legislative Decree No. 231 of 2001, see also the section regarding Anti Bribery and Corruption.
1 Articles 4 and 8 of Workers’ Statute.