The Italian data protection authority (“Garante”) has fined Lazio Region €100,000 following a complaint by the trade union FEDIRETS.
The union complained about monitoring activities carried out by the Region in relation to employees working in the legal department. The monitoring took place as part of an internal audit that the Region had initiated following a suspicion of possible unauthorised disclosure to third parties of information protected by professional secrecy.
In order to investigate and clarify the aforementioned issue, the controller commissioned LAZIOcrea S.p.A., acting as data processor, to carry out an audit of the metadata related to the use of business email accounts by employees. The audit covered the dates and times of correspondence, the identities of senders and recipients, and the subjects and sizes of emails, which allowed the controller to obtain information regarding the private sphere of employees, such as their opinions, contacts and other non-work-related information.
The Garante found that Lazio Region processed such a wide range of personal data without a legal basis and in breach of national legislation on remote employee monitoring and data collection.
In light of the breaches found, the Garante imposed a fine of €100,000 on the Region, taking into account, inter alia, the nature of the data processing and the lengthy time taken to carry out such in-depth and extensive monitoring of business mail.
The Garante imposed the said fine on the Region and ordered it to:
- cease any processing of metadata relating to employees’ email usage;
- delete personal data collected illegally; and
- report on the measures taken to implement the decision within 30 days.