The Privacy Guarantor sanctions the Lombardy Region over email metadata

Source: Programmaradon.it – Author: Valeria Carozzi.

The Region has been fined €50,000 by the Guarantor for several unlawful processing practices: retention of email metadata beyond 21 days, unlimited retention of employee internet browsing logs, and retention of data relating to technical assistance requests. In light of these findings, every company should carefully review its own internal practices.

Point 1: Email Metadata

Although the Guarantor's document on email metadata retention set a maximum retention period of 21 days, organizations are often still not compliant. To exceed this limit, the company must have a union agreement or an authorization from the labor inspectorate; otherwise it violates Article 4, paragraph 1 of the Workers’ Statute (Law 300/70). In this case, the Region retained the data for 90 days without a union agreement or an impact assessment, and was therefore fined.

It should be recalled that the Authority considers email metadata to be information protected by the confidentiality guarantees of the Constitution (Articles 2 and 15), which safeguard the dignity of individuals and the development of their personality. Such data must also be protected in the workplace, including in smart working and agile working arrangements. For this reason, the Authority has imposed a 21-day limit on their retention, or, alternatively, required a union agreement or an authorization from the labor inspectorate.

Point 2: Sanction for monitoring internet browsing

The Region was also fined for operating a content filtering system that recorded the IP addresses of attempts to access blacklisted sites, and for retaining this data indefinitely. This could have allowed the agency to obtain employees’ private information, violating their privacy rights. Showing that the data had never been accessed or processed was of no avail.

In this case too, it is necessary to set deletion deadlines (currently set at 90 days), to correctly inform workers about the tracking, and to conclude the union agreement.

Point 3: Unlawful processing of ticketing system data

The Lombardy Region was finally fined for unlawful processing of technical assistance request data in the ticketing system, even though the system was outsourced to a vendor. The investigation revealed extensive data retention going back to 2016 (including on a previously decommissioned but still accessible ticketing system), without specific instructions on data processing in the ticketing system. The Guarantor criticized the Region for failing to justify the long retention period of the decommissioned ticketing system, but approved the new system with a reduced retention period of one year.

What can we learn?

To comply with the provisions of the Guarantor, the Region has therefore signed specific union agreements, anonymized logs relating to failed access attempts to websites included in the blacklist, reduced the retention period for internet browsing logs to 90 days, with the possibility of longer retention following anonymization, and prepared an impact assessment for the various processing operations.
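The remediation just described amounts to two concrete retention rules: email metadata is deleted once it is older than 21 days, and web-filter logs of failed access attempts are anonymized once they are older than 90 days (and may then be kept longer only in anonymized form). The following Python script is an added example, not code from the article or from the Region's systems; the record layout, field names, the choice of truncating IP addresses to a network prefix as the anonymization step, and the sample records are all assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Retention limits described in the article, encoded as policy constants.
EMAIL_METADATA_MAX_AGE = timedelta(days=21)       # delete after 21 days
BROWSING_LOG_ANONYMIZE_AFTER = timedelta(days=90)  # anonymize after 90 days


@dataclass(frozen=True)
class Record:
    """One stored log record (assumed layout, not the Region's schema)."""
    kind: str           # "email_metadata" or "web_filter" (assumed record kinds)
    ts: datetime        # event time, timezone-aware
    src_ip: str         # client address
    user: str | None    # account name; None once the record is anonymized
    detail: str         # free-text event description
    anonymized: bool = False


def anonymize_ip(ip: str) -> str:
    """Truncate an address to its /24 (IPv4) or /48 (IPv6) network.

    Dropping the host bits is a one-way transformation: the result no longer
    points at a single workstation, but still supports aggregate statistics.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def apply_retention(records: list[Record], now: datetime) -> tuple[list[Record], dict]:
    """Apply the two retention rules and return (surviving records, statistics).

    The statistics dict is what a compliance report would show: how many
    records were kept unchanged, purged, or rewritten in anonymized form.
    """
    kept: list[Record] = []
    stats = {"kept": 0, "purged": 0, "anonymized": 0}
    for rec in records:
        age = now - rec.ts
        if rec.kind == "email_metadata":
            if age > EMAIL_METADATA_MAX_AGE:
                stats["purged"] += 1
                continue  # hard delete: no anonymized copy is retained
        elif rec.kind == "web_filter":
            if age > BROWSING_LOG_ANONYMIZE_AFTER and not rec.anonymized:
                rec = replace(rec, src_ip=anonymize_ip(rec.src_ip), user=None, anonymized=True)
                stats["anonymized"] += 1
        else:
            raise ValueError(f"unknown record kind: {rec.kind}")
        kept.append(rec)
        stats["kept"] += 1
    return kept, stats


# Fixed reference time so the example is reproducible (assumed, not from the case).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def sample_records(now: datetime = NOW) -> list[Record]:
    """Constructed sample data; names and addresses are invented."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)
    return [
        Record("email_metadata", days_ago(5), "10.0.0.12", "m.rossi", "sent: 1 recipient"),
        Record("email_metadata", days_ago(30), "10.0.0.12", "m.rossi", "received: 1 sender"),
        Record("web_filter", days_ago(10), "10.0.0.5", "g.bianchi", "blocked: category social"),
        Record("web_filter", days_ago(120), "10.0.0.5", "g.bianchi", "blocked: category streaming"),
    ]


if __name__ == "__main__":
    survivors, report = apply_retention(sample_records(), NOW)
    print(report)
    for r in survivors:
        print(r.kind, r.ts.date(), r.src_ip, r.user, r.anonymized)
```

Running the script against the constructed records purges the 30-day-old email metadata entry, keeps the 5-day-old one, leaves the 10-day-old web-filter record untouched, and rewrites the 120-day-old one with its user field cleared and its address reduced to `10.0.0.0/24`. The distinction between the two rules matters: the article's 21-day limit on email metadata is a deletion deadline, whereas the browsing logs may survive beyond 90 days only because the identifying fields are removed, so a scheduled job like this one should run daily and the statistics it returns should be kept as evidence that the policy is actually enforced.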

In summary, all companies should keep in mind that sanctions of this kind still rest on the Workers’ Statute, enacted in 1970, which could not have foreseen the “American approach” digital tools we now use. Until that legal reference is updated, it is necessary to:

Clearly inform workers about how their data will be processed.

Map the tracking systems in use in the company.

Define information retention criteria based on the actual needs of the processing.

Conduct an impact assessment on tracking systems that may infringe the rights of employees (deemed to be vulnerable subjects).

Sign specific union agreements or request specific authorizations from the INL if it is not possible to comply with the 21-day criterion for the retention of email metadata.

Carefully regulate the relationship with technical service providers.
