The new handbook of the Privacy Guarantor


Who knows if everyone knows that it is illegal to point the surveillance camera at the badge and time recorder of any office or job. Whether it works or not, it's illegal.
This is what is established in the Vademecum of the Guarantor for the protection of personal data drawn up and made public on 24 April.

The handbook reads:
Private and public employers are prohibited from processing personal data using hardware and software systems aimed at remote control of workers. This prohibition also applies to the use of control tools such as video surveillance and geolocation.
Remote controls must not be expressly carried out in order to verify compliance with the duties of diligence established for compliance with working hours and correctness in carrying out the work performance (for example by directing the camera towards the badge).

And there is no consenting or dissenting union agreement that holds.


Absolute prohibition of the Privacy Guarantor also on the geolocation of employees by companies, even if "adequate precautions are taken to protect their private life". Different if the stated aim is not to control them, but to “optimize the use of resources present in the area and improve the management, coordination and timeliness of technical interventions. In this case, if really necessary, adequate precautions and guarantees must be adopted, pursuant to art. 4 of ln 300/1970, the plants and equipment, "from which the possibility of remote control of the workers' activity can also derive, can be installed only with prior agreement with the company union representatives, or, in the absence of these, with the internal commission. In the absence of an agreement, at the request of the employer, the Labor Inspectorate [today DTL Territorial Labor Directorates] provides, dictating, where necessary, the methods for the use of such facilities”.

In the case dealt with by the Guarantor, the companies, which have undertaken to reach an agreement with the trade union organizations, will have to adopt measures that guarantee that the information visible or usable by the app is only that of geolocation, preventing access to other data, such as example, sms, e-mail, telephone traffic. Furthermore, a clearly visible icon must always appear on the smartphone screen to inform employees that the localization function is active. Employees must also be well informed about the characteristics of the application and the data processing carried out by the companies. According to the Guarantor, the Privacy Code is respected here, as the system makes it possible to optimize the management of technical interventions, increasing the speed of response to customer requests, especially in the event of emergencies or natural disasters.


The use of the internet is no longer prohibited, as it used to be. Indeed, according to recent research, public administrations still travel too little on the web. However, the Guarantor distinguishes between navigation for work reasons and navigation for pleasure.

Controls by the employer for organizational or safety reasons are lawful only if the principles of pertinence and non-excess are respected. The software systems must be programmed and configured in such a way as to periodically and automatically delete personal data relating to internet access and telematic traffic, the retention of which is not necessary.
Private employers and economic public bodies may process the worker's personal data, other than sensitive data, for the legitimate exercise of a right in court, against the manifestation of a free consent or for a legitimate interest, i.e. if the worker has been expressly informed.
Consent is given by prior agreements between the employer, union representatives and the employee.
Therefore the employer has the duty to inform, clearly and in detail, the employees on which methods of use of the tools made available are considered correct and if, to what extent and with which methods controls are carried out, using for example example, an internal, clear and up-to-date specification supported by suitable information.
Therefore, it is up to the employer to adopt suitable security measures to ensure the availability and integrity of information systems and data, also to prevent improper use.
As far as public employers are concerned, the processing of worker data is permitted only for the performance of institutional functions, on the basis of the Privacy Code, laws and regulations.
To limit the use of the internet, the employer must specify and make known all the modalities of the limitations and who is entrusted with the management of the same.
In practice, it must be clearly specified whether or not browsing the Internet or managing files on the internal network authorizes specific behaviors such as the download of software or music files or the use of network services for recreational purposes or purposes unrelated to work .
It is also necessary to specify what consequences, even of a disciplinary nature, the employer reserves the right to draw if it finds that the internet is being used improperly.
In order not to incur the penalties of the Privacy Guarantor himself, the employer must tend to preventively reduce the risk of improper use of the Internet by adopting appropriate measures that can prevent subsequent checks on the worker and which can be illegal depending on the case as they can involve the processing of sensitive data, such as religious, philosophical, political beliefs, health status or sex life.
For example, you can identify sites related or not to work performance or configure systems or filters that prevent certain operations.


And we come to the point 'time clock, with regard to the principle according to which specific, explicit and legitimate purposes must be pursued (Article 11, paragraph 1, letter b), of the Code), the employer may reserve the right to control (directly or through its own structure) the effective fulfillment of the work performance and, if necessary, the correct use of the work tools (see articles 2086, 2087 and 2104 of the civil code).
In exercising this prerogative, however, the freedom and dignity of workers must be respected, in particular as regards the prohibition to install "equipment for the purpose of remote control of the workers' activity" (art. 4, first paragraph, law 300/1970), which certainly includes hardware and software instruments aimed at user control of an electronic communication system.
The resulting data processing is unlawful, regardless of the unlawfulness of the installation itself. This, even when individual workers are aware of it.
In particular, treatment carried out using hardware and software systems designed for remote control, thanks to which it is possible to reconstruct – sometimes even minutely – the activity of workers, cannot be considered permitted. This is the case, for example:
• the reading and systematic recording of e-mail messages or related external data, beyond what is technically necessary to perform the e-mail service;
• the systematic reproduction and eventual memorization of the web pages viewed by the worker;
• reading and recording the characters entered using the keyboard or similar device;
• hidden analysis of entrusted laptops in use.
The remote control prohibited by law concerns working activities in the strict sense and other personal conduct in the workplace. Apart from any civil and criminal liability, data processed unlawfully cannot be used (Article 11, paragraph 2, of the Code).


The use of facebook, like Likedln and others, is permitted since it is the employer's right to find, for law or work purposes, employee data found on social networks also thanks to "mutual friends", without therefore sending direct contact request.
The situation regarding private chats is different: unlike social profiles, in fact, they are equated in all respects to correspondence, and therefore covered by the obligation of secrecy. (Article 15 of the Constitution)


On the other hand, the employer of a public body who collects sensitive data on the internet, relating for example to the sex life of an employee, in order to fire him, commits the illegal processing of personal data. In fact, personal data can only be used in court to protect a right. In addition to this, of course, there is the nullity of the dismissal for discriminatory reasons.


The art. 9 of Legislative Decree lgs. no. 33/2013 establishes that "Administrations cannot have filters and other technical solutions aimed at preventing web search engines from indexing and carrying out searches within the "Transparent Administration" section".
It should be noted that the indexing obligation in the general search engines during the mandatory publication period is limited only to the data strictly identified pursuant to the provisions on transparency to be placed in the "Transparent Administration" section, with the exclusion of other data which has the obligation to publish for other advertising purposes other than those of "transparency", as set out in the "Introduction" and in the second part of these Guidelines.
Among other things, sensitive data and judicial data are expressly removed from indexing (Article 4, paragraph 1, Legislative Decree No. 33/2013). Therefore, the recipients of the publication obligations envisaged by Legislative Decree no. lgs. no. 33/2013 must provide for the relative de-indexing through - for example - the insertion of noindex and noarchive metatags in the headers of web pages or the encoding of exclusion rules within a specific text file (the robots.txt file) placed on the server hosting the website configured in accordance with the Robot Exclusion Protocol (bearing in mind, however, that these precautions are not immediately effective with respect to content already indexed by Internet search engines, the removal of which may take place according to the methods by each of these provided


Moving from risks to opportunities, the Adecco Group has published the fourth edition of the research Work in the time of #SSocialRecruiting, conducted for the first time on a global level. The results that emerged from the research show that social media are, and will increasingly be, the new job market, but the effects of this revolution are not yet entirely clear for both job seekers and job offers. The research involved 1,500 recruiters from 24 countries and over 17,000 job seekers. According to the results, in 2013 more than half of the selection activities took place on the Internet (53%) and in 2014 the trend seems to have continued to grow up to 61%.
In Italy, the research was conducted in 2013 on 7,597 candidates and 269 selectors. 67% of the candidates interviewed confirmed that they use social networks to look for work (53% in 2013). Linkedin is the most used channel with 41%, followed by Facebook with 23%. Also in the last year, 56% of the interviewees disseminated their CV through social media and 7% found a job thanks to social media (they were respectively 30% and 2% in 2013). Contrary to expectations, social media recruitment is no longer the preserve of highly qualified candidates; in fact, most of the profiles sought are non-managerial ones. Among the more social sectors, sales emerge (which selects 54.2% of profiles on the web), administration and finance (45.8%) and marketing (40.8%).


Sign up to our newsletter!