The Italian Data Protection Authority prohibits companies from using software which may monitor employees



On 8 March 2018, the Italian Data Protection Authority (hereinafter, the “Garante”) banned any further processing activities of the Customer Care employees’ data, which were carried out by an important Italian telecommunication company (hereinafter, the “Company”), through a software (namely, Salesforce Arcadia, hereinafter the “software”) that handled the calls to subscribers. The software processed not only the data related to the calls of the customers and their biographical data in order to facilitate the management of the customer’s request, but also the personal data of the call center operators of the Company, enabling further processing of information related to their activity.

Specifically, the Garante contested:

  • the Company’s failure to deliver to such employees a comprehensive information about the processing;
  • the absence of a specific Trade Union agreement.

Therefore, the processing was declared unlawful and the data collected inoperable.


Main issues

The measure at stake results from an investigation that the Garante launched in response to complaints from a Trade Union organisation and from call center employees after the introduction of a new software by the Company in January 2016, with the purpose of being used as CRM (Customer Relationship Management) for the customers of the Company.

The analysis of the software revealed that it allows to establish adequate links between the different activities of hundreds of call center operators and, in particular, the storage, the collection and the recording of some of their personal data, such as the identification number of the employee (“operators code)”, the type of activity performed, the duration, the date and the time of the call.

Such data would be used by the Company to evaluate – through daily reports – the performance, the efficiency and the quality of the service and generally improve the organisation’s internal resources.

The Company clarified that such recording does not automatically generate reports in order to monitor the operators’ activities and that the relevant human resources functions do not have access to the collected data of the employees, which may be used only by legitimate users to manage the ordinary interaction with the customers, and by system administrators.

The corporate managers of the Company declared that they were unaware of the opportunity to carry out – through the abovementioned software – individual and specific processing and profiling operations of the data related to the quantity and to the quality of the work performance of the employees.

In accordance with the principles of lawfulness and fairness laid down in the article 11.1.a of the D. lgs no. 196/2003 (the Italian Personal Data Protection Code, hereinafter the “Privacy Code”) and as stated in a recent judgement of the European Court of Human Rights, which we spoke about some months ago (case of Bărbulescu v. Romania, Application no. 61496/08), the Garante considered that the involved employees did not receive a comprehensive information notice about the processing of their personal data pursuant to article 13 of the Italian Privacy Code because it did not specify in a clear and detailed way the collection and the purpose of these processing activities. With regard to the latter point, the Garante clarified that the processing of the personal data – collected through systems like the one at stake – for the purpose of legal defence of the Company, is allowed only when there is an existing litigation or a pre-litigation situation meanwhile not applicable to abstract and uncertain events of potential litigation defence.

Moreover, the Garante notes that the software allows the employers to track, directly or indirectly, the activities carried out by its operators, enabling the potential monitoring of their work. On this regard, the Garante – contrary to the view expressed by the Company – considers that the software at stake cannot be considered as a tool used to purely carry out the work of the call center operators but rather as an organisational tool that may be used for the indirect and remote monitoring of the Company’s employees; originating the need of applying the procedures laid down in article 4.1 of the Law no. 300/1970 (“Statuto dei lavoratori”) and therefore a specific union trade agreement or the previously expressed authorisation of the local Labour Inspectorate must be entered into.


Practical implications

In light of the above, companies should pay special attention to the softwares adopted within their own organisation in order to verify if any software is able to potentially track the employees’ activities. In the event that the verification has a positive outcome, the companies should:

  • assess the proportionality and subsidiarityof the intended monitoring as defined by Article 29 Working Party Opinion 2/2017, in order see whether less intrusive means may achieve the same aim;
  • provide an adequate and comprehensive information notice to the employees concerned, which clarifies the modality and the purposes of the processing pursuant to Article 13 of the Privacy Code;
  • enter into Trade Union agreements with the Trade Union organisations concerned or, alternatively, obtain the expressed authorization of the local Labour Inspectorate pursuant to Article 4 of the Statuto dei lavoratori.