The Italian Constitution guarantees the freedom and confidentiality of correspondence and all other forms of communication.
The restriction or withholding of private correspondence, or the violation of the privacy of such correspondence, is a crime under Article 616 of the Penal Code. This provision includes email correspondence.
The Privacy Code (Decree-Law 196/2003) and the Labour Law (300/1970) prohibit all forms of remote surveillance by an employer, including surveillance using hardware or software systems. For example, it is illegal systematically to read and record an employee's emails or to record the websites that an employee visits, as such methods are deemed an illegal invasion of an employee's privacy in the workplace.
However, the Labour Law includes an exception that allows the use of technologies which could indirectly result in remote surveillance, provided that (i) the employer obtains the consent of the appropriate trade union or the authorization of the local labour office, and (ii) such surveillance is essential for organizational or manufacturing reasons or for workplace security.
On March 1 2007 the Data Protection Authority issued a further set of guidelines aimed at establishing principles for the use of email and the Internet in the workplace. The authority's guidelines require employers to adopt an email and internet policy, which must describe in detail:
- the extent to which employees may use the technologies in question for personal communications in the workplace;
- the surveillance methods, if any, used by the
- the information which may be stored temporarily and the parties with access to such information; and
- the disciplinary penalties that may be applied for misuse of such technologies.
Employers must disclose the policy appropriately by emailing it to employees and displaying copies in generally accessible areas of the workplace.
Supreme Court Decision
In Decision 47096, issued on December 11 2007, the Supreme Court found an employer not liable under Article 616 of the Penal Code. It held that the employer had not violated the privacy of an absent employee's email correspondence because the employer had complied with the relevant company policy.
The relevant parts of the policy stated that:
- the company's email and internet systems were not for employees' personal use;
- access to employees' computers should be password
- each employee should secretly communicate his or her password to the employer; and
- in the employee's absence, the employer could use the password to access his or her account and read emails received at his or her company email address.
Therefore, as the employer had adopted the policy and had followed the appropriate procedure in the employee's absence, the court held that the employee's privacy had not been violated under Article 616.
The Supreme Court would probably not have found in the employer's favour had the employer not implemented a policy on email and internet use.
The fact that the employer had forbidden all personal use of the company's email and internet systems simplified the situation - it was clear that in checking the employee's emails, the employer could expect to view work correspondence only.
The situation is more complicated if a company's policy allows employees to make reasonable personal use of its email and internet systems. Monitoring or accessing an employee's email correspondence in such cases would require the employer to act carefully and with the prior consent of the appropriate trade union or the authorization of the local labour office.
Such prior consent or authorization is not required if such monitoring is deemed defensive – that is, if it is aimed at preventing unlawful conduct by employees. The meaning of the term 'defensive' in this context is elastic and could be subject to a range of interpretations depending on the company's core business.