Comune di Bolzano – €84,000 Fine (Italy, 2021)

The Italian DPA (Garante) has fined the municipality of Bolzano EUR 84,000. A former employee of the municipality filed a complaint with the DPA against the municipality. In particular, the former employee complained that the municipality processed personal data related to his internet use during working hours and that he later received a notice of initiation of disciplinary proceedings accusing him of accessing Facebook for more than 40 minutes and YouTube for more than 3 hours during his working hours and of using the municipality's computer for private purposes. The DPA's investigation revealed that the municipality had been using a system to control and filter employees' internet browsing for about a decade, with monthly retention of data and creation of special reports for network security purposes. The system also collected information that had nothing to do with professional activities and, in any case, concerned the private life of the person in question. The DPA finds that the controller thus violated the principle of data minimization, lawfulness and purpose limitation. The controller should rather have taken less intrusive measures to prevent the private use of the Internet. The DPA pointed out that the need to reduce the risk of misuse of Internet navigation cannot lead to the complete elimination of any privacy of the data subject at the workplace, even in cases where the employee uses network services provided by the employer. In addition, the controller had not adequately informed employees about the collection of Internet history, in violation of its obligation under Article 13 of the GDPR. Furthermore, the investigation identified other violations in the processing of data related to employees' requests for extraordinary medical examinations, which were made using a special form. The form provided by the controller had to be checked by the head of the organizational unit, a circumstance that led to the unlawful processing of health data.