Data protection considerations in internal investigations

Thursday 1 September 2022

Francesca Petronio
Willkie Farr & Gallagher, Italy

When conducting an internal investigation that includes a review of employees’ emails among its activities, various constraints arising from labour law and privacy law must be taken into account. As the Grand Chamber of the European Court of Human Rights has affirmed in several judgments, the core of the matter is finding a balance between the employee’s right to respect for private life and correspondence, set forth by Article 8 of the European Convention on Human Rights, on the one hand, and the employer’s right to take measures to ensure the smooth running of the company, on the other.

In Italy, the matter is governed by several provisions of different statutes, all of which have to be taken into account and all of which affect the way internal investigations and email reviews must be carried out.

The Italian Constitution protects the secrecy and inviolability of correspondence (Article 15), and the Criminal Code punishes whoever opens and reveals the content of sealed letters, including emails (Article 616 of the Criminal Code).

From a labour law perspective, the matter is governed by Law No 300/1970, as reformed by Legislative Decree No 185 of 24 September 2016 (the ‘Workers’ Statute’). In particular, Article 8 prohibits the employer from investigating employees’ opinions related to politics, religion, trade unions and personal life, and Article 4:

  • prohibits: (1) remote surveillance or monitoring of workers by ‘audio-visual equipment’ or ‘other equipment’ (referred to as ‘distant monitoring’) if the ultimate purpose is to monitor the employees’ performance; and (2) investigations into employees’ opinions related to politics, religion, trade unions and personal life;
  • allows distant monitoring in the workplace only where organisational, business or security needs, or the protection of corporate assets, require it, and only if: (1) the employer reaches an agreement with the workers’ representatives; or (2) in the absence of such an agreement, the distant monitoring tools are approved by the Labour Inspectorate;
  • sets forth that the aforementioned procedure does not apply to the instruments used by the worker to perform their work or to the instruments recording access to the workplace;
  • provides that information gathered through distant monitoring can be used for purposes connected to the employment relationship only if the employee has been given adequate information on how the monitoring tools are used, and only in compliance with data protection regulation.

Notwithstanding these general principles, Article 4 of the Workers’ Statute sets forth a specific exception: controls on employees’ emails and files can be conducted where the employer has to defend its rights and there is a proven suspicion of wrongdoing (so-called ‘defensive controls’). Defensive controls do not fall under Article 4 of the Workers’ Statute.

The investigative activities must comply with the rules set by the EU General Data Protection Regulation No 2016/679 (‘GDPR’),[1] by Legislative Decree No 196/2003, as subsequently modified and amended by Legislative Decree No 101/2018 (the ‘Data Privacy Code’) (the GDPR and the Data Privacy Code, collectively, the ‘Privacy Laws’), and by the decisions and guidelines of the Italian Data Protection Authority (‘Garante’).

Issues relating to data privacy arise from the preliminary and initial phases of the internal investigation onwards, and they play a prominent role even in the activities that give rise to an investigation.

In particular, imaging and file review constitute processing of personal data, and under the GDPR and the Data Privacy Code personal data must, amongst other things, be: (1) processed lawfully[2] and fairly; (2) collected for specific, explicit and legitimate purposes; (3) processed only where necessary and proportionate in relation to the purposes for which the data are collected; and (4) stored for no longer than necessary for the purposes for which the data were initially collected (principle of storage limitation).

In general terms, and in order to be able to conduct informed and effective internal investigations, the following principles and key constraints provided by Privacy Laws must be taken into account and respected:

  • Information and explicit consent remain the key principles of the protection of personal data. The employer, pursuant to Article 13 of the Italian Data Privacy Code and in its capacity as data controller, must provide each involved employee with an information notice setting out: (1) the purposes and means of the data processing; (2) the identity of the data processors, as well as of those to whom the data may be communicated; and (3) the employees’ rights in the context of the processing.[3] The employee’s consent (and the information notice to the employee) is not necessary if, amongst other cases, the processing is necessary (i) for complying with a legal obligation to which the controller is subject; or (ii) for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The latter could include a ‘defensive investigation’, provided that the data are processed exclusively for that purpose.[4]
  • Data subjects have the right to obtain from the controller the erasure of personal data concerning them without delay and controllers have the obligation to erase personal data without undue delay.[5]
  • Each controller has a duty to keep a record of the processing activities performed under its responsibility, which must contain all relevant information concerning the processing operations.[6]
  • The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.[7]
  • Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.[8]
  • Organisations must document how they are complying with the principles of the GDPR, and data protection authorities may ask an organisation to produce this information at any time.[9]

Furthermore, in relation to the use of emails and the internet in the employment context, companies should also adopt specific internal guidelines, to be approved by trade unions and publicised internally, in order to enable the employer to carry out controls on employees’ internet files and emails.[10]

All the aforementioned principles and rules are crucial when organisations conduct investigations.

In addition to the immediate actions aimed at preserving the documents to be reviewed (ie, circulating a document retention notice/freeze notice among the employees), and before initiating the collection and review of data, the decision on how to deal properly with the information notice and consent is often a key moment in setting up an investigation plan, especially when deciding to access and review the inboxes of employees who are not the suspects of the investigation, given the conflict between the company’s wish to protect the confidentiality of the investigation and the need to respect data privacy requirements. It is important to establish whether consent is needed; this may depend on the existence of concurrent criminal investigations, or on the existence of a previous information notice and consent form allowing the review of emails/devices, signed together with the employment contract.

In addition, according to Annex A to the updated Data Privacy Code,[11] where data are processed to exercise the right of defence in judicial proceedings, the processing may take place even before a proceeding is pending, provided that the data are strictly functional to the exercise of the right of defence and are processed in accordance with the principles of lawfulness, proportionality and data minimisation with respect to the defensive purposes.

Furthermore, the following rules apply to the data processing operations carried out by or on behalf of the Italian company:

  • The investigation accessing personal data must be ‘absolutely necessary’ for the specific purpose.
  • Information systems and software should be configured to minimise the use of personal information and discard any unnecessary data – if the purpose sought can be achieved by using anonymous data, identification of an employee should only occur in cases of absolute necessity.
  • The investigative activity must be ‘proportionate’: alternative and less intrusive measures should be considered before engaging in any monitoring activity of electronic communication; emails should be searched only through key words or other filters that limit to the minimum extent possible the perimeter of the review.
  • Data retrieved must be retained only for the time necessary to carry out the investigation and no longer.
  • The review of employees’ emails must be performed by firms/individuals expressly appointed in writing (by means of the appointment letters of data processors and of persons in charge of the processing) by the person within the Italian company who holds data protection powers.
  • The relevant employees of the Italian company (those whose emails will be reviewed) should be informed of the purposes and procedures for processing their emails and give their consent to it (by means of the information notice and consent forms).

More specifically, the company should appoint as data processors all the entities (eg, the other companies of the group) and external firms (lawyers, e-discovery firms/forensic specialists, etc) that will receive the personal data, by means of a specific appointment letter as data processor; this letter should be signed by the person within the Italian company who holds data protection powers. Each data processor so appointed shall then appoint its identified employees as persons in charge of the processing (by means of the appointment letters as persons in charge of the processing).

This complex scenario becomes even more complicated when dealing with multinational groups or cross-border investigations, as several additional legal issues must be resolved in advance to ensure full compliance with the applicable statutes. With specific regard to cross-border investigations, the company must always be mindful of the regulatory framework, particularly when the investigation is handled from another jurisdiction or the data are stored in another jurisdiction, since issues may arise in relation to the transfer of personal data to countries that are deemed not to meet certain minimum requirements in relation to data protection. For example, the sharing of the investigative report and of the emails is itself considered processing of personal data. All the law firms and other entities involved in the review must be appointed as data processors. Moreover, the transfer of personal data to recipients in third countries outside the European Economic Area (EEA) is only permitted where the strict requirements for international data transfers under Articles 44 et seq of the GDPR are met. Safeguards may need to be implemented to ensure adequate protection of personal data, such as entering into additional agreements with the recipients outside the EEA.

Non-compliance with Privacy Laws as well as with the Workers’ Statute may expose companies to negative consequences including:

  • criminal actions: improper data processing could constitute a crime under Article 167 of the Data Privacy Code;
  • fines: administrative fines of up to several million euros, or up to a percentage of the company’s total worldwide annual turnover, whichever is higher, may be imposed;[12]
  • damage claims: an employee whose rights have been violated may bring a civil action seeking damages suffered as a consequence of the unlawful processing of his or her personal data;
  • restriction of the ability to obtain information or to use it: (1) data retrieved in violation of the law cannot be used as evidence in court; and (2) data retrieved in violation of the law must be destroyed.

In conclusion, Italian data privacy laws set strict limits on the conduct of internal investigations, and companies have to deal with a variety of requirements and obligations. To ensure compliance with data protection laws, companies should carefully assess the individual circumstances and legal requirements of each investigation. Companies are well advised to set up an investigation plan that takes into due consideration all privacy and labour law constraints, including appropriate internal procedures and technical and organisational safeguards, enabling the company to manage the internal investigation effectively and in line with legal requirements. The steps taken should be documented in order to be able to demonstrate compliance with the GDPR. Otherwise, companies may face serious sanctions, damage claims by data subjects, reputational damage and the exclusion of evidence obtained through unlawful processing.


[1]     The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. It also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to: (i) the offering of goods or services; or (ii) the monitoring of their behaviour. See GDPR, art 3 – Territorial scope.

[2]     The processing of personal data is considered lawful when: (i) the data subject has given consent; (ii) processing is necessary for the performance of a contract; (iii) processing is necessary for compliance with a legal obligation; (iv) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (v) processing is necessary for public interest; (vi) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

[3]     If the Italian company’s internal policies (duly provided to the employees) already contain this information and are properly communicated to the employees, no separate information notice is required. According to the Italian Data Protection Authority’s guidelines, the internal policy must: (i) set out the rules that the employees must follow in using email communication systems and the Internet; (ii) identify the individuals and/or the corporate functions (eg, IT personnel) that oversee compliance with the policies; (iii) set out the procedure to be followed to image and access the data, with sufficient detail as to when, to what extent and through which means the imaging and review will be managed, as well as the employees’ rights in this process; (iv) indicate that continuous, real-time monitoring of emails will not occur; and (v) provide that the imaging and review is limited to a reasonable time period relevant to the purpose of the review.

[4]     See also n 2.

[5]     See GDPR, art 17 – Right to erasure.

[6]     See GDPR, art 30 – Records of processing activities.

[7]     See GDPR, art 32 – Security of processing.

[8]     The GDPR calls this assessment ‘Data Protection Impact Assessment’, or ‘DPIA’. A DPIA may be required, for example, when processing highly sensitive data, using new technologies, processing children’s data, or processing that risks physical harm to the individuals whose data is collected if the data is leaked. See GDPR, art 35 – Data protection impact assessment.

[9]     See GDPR, art 5 para 2 – Principles relating to processing of personal data.

[10]    See Guidelines of the Garante for email and Internet dated 1 March 2007, available at www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1387522.

[11]    ‘Regole deontologiche relative ai trattamenti di dati personali effettuati per svolgere investigazioni difensive o per fare valere o difendere un diritto in sede giudiziaria’ (Ethical rules relating to the processing of personal data carried out for defensive investigations or to assert or defend a right in judicial proceedings).

[12]    See GDPR, art 83 – General conditions for imposing administrative fines.