Italian Data Protection Authority Backs Decision to Suspend Employee for Unauthorised Access to Company Data

The Data Protection Authority (DPA) (Garante per la protezione dei dati personali) recently found that an employer's decision to suspend an employee was legitimate in light of its right to defence against the employee's breach of Article 24 of the Privacy Code and Articles 2104 and 2015 of the Civil Code.

An employee appealed to the DPA against his employer processing his personal data, which was stored on his work computer. The computer had been seized when the employee was suspended. It was subsequently subjected to a content check and a copy of the hard disk was made. The employee challenged the employer's actions as unlawful and arbitrary due to the absence of assurances regarding "the immutability of the contents of the PC" and the fact that the data acquisition took place "in his absence and in the presence of a third party unconnected to the company… in violation of the principles of relevance".

The DPA found that the employer was entitled to carry out proper checks on performance and protect its assets. It found that correct procedure had been followed in that regard, as the checks had aimed to protect the company's rights.