by Federico Manfredi and Rebecca Pala
Remote working has revealed itself to be a revolution in the methods of execution and management of the employment relationship, destined to stabilize on an economic and – consequently – also on a legal level. The difference on the organisational-business level, compared to what was experienced with the previous “emergency dimension” is evident, since in the current context, it is no longer necessary to temporarily obviate health restrictions of various measures, but to implement a real new method of carrying out one’s job stably. The repercussions on the organisation of work in the company therefore have a completely different and more fixed scope. Furthermore, as can be guessed, what is at stake also fully involves the use of remote control tools which in the present context, have an unprecedented role in supporting the organisation of remote work even before exercising the power of employer control.
In recent years, technological evolution has made it necessary to define new limits applicable to the employer’s power of control, which is carried out by means of systems and devices that are interposed between the worker and employer. It is in this context that the reform of the Jobs Act with Legislative Decree 151/2015 amended Article 4 of the Workers’ Statute relating to remote controls. First of all, it should be noted that the rule applies to all employers, private and public, which can set up systems to supervise the work carried out by employees. The workers concerned are all subordinates, including managers, subject to the aforementioned controls. The wording of the article introduces two regimes. The first regime relates to audiovisual systems as well as other tools which also give rise to the possibility of the remote monitoring of workers. The second, relates to the devices used by the employee to perform their job.
The systems referred to in the first category, can be legitimately installed by the employer if there are organisational and production needs for work safety and, as a new reason, for the protection of company assets. Furthermore, it is necessary to establish a collective agreement, stipulated by the trade union or labour union of the company. In the case of a company with multiple production units located in different provinces of the same region, or in several regions, the agreement can be defined comparatively by the most representative trade union associations on the national territory. In the event that an agreement is not reached, or due to the absence of RSU/RSA or due to non-converging intentions of the parties, the installation of the systems must be authorised by the Labour Inspectorate, territorially competent, or in the hypothesis in which the company has multi-located in offices of different territorial jurisdictions, by the National Labor Inspectorate.
As for the tools used by the employee to perform the service, the employer is not subject to the prior negotiation of a trade union agreement or administrative authorisation. Therefore, having fulfilled the obligations of an informative nature relating to the personal treatment of the worker acquired, the aforementioned information can be used for any purpose connected to the employment relationship. It should be specified that the consent of the worker is not required for the use of the data, but it is sufficient for the employee to receive a communication – attributable to the managerial power of the employer – about the company policies, relating to the methods of use of the control tools at a distance or containing the prescriptions to which the worker must comply with in the use of work tools. The usability of the data is in fact subject to compliance with the obligations set out in the Privacy Code, Legislative Decree 196/2003. Submission to the legislation therefore allows the worker to claim the protection of confidentiality and also to exercise all the prerogatives provided with regard to the methods of access, transparency, accuracy and retention of personal data over time.
It is therefore evident how important it is to understand what are the distinctive criteria of the devices, such as to make each of them fall within the first or second regime. In fact, from both types of tools, it is possible to monitor the worker’s activity directly or at a later stage. The control tool, governed by the first paragraph of art. 4 of the Workers’ Statute is presented as a technology, installed by the employer, with the sole aim of carrying out a check on work performance; the employee therefore occupies a passive position, in which they are required to undergoing such control. Instead, the work tool referred to in the second paragraph of art. 4 of the Workers’ Statute is present in the operational availability of the employee and is used by them in the fulfilment of the work performance. This tool contains an intrinsic and unavoidable functionality of indirect surveillance and subsequent collection of data, including the personal data of the worker. The tools used for recording attendance and access to the workplace are also subject to the same regime.
Finally, the case relating to devices owned by the worker upon which a program owned by the employer is applied in order to access the company computer networks, has recently become relevant. In this case, the same tool presents sensitive data, belonging to the employee’s private sphere and data relating to the work activity. Given that Article 4 of the Articles of Association does not provide for distinctions regarding the ownership of the tool, it follows that there is the possibility that in some cases the application installed by the employer is also considered as a “work tool”, provided there is the consent of the worker (as the owner of the device) and provided that this is functional to the performance of their duties. Given the delicacy of the situation in question, the employer should in any case proceed with the checks, adopting specific measures in order to ensure that the monitoring carried out is also pursuant to the provisions of art. 88 of the GDPR.
Lastly, a separate topic is arises from the use of “defensive” controls. The introduction of the protection of company assets, among the reasons that legitimise the installation of the control tools, intervenes in the field of defensive controls. This is a category of jurisprudential controls, aimed at balancing the protection of the dignity and confidentiality of the worker with the need for self-protection of the employer against unlawful conduct carried out by the employee. The most recent jurisprudence on this point distinguishes between defensive controls “in the broad sense” and defensive controls “in the narrow sense”. The first type includes checks in defence of company assets against all employees, necessarily carried out in compliance with Article 4 of the Statute, with the consequence that non-compliance with the requirements makes the control illegitimate and the data unusable. The defensive controls in the strict sense, on the other hand, are beyond the scope of application of the relevant standard. For this last check to be legitimate, it must be targeted and carried out ex post, if the employer has suspicion of unlawful behaviour of one or more workers.