Data Protection Authority backs decision to suspend employee for unauthorised access to company data
Data Protection Authority backs decision to suspend employee for unauthorised access to company data
Newsletters
March 16 2016 | Contributed by Stanchi Studio LegaleThe Data Protection Authority recently found that an employer's decision to suspend an employee was legitimate in light of its right to defence against the employee's breach of Article 24 of the Privacy Code and Articles 2104 and 2015 of the Civil Code.
Facts
An employee appealed to the Data Protection Authority against his employer processing his personal data, which was stored on his work computer. The computer had been seized when the employee was suspended. It was subsequently subjected to a content check and a copy of the hard disk was made.
The employee challenged the employer's actions as unlawful and arbitrary due to the absence of assurances regarding "the immutability of the contents of the PC" and the fact that the data acquisition took place "in his absence and in the presence of a third party unconnected to the company… in violation of the principles of relevance".
The authority's findings revealed the following:
- The employer had taken only the necessary steps to prevent interference that could have affected the investigation of serious and repeated violations of criminal and civil laws during the disciplinary proceedings that it had brought against the employee. The violations concerned the rules for processing personal data.
- After discovering the leak of confidential corporate information, the company examined the event logs on the registries of computers used by other employees. The findings revealed numerous instances of unauthorised access of these computers via the computer used by the employee under suspicion. The company subsequently suspended him as a precautionary measure.
- When performing processing operations, the company's data controller asked the employee to hand over his personal work computer, which was put into a sealed envelope without being switched on or given to anyone else. The computer was only switched on and the hard disk verified during a meeting that the employee attended.
- The employee had refused to check the content of his computer together with company personnel. As a result, the company used an external IT company to analyse the PC in the presence of a trusted staff member. The examination process was conducted and documented meticulously, without accessing the employee's personal files. A technical report of the operation was drafted.
- The examination's findings confirmed the company's accusation against the employee. The computer was subsequently put back into a sealed envelope and held on the company's premises to be made available to civil and criminal judicial authorities.
The Data Protection Authority assessed the legitimacy of the employer's actions, having found that the employer was entitled to carry out proper checks on performance and protect its assets. It found that correct procedure had been followed in that regard, as the checks had aimed to protect the company's rights.
Comment
The authority's decision is notable because it examined a specific procedure that used digital forensics techniques to examine a company's computer system and IT tools entrusted to employees.
For further information on this topic please contact Andrea Stanchi or Laura Lattanzi at Stanchi Studio Legale by telephone (+39 02 546 9522) or email (a.stanchi@stanchilaw.it or studio@stanchilaw.it).
Comments
Post a Comment
Please share your valuable comments and thoughts on this article. Thanks!