The Court of Cassazione has confirmed the survival of the so-called “defensive controls” in the current regulatory framework, following the amendment of Article 4 of the Workers’ Statute on the subject of remote controls of working activity brought by Legislative Decree no. 151 of 2015 and Legislative Decree no. 185 of 2016.
COMMENT – In a recent ruling, the Court of Cassazione affirmed the following principle of law: “The controls, including technological ones, carried out by the employer for the protection of assets unrelated to the employment relationship or aimed at avoiding any unlawful conduct are permitted in the presence of a well-founded suspicion of the commission of a unlawful behaviour, provided that a proper balance is guaranteed between the need to protect the interests and assets of the company, related to the freedom of economic initiative, and the essential protection of the dignity and privacy of the employee, provided that the control pertains to data acquired after the onset of the suspicion”.
The case in question concerns a disciplinary contestation, which resulted in the dismissal of an employee for using the company’s equipment for private purposes, which, in addition to causing an undue interruption of the employee’s working activity, led to the spread of a virus within the company’s network with consequent damage to the company’s assets.
Following such spread, the employer carried out a check on the computer used by the employee, discovering that the virus had spread from such computer and noticing, on the same occasion, numerous accesses by the employee to websites for reasons unrelated to work.
In challenging the dismissal, the employee contested, among other things, the employer’s possibility to lawfully invoke for disciplinary purposes the information acquired by the company during the search for the origin of the computer virus, given the absence of an adequate information under privacy laws on how the controls would be carried out, as required by Article 4, paragraph 3, of the Workers’ Statute in order for data collected through remote controls to be used for all purposes related to the employment relationship.
The Court ruled out that the employer had violated Article 4 of the Workers’ Statute on the grounds of the company’s need to protect the data contained within the company network affected by the virus and to verify the origin of the virus, stating that the employer was not precluded from using the data obtained through the check on the computer used by the employee, since they were acquired through a remote control which was not subject to the limits set out in Article 4 of the Workers’ Statute it being a so-called “defensive control”.
In order to reach this conclusion, the Court firstly carried out an excursus on the institution of “defensive controls”, starting from the regulation of remote controls under Article 4 of the Workers’ Statute in the version of the rule in effect before the 2015 reform.
The former version of Article 4 of the Workers’ Statute provided for two levels of protection of the personal sphere of the employee: the first was represented by the provision of the absolute prohibition of the use of audio-visual systems and other equipment for the purpose of controlling remotely the activities of workers if such controls were not supported by business reasons; the second consisted in the provision of the necessary completion of certain “safety procedures”. In this context, the jurisprudence had, therefore, created the so-called “defensive controls”, which were admitted as an exception to the safety procedures provided for by Article 4 of the Workers’ Statute, in order to give the employer a means of protection in the event of unlawful activities carried out by its employees to the detriment of the company’s assets.
Although they were essential to protect the company’s assets, defensive controls could only be carried out in derogation of Article 4 of the Workers’ Statute if three conditions were met, two of which were necessary while one only potential.
As regards to the first two requirements, it was necessary, on the one hand, for the employer’s initiative to be specifically aimed at ascertaining a specific unlawful conduct by the employee and, on the other hand, for the unlawful acts to be damaging to the assets or image of the company.
The third and final condition, which was only potential, consisted in the fact that the employer’s controls were made ex post, i.e. after the actual execution of the unlawful conduct, so that they were necessarily unrelated to the mere monitoring of the performance of the working activity. The potential nature of the third condition stemmed from its function of mere confirmation of the effectiveness of the defensive control, the mere suspicion that unlawful conduct was being carried out being sufficient.
Following the 2015 legislative amendment, among other things Article 4 of the Workers’ Statute implicitly reaffirmed the rule that remote controls of workers’ activities are not lawful unless they are compliant with the provisions of the same Article 4. The new wording has, however, given rise to doubts as to the survival, or otherwise, of defensive controls due to the inclusion of the “protection of the company’s assets” among the needs listed in the first paragraph of the provision, for which instruments can be used under the conditions of legitimacy defined therein. The “protection of the company’s assets” is, in fact, the very reason why jurisprudence has created defensive controls, so that it could now be argued that defensive controls are currently included in the area of operation of Article 4 of the Workers’ Statute and that they must, therefore, be subject to the relevant regulations.
In order to unravel this issue, the Court distinguished between the so-called defensive controls “in the broad sense” and the so-called defensive controls “in the strict sense”: the former are those aimed at defending the company’s assets, targeted indiscriminately at employees in their generality; the latter, on the other hand, are those aimed at ascertaining the unlawful conduct of individual employees.
Well, according to the Court, defensive controls “in the broad sense” must necessarily be implemented in accordance with the provisions of Article 4 of the Workers’ Statute, while those “in the strict sense”, not having as their object the activity of the employee, do not fall within the scope of application of Article 4 of the Workers’ Statute despite the fact that they are carried out through the use of technological instruments. The main feature that characterises and makes legitimate the defensive control “in the strict sense” is its existence ex post and, therefore, its implementation only after the unlawful conduct of the employee of which the employer had a well-founded suspicion.
In conclusion, the Court stated that the ex post control cannot concern the examination and analysis of data acquired before the “well-founded suspicion” arose and, therefore, in breach of Article 4 of the Workers’ Statute; otherwise, the scope of application of defensive controls would be extended beyond all reasonable limits, granting the employer the power to monitor its employees continuously for long periods of time, being in the position to declare the targeted nature of the control only afterwards (i.e. ex post), so as to focus the control on information which, on a case-by-case basis, might be of interest to the employer for disciplinary purposes.
 Court of Cassazione, employment section, 22 September 2021, no. 25732.
 Court of Cassazione, employment section, 28 May 2018, no. 13266.
Photo: Auguste Renoir, Bal au moulin de la Galette, 1876