Workplace Investigations

In internal investigations, the fundamental rights and freedoms of employees are at stake,  including the right to privacy, respect for the privacy of home life and correspondence, freedom of expression, and the obligation of loyalty in searching for evidence.

In principle, work emails and files can be reviewed, even without the employee's consent, prior knowledge or warning. This includes: work email accounts; files stored on a work computer or a USB key connected to a work computer; and SMS messages and files stored on a work mobile phone and documents stored in the workplace unless they are labelled as “personal”. On the other hand, it is not permissible for an employer (or an investigator) to review “personal” emails and files, such as documents or emails identified as “personal” by the employee, or personal email accounts (Gmail, Yahoo, etc), even if accessed from a work computer.

There are certain exceptions to the above principle. An employer is allowed to check “personal” emails or data in any of the following cases:

• if the employee is present during the review;
• if the employee is absent, but was duly notified and invited to be present;
• if there is a particularly serious “specific risk or event”;
• if the review is authorised by a judge (this means having to prove a legitimate reason justifying not informing the employee).

When documents or emails are not marked as “personal” but contain information of a personal nature, the employer may open and review the data but may not use such documents or emails to justify applying disciplinary measures to the employee or use such documents or emails as evidence in court if they indeed relate to the employee’s private life.

Special attention must be given to employee representatives who must be entirely free to carry out their duties.

In light of the legal and case-law principles as outlined above:

• see question 7 regarding employee “physical inspections and inspections on the employee’s belongings”;
• regarding “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities also arises”, article 4 of the Workers’ Statute provides for:
  • the prohibition of the use of audiovisual equipment and instruments of “direct” remote control (ie, whose sole purpose is to verify the manner, quality and quantity of working performance (eg, a camera installed in an office to film employees’ working activities, without any other purpose));
  • the possibility of carrying out controls through audiovisual equipment and “indirect” remote instruments (ie, instruments that serve different needs (organisational, production, work safety or company assets’ protection), but which indirectly monitor working activities (eg, a camera installed in a warehouse to prevent theft, but which indirectly monitors the activity of warehouse workers), which may only be installed with a trade union agreement (or National Labour Inspectorate authorisation);
  • the possibility of carrying out checks using working tools in the employee’s possession (e.g., PCs, tablets, mobile phones, e-mail), which may be carried out even in the absence of any trade union agreement, provided that the employee is given adequate information on how to use the tools and how checks may be carried out on their use (according to privacy law strictly related to the employment relationship).

Furthermore, based on case law, the employer can carry out so-called defensive controls (ie, actions carried out in the absence of the guarantees provided for in article 4, to protect the company and its assets from any unlawful conduct by employees). These “defensive controls” can be carried out if:

• they are intended to determine unlawful behaviour by the employee (ie, not simply to verify his or her working performance);
• there is a “well-founded suspicion” that an offence has been committed;
• they take place after the conduct complained of has been committed; and
• adequate precautions are nevertheless put in place to guarantee a proper balancing between the need to protect company assets and safeguarding the dignity and privacy of the employee.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]