The Italian Data Protection Authority (IDPA) is increasingly faced with issues relating to the ways employers may monitor the Internet usage of its employees. In 2016, the Authority handed down two important decisions on this topic.

In the first decision, the IDPA stated that an Italian University (the University of Chieti and Pescara) was acting unlawfully in the way that it used e-mails to trace the identity of Internet users. This University, without having given any prior warning to its employees, implemented a system that retained information regarding personal Internet access, for the purpose of service monitoring, internal security and for the prevention of possible investigative inquiries by the Authorities. In essence, the policy, which controls, filters and monitors information on Internet data, enabled the employer to indiscriminately monitor employees from a distance. The IDPA’s decision was based on the argument that this policy breached the relevant principles of “actual need and proportionality of the treatment”. The IDPA considered that the policy was not in accordance with the law because it did not refer to tools used by the employees in performing their duties and had not been previously communicated to the employees.