Can Employers Monitor Employees’ Internet Browsing?
The employer cannot monitor employees’ internet browsing. The Garante Privacy (Italian Data Protection Authority) has prohibited a company from using data relating to an employee’s internet browsing after the worker accessed the internet from a company computer without authorization. Having examined the computer’s data, the employer accused the employee of visiting religious, political, and pornographic websites and provided a detailed list.
According to the Garante Privacy’s ruling, to contest the improper use of company resources it would have been sufficient to verify internet access and connection times without investigating the content of the websites. In short, other types of checks would have been proportionate for verifying the employee’s behavior.
“Spying on workers’ computer use and internet browsing is not allowed,” commented Mauro Paissan, a member of the Garante Privacy and the author of the ruling.
“What is at stake are the freedom and confidentiality of communications and the guarantees provided by the Workers’ Statute. Additionally, it must be considered that simply detecting the websites visited can reveal highly sensitive personal information: religious beliefs, political opinions, membership in parties, unions, or associations, health conditions, and even information about sexual life.”
In the case brought before the Garante, after an initial unanswered request to the company, the worker filed a complaint challenging the employer’s actions.
The company had included in the disciplinary notice sent to the worker (later dismissed) several pages of temporary files and cookies originating from the employee’s internet browsing during work sessions initiated with the employee’s password. These pages, copied directly from the employee’s directory, revealed sensitive information the company could not lawfully collect without first informing the worker.
While the data was collected during computer checks aimed at verifying misconduct, sensitive information (e.g., religious beliefs or political and union opinions) could only be processed by the employer without consent if necessary to assert or defend a right in court. Such necessity was not demonstrated in the proceedings.
The processing of data related to health and sexual life was also deemed unlawful. According to the Privacy Code, this type of processing is allowed without consent only when necessary to defend a personality right or another fundamental right in court. However, in this case, the company was asserting rights linked to the employment relationship.
Background and Legal Framework
This case, one of many examples of violations of employee privacy, dates back to February 14, 2006.
Since then, regulations on remote monitoring of equipment and work tools, aimed at protecting company assets, productivity needs, and workplace safety (Article 4 of the Workers’ Statute), have undergone significant changes.
Under Legislative Decree 151/2015 (part of the Jobs Act):
- The general ban on using audiovisual systems or similar devices to monitor employees has been abolished.
- Defensive monitoring (though limited) has been legitimized.
- Monitoring through devices used by employees (e.g., computers, tablets, or smartphones) or access and attendance recording systems (e.g., badges) has been authorized.
Limits on Monitoring Activities
These changes, however, do not authorize indiscriminate monitoring of employees. Specifically:
- Monitoring must use only the normal functionalities of the devices provided to employees for work purposes.
- The installation of software specifically designed to monitor employees is not permitted.
- Data collected must be used solely for work-related purposes, and the employee must be informed through an appropriate notice.
The Decree protects workers from the risk that employers might examine or even print the content of internet searches conducted on their work computers (as in the case above). However, it allows monitoring to ensure the proper performance of assigned tasks.
Employer Rights and Obligations
The regulation grants employers the right to:
- Verify that employees are performing their assigned duties.
- Use data collected lawfully to take disciplinary measures if necessary.
At the same time, employers must:
- Ensure transparency by informing employees of monitoring activities.
- Limit monitoring to what is strictly necessary and proportionate.
- Avoid investigating personal or sensitive information irrelevant to the employment relationship.