The Italian Data Protection Authority (Garante per la protezione dei dati personali) fined the Lombardy Region 50,000 euros for breaching data protection rules in the processing of employees' data, including in remote-working arrangements. The decision followed a cycle of inspections the authority carried out to verify compliance with the applicable privacy regulations.
The inspections found that the Lombardy Region was collecting and retaining internet browsing logs, which record the websites employees visited, including failed attempts to reach sites on a specific blacklist. This was done without first concluding a collective agreement with the union representatives and without adopting adequate safeguards for workers. Such logs gave the employer access to information that concerns not work activity but private aspects of employees' lives: a blocked request still records which site the employee tried to reach, and who tried.
In addition, no agreement had initially been signed for the processing of employees' email metadata. The authority noted, however, that even before it adopted its Guide on Metadata, the Region had already begun a compliance process that took into account the recommendations the authority had issued over time in similar cases.
While acknowledging the steps the Region took during the investigation to bring its processing operations into compliance with privacy regulations, the DPA ordered a series of corrective measures in addition to the administrative fine. These measures include anonymising the log entries for failed attempts to reach sites on the blacklist, encrypting the records that link employee names to the laptops assigned to them, and shortening the retention period of such data.
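The three corrective measures translate directly into a log-processing pipeline, and the following is an added example of one (written for this page; it is not the Region's system nor anything published by the Garante). The key=value proxy log format, the field names, the sample lines, the 90-day retention window and the pseudonymisation key are all assumptions chosen for illustration. Blocked attempts lose every identifying field and keep only a day-granular timestamp and the destination host; the remaining entries carry a keyed-HMAC pseudonym in place of the username, which stands in here for the encryption of the employee/laptop assignment, the idea being that only the key holder, through a separately stored mapping, can link a record back to a person.

```python
"""Proxy-log minimisation along the lines of the DPA's corrective measures.
Log format, field names, sample data, key and retention period are assumptions
for illustration; this is not the Region's actual system."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in an assumed key=value proxy format (not real logs).
SAMPLE_LOG = [
    "2023-12-15T09:00:00Z user=mrossi laptop=LT-0412 host=intranet.example.org action=ALLOW",
    "2024-03-01T08:16:45Z user=mrossi laptop=LT-0412 host=social.example.com action=BLOCK",
    "2024-04-20T12:03:11Z user=gbianchi laptop=LT-0077 host=gambling.example.net action=BLOCK",
    "2024-04-20T12:04:00Z user=gbianchi laptop=LT-0077 host=hr.example.org action=ALLOW",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"laptop=(?P<laptop>\S+) host=(?P<host>\S+) action=(?P<action>ALLOW|BLOCK)$"
)
RETENTION = timedelta(days=90)                    # assumed retention window
PSEUDONYM_KEY = b"hypothetical-key-held-by-dpo"   # assumed; in practice from a KMS/HSM
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)   # fixed "current time" for the sample run


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; reject anything that does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return e


def pseudonymise(value: str) -> str:
    """Keyed-HMAC pseudonym: the log alone no longer names the employee; only the key
    holder, via a separately stored mapping, can link it back. Used here in place of
    encrypting the employee/laptop assignment table."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_blocked(e: dict) -> dict:
    """A failed attempt to reach a blacklisted site reveals private interests, not work.
    Drop every field that identifies a person or a device and coarsen the timestamp to
    the day, so the record can still feed per-host statistics but cannot be traced
    back to an employee. ALLOW entries are returned unchanged."""
    if e["action"] != "BLOCK":
        return e
    out = dict(e)
    out["user"] = None
    out["laptop"] = None
    out["ts"] = e["ts"].replace(hour=0, minute=0, second=0)
    return out


def within_retention(e: dict, now: datetime) -> bool:
    """True if the entry is still inside the retention window relative to `now`."""
    return now - e["ts"] <= RETENTION


def process_log(lines, now: datetime) -> list:
    """Apply retention, anonymisation of blocked attempts and pseudonymisation of the
    username that remains on allowed entries, in that order."""
    kept = []
    for line in lines:
        e = parse_line(line)
        if not within_retention(e, now):
            continue                     # past the retention window: not kept at all
        e = anonymise_blocked(e)
        if e["user"] is not None:
            e["user"] = pseudonymise(e["user"])
        kept.append(e)
    return kept


def blocked_hosts(entries) -> dict:
    """The statistic a security team actually needs from blocked traffic: blocks per host."""
    counts = {}
    for e in entries:
        if e["action"] == "BLOCK":
            counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts


def process_sample() -> list:
    """Run the pipeline over the constructed sample at the fixed NOW."""
    return process_log(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    entries = process_sample()
    for e in entries:
        print(e)
    print(blocked_hosts(entries))
```

Run as written, the December entry is discarded by retention, the two BLOCK entries come out with no user or laptop and a midnight timestamp, and the remaining ALLOW entry keeps its laptop ID but carries a pseudonym instead of "gbianchi"; `blocked_hosts` still reports one block each for the two blacklisted destinations, which is the information the blocking policy legitimately needs.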

