Hidden recording of a business meeting and unlawful personal data processing

With sentence no. 2286 of December 2nd 2021, the Court of Venice confirmed that conversations recorded in the workplace are subjected to the regulation provided by the UE Reg. 2016/679 (so called GDPR).

By overturing the previous decision made by the Italian Data Protection Authority, the Court stated that storing for years the recording of a business meeting and giving it to other colleagues constitutes an unlawful processing of persona data.

The case examined by the Court concerned the recording in secret of a business meeting carried out by an employee and then given to other two colleagues, who were not present at the meeting. Two years after the meeting, the two colleagues engaged a litigation against the company and, in the context of the labor case, used the recording they were in possession of.

After having found out they had been recorded without their knowledge, those who attended the business meeting addressed the Italian Data Protection Authority (DPA), reporting the conduct of the colleague author of the recording and the conduct of the other two colleagues, that had used in judgment a copy of the recording.

Nevertheless, considering that the recording was registered for “strictly personal” purposes and that, therefore, this processing was not subjected to the provisions contained in the GDPR regarding personal data, the Italian DPA did not find any offence.

Against the decision of the Italian DPA, an opposition was presented before the Court of Venice, which instead declared the unlawfulness of the reported conducts, expressly recognizing the application of the GDPR even in the case under exam.

As a matter of facts, the Court recalled that the inapplicability of the GDPR to the data processing carried out “to exercise activities of an exclusively personal or domestic nature” concerns only processing having no connection with the professional activity. On the contrary, in the case of the recording of a business meeting, the GDPR is of course applicable because it is not an activity pertaining to a strictly private and familiar context.

After affirming the applicability of the GDPR, the Court excluded the legitimacy of the storage and transfer of the business recording.

As a matter of fact, as already stated in other cases, to consider a hidden business recording as lawful it is necessary that the recording is made to protect one’s position in the workplace, or to pre-constitute a means of proof, but always on the condition that such recording is pertinent and proportionate to the defensive needs of the worker.

On the contrary, in the case under exam, the employee making the recording did not have any defensive need towards the employer, not even potential, given that at the time of the business meeting there was not any contentious context that involved or prejudiced him. Such recording, instead, was saved and transferred in order to be used “at the right time”, that is after two years and by two colleagues involved in their personal contention with the company, but not present in the meeting itself.

The Court, therefore, considered the conducts of each of the three employees an unlawful processing of personal data, both because there was not a defensive need that justified the processing, and because the data was archived for a time period which was not strictly necessary to the defense.

Ilaria Feriti