The Italian Data Protection Authority has issued its opinion on the data protection implications of the new information duties imposed on employers by legislative decree 104/2022.
On August 13, 2022, legislative decree 104/2022 (“Transparency Act”) entered into force. It provides for a new set of mandatory information that the employer must communicate to its employees at the time of their onboarding. On January 24, 2023, the Italian Data Protection Authority (“Garante”) issued its opinion on the compliance of these new information duties with the relevant data protection legislation.
In particular, the Garante focused on the mandatory communication that, according to section 4, paragraph 8 of the Transparency Act, the employer must give to the employees if any “decision or monitoring automated system is used for the sake of providing information which is relevant for the hiring, management or termination of the employment relationship, for the assignment of tasks and duties, or for the surveillance, evaluation and fulfillment of contractual duties by the employee”. The Garante has stated that:
- GDPR sanctions apply in case of breach. The implementation of any decision or monitoring automated system must comply with, and stay within the limits set forth by, the applicable labor law provisions, and in particular law 300/1970. Such labor law provisions, which allow the implementation of automated systems only if certain conditions occur, must be deemed as providing “more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context” (as per section 88, paragraph 2, of the GDPR), and thus non-compliance with them may lead to administrative fines pursuant to section 83 of the GDPR.
- Data Processing Impact Analysis (“DPIA”). The employer, who is subject to the duty of accountability, must assess beforehand whether the relevant processing is likely to result “in a high risk to the rights and freedoms of natural persons”, and thus requires a preliminary data processing impact analysis under section 35 of the GDPR. In this regard, the Garante has clarified that the data subjects (i.e., employees) should be deemed “vulnerable”, and that the processing of their data with automated systems is very likely to meet the conditions that make the DPIA mandatory according to the guidelines on the DPIA issued by the WP 29 on April 4, 2017.
- Compliance with the “privacy by default” and “privacy by design” principles. Employers must implement appropriate technical and organizational measures and integrate the necessary safeguards into the processing so as to protect the rights of data subjects (privacy by design). Moreover, the controller shall ensure that, by default, only personal data which are necessary for the specific purpose of the processing are processed (privacy by default), and should therefore refrain from collecting personal data that are not strictly related to the specific purpose of the relevant processing.
- Update of the register of processing activities (“ROPA”). The employer must record the processing of data through automated systems in its ROPA.
Need any further assistance on the matter? Don’t hesitate to reach out to us!
The second issue of our summer series focuses on the recent decision by the Italian Data Protection Authority, which affects all users of the Google Analytics services in Italy, as well as other similar services that entail the transfer of users’ personal data to the United States.
Read our slides to understand what actions are available to you.
As the vaccine campaign continues with few certainties and many unknowns, several interesting questions regarding the protection and processing of vaccine-related data are starting to arise.
One of these came to the attention of the Italian Data Protection Authority (“Authority”) and concerns the legitimacy of vaccine-tracking instruments such as electronic passes or apps. These instruments – yet to be discussed officially by the Italian Parliament – would allow only vaccinated individuals to access certain areas (airports, cinemas, restaurants) and services (public transport, circulation in general). The Authority has underlined, through a memo dated March 1, 2021, that such tools should not be considered legitimate from a data protection standpoint unless a national law regulates the whole subject matter. In fact, inappropriate processing of vaccine-related data – according to the Authority – may have extremely dangerous consequences in terms of the risk of discrimination and unjustified compression of constitutional freedoms. Given the non-mandatory nature of the vaccines themselves – as recalled by the Resolution of the Parliamentary Assembly of the Council of Europe of January 27 – it would be unreasonable, in fact, to punish those who freely decide not to get vaccinated by denying them access to almost all public spaces and services. Considering that such a balance between public needs and individual freedoms can (and must) only be struck by the national legislator, also to avoid fragmented rules, the Authority submitted a notice to the Italian Parliament to promptly address the matter.
The issue is relevant also at the European level: the official proposal for the “Green Pass” is expected to be unveiled on March 17, 2021. This Pass – according to the remarks by the President of the European Commission Ursula von der Leyen – should essentially be a European passport including information on vaccination and, for those who are not vaccinated, the results of Covid-19 tests. Such an instrument would hopefully facilitate international mobility. It remains to be seen whether European countries will reach consensus on the matter, as some of them (France and Belgium, among others) have already pointed out the unfairness of a mechanism that would facilitate the mobility only of those who are vaccinated, to the detriment of others.
Another related issue which the Authority has addressed, with FAQs on its website, concerns the processing of vaccination-related data in the workplace. In particular, the employer is not entitled to access information on whether his/her employees are vaccinated or not, since the competent doctor is the only person entitled to process and assess data concerning vaccination. Even if an employee, because he/she is not vaccinated, must be considered unsuitable for specific duties (for example in the healthcare sector, where vaccinated workers would be preferable), the employer will only be able to access the information on the total or partial unsuitability, while only the competent doctor will be able to process information regarding the vaccination of individual employees.
The need for the national legislator to step in and address these matters seems quite evident.
Unless you are exclusively devoting this lockdown to following webinars on the Schrems II decision (there is an impressive offering out there), you may have missed a couple of interesting developments in the area of data protection:
- the European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which can be found here. In short, the EDPB sets forth a to-do list for data controllers exporting data, composed of 6 steps:
  1. map your transfers outside the EU;
  2. verify the transfer tool you are using;
  3. assess the law or practice of the country of destination (refer to the EDPB European Essential Guarantees recommendation);
  4. identify and adopt supplementary measures;
  5. take any formal step needed to introduce the supplementary measures; and
  6. re-evaluate periodically.
- The Italian Data Protection Authority is increasingly worried by the threats to privacy posed by apps (not just TikTok). It has issued a presentation to warn users about the use and misuse of personal data by various apps.
The Italian Data Protection Authority has recently reiterated what to do when an employee leaves the company, i.e.:
- Close down email accounts attributable to the former employee;
- Adopt automatic response systems indicating alternative addresses to those who contact the mailbox; and
- Introduce technical measures to prevent the display of incoming messages to unauthorized subjects.
The automatic forwarding of emails to colleagues of the former employee amounts to a breach of data protection principles, which require the employer to protect the confidentiality even of the former worker.
In the case decided by the Authority, the e-mail account had remained active for over a year and a half after the end of the employment relationship and was deleted only after a formal complaint filed by the worker.
Our life sciences team at Gitti and Partners wishes you a relaxing Christmas break and a 2020 full of happy innovation, useful technology and interesting legal developments!
There are a few interesting developments in the area of data protection that you may have missed and we can recap for you:
- CONDITIONS TO PROCESS CERTAIN DATA ISSUED BY THE ITALIAN DATA PROTECTION AUTHORITY. According to section 9, paragraph 4 of the GDPR, Member States are entitled to introduce additional conditions for the processing of genetic, biometric or health data. On July 29, 2019 the final version of such conditions, issued by the Italian Data Protection Authority, was published in the Official Journal. These conditions apply to the processing of data (i) in employment relationships, (ii) by associations, (iii) by private investigators, (iv) that are genetic, or (v) for purposes of scientific research.
- RIGHT TO BE FORGOTTEN. On September 24, 2019 the European Court of Justice issued a judgment on the right to be forgotten in case C‑507/17 against Google Inc. The Court ruled that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” While the right to be forgotten must be enforced in all Member States, there is no obligation to do so in all national versions of the search engine. The Court, however, added that a supervisory or judicial authority, after balancing all the rights concerned, would be able to order de-referencing on all versions of the search engine worldwide, since while “EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.” Given the reaction to the judgment by the Chairperson of the Italian Garante (the data protection authority), Mr. Antonello Soro, it cannot be excluded that the Garante may issue a universal, rather than EU-wide, de-referencing order.
- PROCESSING FOR “OWN PURPOSES”. A med-tech company has been sanctioned for having used patient data (medical scans), in anonymized form, in a public tender process and in subsequent litigation. The company had been appointed by the hospital as a data processor but, the Garante ruled, had further processed such patient data for its own purpose rather than for the purposes mandated by the data controller (i.e., maintenance of the equipment generating the patients’ scans).
- AGAIN ON THE RIGHT TO BE FORGOTTEN. In a decision dated July 24, 2019, the Italian Garante ordered Google LLC to de-reference from its search engine news about criminal acts committed in 2007 for which an individual, without any public role, had been convicted, but who had since been fully rehabilitated.
- CONSUMER CREDIT CODE OF CONDUCT. On September 19, 2019 the Italian Garante approved a new code of conduct for companies operating in the areas of consumer credit, creditworthiness analysis and payment punctuality.