Compliance with the applicable law and the protection of personal data in the labour scenario.
The Data Protection Regulation (EU) 2016/679, which entered into force four years ago, guarantees an equivalent level of personal data protection, rights and freedoms for natural persons across Member States. The Regulation introduced new obligations and principles to protect the exchange of personal data and provide greater legal certainty. This means data controllers must comply with the Regulation to avoid its heavy fines.
What is the right to privacy?
The “right to privacy”, originated in the United States in 1890 as “the right to be left alone“, was developed in Italy as the right to free determination in personality development.
The first European references to privacy are found in the “European Convention on Human Rights” (the “Convention”) signed in 1950 by the Council of Europe to protect human rights and fundamental freedoms. The Convention forbids, public authority interference with an individual’s rights to individual freedom, respect for private and family life, home and correspondence (see Art. 8, paragraph 1). The only exceptions permitted by law (see Art. 8, paragraph 2) are measures necessary for:
- national security,
- public order,
- the country’s economic well-being,
- the prevention of criminal offences,
- the protection of health or morals, or
- the protection of the rights and freedoms of others.
The “personal data protection right” was extended in later international agreements and is a recognised fundamental individual right under Article 8 of the Charter of Fundamental Rights of the European Union.
This Article states that:
- “Everyone has the right to the protection of their personal data.
- Such data must be processed fairly, for specified purposes and based on the data subject consent or some other legitimate legal basis. Everyone has the right to access their collected data and have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.”
The expression “personal data protection right” means the right granted to the individual to choose to whom they wish to disclose their information and its processing method, since personal data helps identify an individual. On the contrary, the “right to privacy” was created to exclude and distance third parties from the personal sphere.
Checking compliance and correct application of what is provided for by the applicable regulations is entrusted to the independent Authorities present in each Member State, which assume the role of Guarantor Authorities for the protection of personal data (in Italy, the “Garante per la protezione dei dati personali”).
- Current regulatory framework
- Parties involved in personal data processing
- Personal data protection general principles
- Processing legal bases
- Accountability
- Impact assessment
- Processing register
- Personal data breaches and security measures to protect it
- Information to be provided and rights granted to data subjects
- Protecting personal data in employment
- Training and education
Current regulatory framework
The current regulatory framework for the protection of personal data includes:
- Regulation (EU) 2016/679 on the protection of personal data (the “Regulation“, or “General Data Protection Regulation“, the “GDPR“) or
- Legislative Decree no. 30 June 2003, no. 196 as amended by Legislative Decree no. 101/2018 laying down rules to coordinate national law with the Regulation (the “Privacy Code“, and together with the Regulation, the “Privacy Legislation“).
The Regulation:
- lays down the rules on the protection of individuals for personal data processing or the rules on the free movement of such data;
- protects individuals’ fundamental rights and freedoms, particularly the right to the protection of their personal data;
- protects the right to free movement of personal data within the European Union, a right which may not be restricted or prohibited on grounds for the protection of individuals for personal data processing;
- applies to personal data whole or partial electronic processing, or using other means intended to be contained in a filing system (see Article 2, point 1).
The Privacy Code must be interpreted based on the Regulation; Art. 22, paragraph 1), states that “this decree and the national law provisions shall be interpreted and applied considering the European Union rules on personal data protection and shall ensure the free movement of personal data among Member States under Art. 1, paragraph 3) of Regulation (EU) 2016/679.” In the same explanatory report of the Decree when talking about Art. 22, paragraph 1, it highlights that it “contains (…) a general interpretative clause, which requires to interpret and apply this decree and the remaining national rules based on European rules on the protection of personal data.”
Measures, decisions, opinions and orders issued by the Data Protection Authority are a fundamental support for a correct and consistent legislation application/interpretation on the protection of personal data.
This topic includes the rulings of the European Data Protection Board (or EDPB, see Articles 68 – 76 of the Regulation, which replaced the Working Party “Article 29”, which was operational until 25 May 2018). The Board was tasked with ensuring that the rules on the protection of personal data were applied consistently across the Member States. The EDPB acts as an EU independent body, and
- provides general guidance through the adoption of guidelines, recommendations and best practices;
- advises the European Commission on the protection of personal data and regulatory proposals in the European Union;
- adopts tools for cross-border data protection transfers; and
- promotes cooperation and effective exchange of information and best practices between national supervisory authorities.
Parties involved in personal data processing
The parties involved in the processing of personal data are:
- data controller and joint controllers;
- data processor;
- Individuals authorised to process personal data;
- data protection officer; and
- representative.
Let us briefly analyse each role.
in Art. 4, paragraph 1, no. 7, the Regulation, defines data controller as “the individual or legal person, public authority, agency or other body which alone or with others defines the personal data processing purposes and methods; where the purposes and methods of such processing are determined by EU or Member State law, the controller or the criteria applicable to their designation may be determined by EU or Member State law.”
Where two or more data controllers determine the processing purposes and methods, they are referred to as joint controllers (see Art. 26 of the GDPR). Joint control must be governed by an internal agreement where the respective responsibilities for compliance with the Regulation are defined transparently.
The data controller differs from the processor, i.e. “the individual or legal person, public authority, service or other body that processes personal data on behalf of the controller” (see Art. 4, paragraph 1, no. 8 of the Regulation). The data processor may appoint sub-processors under certain conditions (see Art. 28 of the Regulation).
The data controller or processor may assign processing operations to designated and instructed individuals acting under their authority (see Art. 29 of the GDPR and 2-quaterdecesies of Legislative Decree no. 101/2018), parties authorised to process data.
The Regulation introduced two new roles:
- representative, i.e., “the individual or legal person established in the EU who, designated by the data controller or processor in writing (…), represents them for their respective obligations under this Regulation” (see Art. 4, paragraph 1, no. 17) and
- Data Protection Officer (DPO): a person, working alongside the data controller or processor, who assesses and organises the personal data processing management (see Art. 37).
The data subject is an individual to whom the processed data relates (see Art. 4, paragraph 1, no. 1, of the GDPR).
Processing means “any operation or set of operations performed upon personal data or sets of personal data, including by electronic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparing or association, restriction, erasure or destruction (see Art. 4, paragraph 1, no. 2, of the GDPR).
Personal data is the information that directly or indirectly identifies or enables identification of any individual and reveals their features, habits, lifestyle, personal relationships, etc. According to the Data Protection Authority, the following is important:
- data allowing direct identification – such as personal data (e.g.: name and surname), images – and data allowing indirect identification, such as an identification number (e.g.: tax code, IP address, plate number);
- data falling into special categories (“sensitive” data), i.e., data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, and data concerning health or sex life, genetic, biometric data and data concerning sexual orientation (see Art. 9 of the Regulation);
- data on criminal convictions and offences (“judicial” data), i.e., data which may reveal the existence of certain judicial measures subject to registration in the criminal record or the status of defendant or suspect, and data on criminal convictions and offences or related security measures (see Art. 10 of the Regulation).
With new technologies, in the opinion of the Data Protection Authority, other personal data has taken on a significant role, such as data on electronic communications (via Internet or telephone) and that allowing geolocation, providing information on places visited and movements.
Personal data protection general principles
Any personal data processing must comply with the principles laid down in Art. 5 of the Regulation. Personal data must be:
- processed lawfully, fairly and transparently towards the data subject (“lawfulness, fairness and transparency“);
- collected for specified, explicit and legitimate purposes, and processed so that any further processing is compatible with the purposes for which the data was collected (“purpose restriction”);
- adequate, relevant and limited to what is necessary for the purposes for which it is processed (“data minimisation”);
- accurate and, where necessary, updated. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay, for the purposes for which it is processed (“accuracy“);
- kept in a format which permits identification of data subjects for no longer than the time necessary for the purposes for which data is processed. Personal data may be kept for longer periods if it is processed solely for archiving in the public interest, scientific or historical research or statistical purposes (“storage limitation”);
- processed to ensure data security, including protection using technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality”).
Processing legal bases
Under Art. 6 of the Regulation, personal data processing is lawful only if one of the following conditions applies (“legal bases”):
- the data subject has consented to the processing of their personal data for specific purposes;
- it is necessary to implement a contract to which the data subject is a party or carry out pre-contractual measures taken at the data subject’s request;
- it is necessary for compliance with a legal obligation to which the data controller is subject;
- it is necessary to protect the vital interests of the data subject or another individual;
- it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- it is necessary to pursue the legitimate interests of the data controller or third party, provided that the interests or fundamental rights and freedoms of the data subject which require personal data protection, particularly when the data subject is a child, are not overridden.
Processing special categories of data is prohibited, unless (see Art. 9 of the Regulation):
- the data subject has not given their consent;
- the processing is not carried out by a foundation, association or other non-profit organisation pursuing political, philosophical, religious or trade-union aims;
- the processing does not relate to personal data which is manifestly made public by the data subject;
- processing is not necessary for (a) fulfilling the obligations and exercising the specific data controller or data subject rights in the field of employment and social security law and social protection; (b) protecting a vital interest of the data subject or another individual where the data subject is physically or legally incapable of giving their consent; (c) establishing, exercising or defending a legal claim in court or whenever the courts exercise their judicial functions; (d) reasons of significant public interest based on EU or Member State law; (e) for preventive or occupational medicine, assessment of the employee’s ability to work, diagnosis, health or social care or treatment or management of health or social care systems and services; (f) reasons of public interest for public health; (g) for archiving in the public interest, scientific or historical research or statistical purposes.
Accountability
The Regulation emphasises the principle of data controller and processor “accountability“, consisting in the adoption of proactive behaviour to demonstrate the practical adoption of technical and organisational measures to ensure the Regulation application (see Art. 23-25).
The accountability principle is one of the main innovations introduced by the Regulation. The data controller/processor is entrusted with the task of deciding, independently, the personal data processing methods, guarantees and limits, under the law and the Regulation’s criteria.
The most important criterion is “data protection by default and design” (see Art. 25 of the GDPR), i.e., the need to configure the processing by providing, from the beginning, the essential safeguards “to meet regulatory requirements” and protect data subject rights. This must consider the general framework in which the processing takes place and the risks for data subject rights and freedoms. as the Data Protection Authority pointed out:
- This must take place before data processing (“when defining processing methods and during processing“, as stated in Art. 25, paragraph 1 of the Regulation) and
- requires prior analysis and enforcement efforts by the data controller, i.e., undertaking specific and demonstrable measures.
Impact assessment
““When processing involves using new technologies, considering the processing nature, subject matter, framework and purposes, this is likely to present a high risk to the rights and freedoms of individuals. In this case, before processing, the controller shall carry out a processing impact assessment for the protection of personal data. […].” This is established in the first paragraph of Art. 35 of the Regulation on “Impact Assessment“. (or, Data Protection Impact Assessment – DPIA).
The Impact Assessment is a description of one or more processing operations to assess the need, proportionality and risks, to enable appropriate measures to be taken.
The Guidelines of WP-29 [now EDPB, on this see point 1 above]:
- specify the cases in which the Impact Assessment is mandatory (i.e., for systematic monitoring (see video surveillance) or for innovative uses or application of new technological or organisational solutions (see facial recognition, IoT devices, etc.);
- identify who should carry the DPIA out: the responsibility lies with the data controller, but its preparation may be entrusted to another party, whether internal or external to the organisation;
- describe the Impact Assessment and highlight the need for a continuous updating process.
Processing register
Art. 30 of the Regulation, among the main data controller and processor obligations, includes keeping a “Processing Register.”
The Processing Register is a document containing the main information (specified in the same article and any other information that may be useful) for the processing carried out by the data controller and, if appointed, the data processor (see FAQ made available by the Data Protection Authority on its official website on 8 October 2018).
The Data Protection Authority considers the Processing Register “one of the main elements of data controller accountability, as it is a suitable tool to provide an updated picture of the processing operations within its organisation, which is indispensable for any preliminary risk assessment or analysis.”
The Processing Register, according to the Data Protection Authority, must:
- be written or electronic media which can be produced on request;
- be kept updated, since its content must correspond to the processing. Any change or amendment must be immediately recorded in the Register, and previous versions archived.
Under Art. Under Article 30 of the Regulation, companies with less than 250 employees do not need a processing register “unless the processing is likely to present a risk to the rights and freedoms of data subjects, the processing is not occasional or includes special categories of data referred to in Article 9, paragraph 1) or personal data relating to criminal convictions and offences referred to in Article 10.” The Data Protection Authority in its FAQs recommends its drafting since it is “a tool that provides full knowledge of the type of processing, is a simple and accessible way to enforce the accountability principle, and cooperatively facilitates the Data Protection Authority control.”
Personal data breaches and security measures to protect it
A data breach is “a security breach that results from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or processed” (see Art. 4, of the Regulation).
A personal data breach ( (“data breach“) may compromise data confidentiality, integrity or availability. Examples of a Data Breach may be (i) theft or loss of computer devices containing personal data or (ii) the inability to access data due to accidental causes or external attacks, viruses, malware.
If the data controller suffers such an infringement – without undue delay within 72 hours of the breach – it must notify the Data Protection Authority, unless it is unlikely that the infringement will result in a risk to individuals’ rights and freedoms. If the breach is suffered by the data processor, they must promptly inform the data controller so that they can act within the time limits prescribed by the Regulation (see Art. 33, paragraphs 1) and 2) of the Regulation).
According to the Data Protection Authority, the breaches to be notified are those that may have significant adverse effects on individuals, causing physical, material or immaterial harm.
The Data Protection Authority clarified that notifications made after the 72-hour deadline must be accompanied by the reasons for the delay. As of 1 July 2021, notifications of breaches to the Data Protection Authority must be made under an online procedure available on the official website.
Regardless of whether it notifies the Data Protection Authority, the data controller must document any personal data breach it has suffered (including the circumstances surrounding it, its consequences, and the measures taken) in a register (see Art. 33, paragraph 1 of the Regulation).
If the breach is likely to have a high risk for data subjects’ fundamental rights and freedoms, the controller must inform them, “without undue delay”, using the most appropriate channels so that the information reaches and is understood by them (Art. 34, paragraph 1 of the Regulation).
Article 32 of the Regulation requires the data controller to ensure a level of security appropriate to the risk when implementing technical and organisational measures, and must consider, “the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of the processing systems and services”’ and “the ability to restore personal data availability and access quickly if there is a physical or technical incident.”
Under the new legislation, there is no longer a generalised obligation to adopt “minimum” security measures. Art. 32 of the Regulation contains an open list of measures, and the expression “among others, where appropriate” is used.
The data controller or processor must assess the adopted measures “considering the state of the art and the cost of their implementation, the processing nature, subject-matter, framework and purposes and the risks of varying degrees of portability and severity for the rights and freedoms of individuals” (see Art. 32, paragraph 1 of the Regulation).
Compliance with specific codes of conduct or certification systems may be used to certify the adequacy of the measures taken (see Art. 32, paragraph 4 of the Regulation).
A code of conduct is a reference tool to apply the Regulation according to the reference sector and guarantees the data controllers and processors the effective, consistent application of the legislation, and correct balancing of interests among the parties.
To date, the Data Protection Authority has approved codes of conduct on (i) commercial information, (ii) credit information systems, and (iii) health, scientific research and anonymisation. As required by Art. 40, paragraph 6) of the Regulation, the approved codes of conduct are recorded and published in a register, the “Register of Codes of Conduct“, available on the Authority’s official website which, as specified by the Authority, refers to the Supervisory Body, to which each user may refer for the resolution of any complaints.
Information to be provided and rights granted to data subjects
Under the transparency principle, the data subject must receive from the data controller processing information before collecting their data.
If the data is collected from a third party, the information must be provided to the data subject within a reasonable time, not exceeding a month from the collection, or at the time of the data communication (see Art. 14, paragraph 3, of the Regulation).
Such information must be concise, transparent, intelligible and easily accessible, using simple and clear language. It may be provided in writing or by other means, including, electronic and, if requested by the data subject, orally, provided that the data subject’s identity is proved.
Under Articles 13 and 14 of the Regulation, the data controller must provide the data subject with the following information:
- its identity and contact details and, where applicable, those of its representative;
- if designated, the contact details of the Data Protection Officer (“DPO“)
- the data processing purposes and related legal basis;
- where the processing is necessary to pursue a legitimate interest, a specification of the legitimate interests pursued by the controller or third parties;
- personal data recipients or any categories of recipients;
- where applicable, its intention to transfer personal data to a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, the reference to appropriate or adequate safeguards and the means to obtain a copy of those safeguards or the place where they have been made available;
- the personal data retention period or, if this is impossible, the criteria used to determine that period;
- the existence of the data subject’s right to request personal data access, rectification, erasure or processing restriction or object to its processing, and data portability;
- the existence of the right to withdraw the consent where the processing is based on data subject consent, including for special categories of personal data, without prejudice to the lawfulness of the processing based on the consent given before withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a legal or contractual obligation or a necessary requirement for contract stipulation, and whether the data subject is under an obligation to provide personal data, and the possible consequences of failure to provide such data;
- the existence of an automated decision-making process, including profiling, and in such cases, meaningful information on the logic used, and the importance and consequences of such processing for the data subject.
As a further form of protection, the Regulation grants data subjects rights that they can exercise against the data controller. These include the right to:
- withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing based on the consent before withdrawal (“Right to withdraw consent“).
- obtain confirmation from the controller as to whether their data is being processed and obtain access (“Access Right“).
- obtain from the controller the rectification of inaccurate personal data without undue delay. Considering the processing purposes, the data subject has the right to obtain the integration of incomplete personal data, by providing a supplementary declaration (“Rectification Right“).
- obtain from the data controller the erasure of their personal data without undue delay if one of the grounds set out in the provision applies (“Erasure Right“).
- Obtain from the data controller the processing restriction when one of the cases under the law applies (“Restriction Right“).
- based on personal reasons, object to the processing of their personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority or in pursuing a legitimate interest, including profiling based on such provisions (“Objection right“).
- (i) receive the personal data provided to the controller in a structured, commonly used and electronically readable format and (ii) transmit it to another controller, without hindrance from the first controller under the Regulation (“Portability Right“).
If the data subject considers that the processing of their data is in breach of the Regulation, they may lodge a complaint with a supervisory authority, in the Member State where they habitually reside or work or the place where the alleged breach has occurred, for Italy as identified above (“Complaint Right“).
Protecting personal data in employment
Article 88 of the Regulation “grants”’ each Member State the possibility to lay down additional specific rules by law or National Collective Bargaining Agreements (“CCNL”) to ensure the protection of the rights and freedoms relating to the processing of workers’ personal data. This is for the “purposes of recruiting, implementing the employment contract, including fulfilment of the obligations laid down by law or collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and to exercise and enjoy employment individual or collective rights and benefits, or its termination “.
Art. 88 states that such provisions must include “appropriate and specific measures to safeguard data subject human dignity, legitimate interests and fundamental rights, particularly for processing transparency, transfer of personal data within a group of undertakings or a group of undertakings carrying out a joint financial activity and workplace monitoring systems.”
Before the entry into force of the Regulation, the Data Protection Authority had issued Guidelines that defined, for the first time in a unitary framework, the measures and precautions to regulate the collection and use of personal data within the employment relationship (see the “Guidelines on personal data processing of private workers – 23 November 2006” [1364939]). These guidelines highlighted principles that are still valid, such as the employer’s obligation to process the personal data of employees exclusively for the purposes for which it was collected, the duty to expressly authorise and provide adequate instructions to anyone acting under its authority who accesses and processes personal data, which will be discussed below.
Within the management of the employment relationship, the employer must process personal identification and socio-demographic data and any data belonging to special categories [see point 2 above]. In the latter case, the employer must process using the “requirements for processing special categories of data, under Art. 21, paragraph 1, of Legislative Decree no. 10 August 2018, no. 101”, published in the Official Gazette General Series no. 176 of 29 July 2019. With this measure, the Data Protection Authority clarified the obligations that public or private entities, including employers, must follow to process special categories of personal data, such as information related to health, political opinions, ethnicity and sexual orientation.
These provisions relate to (i) the scope of application; (ii) data subjects; (iii) processing purposes for such category of data; (iv) specific requirements for the processing carried out in the pre-employment phase and (v) processing carried out during the employment relationship and (vi) specific processing methods requirements.
When to obtain the worker’s consent
Consent is one of the possible legal bases for personal data processing legitimacy, and the Regulation provides the following definition: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which the data subject signifies their assent provided by a statement or unambiguous affirmative action, to personal data processing” (see Art. 4, paragraph 11) of the Regulation).
The consent to be valid must be “free” and “revocable.” This concept is expressed by Recital no. 43 of the Regulation according to which: “To ensure the freedom of expression of consent, it should … not constitute a valid precondition for the processing of personal data in a specific case where there is an obvious imbalance between the data subject and controller […].”
Within the employment relationship, the worker’s consent cannot constitute a valid condition of lawfulness due to the imbalance of power between the parties. This has been repeatedly confirmed by the Working Party of European Data Protection Supervisors (formerly “WP29”, now “EDPB – European Data Protection Board“) with several Opinions/Guidelines, and by the Data Protection Authority. Recently, the Data Protection Authority has stated as much in its response to some FAQs on the lawfulness of the request for confirmation made by the employer to the worker about the anti-Covid-19 vaccination.
The worker may be required to give consent for purposes for which they can express their will in a “free, specific, informed and unequivocal manner.” For example, consent is a legal basis to be used when collecting and using images, photos or videos showing them at events/courses/seminars/meetings organised by the employer or where they participate. Any refusal to give consent does not affect the employment relationship or its management by the employer.
Remote working and personal data protection
Remote working. [see – Remote Working: a complete guide] has implications from the perspective of the protection and safeguarding of workers’ personal data and the data they process (e.g. customer or supplier data).
The “accountability principle” requires the data controller (i.e. the employer) to identify and manage the risks related to the processing, in compliance with the principles of data protection by design and by default.
The employer, by allowing the worker to perform their tasks in remote working outside the company premises and potentially, outside the home environment, must carry out a preliminary risk and impact assessment. This is done to (i) analyse the existing and potential risks, (ii) identify the appropriate technical and organisational security measures, and (iii) guarantee the protection of the processed data (see Article 35 of the Regulation). The employer must also provide the remoteworker with precise and complete instructions on the proper use of work tools. Such instructions may be provided through company regulations, policies or guidelines [see paragraph 10.3 below].
On 7 December 2021, the social partners and the Ministry of Labour and Social Policies signed the “National Protocol on remote working” (the “Protocol“).
The Protocol establishes the reference framework defining remote working by identifying guidelines for national, corporate and local collective bargaining in compliance with the legal framework set out in Law 22 May 2017, no. 81 and existing collective and individual agreements.
The Protocol emphasises the protection of personal data and confidentiality of workers and the data they process for professional purposes and for which the employer is the data controller or processor. [see – Remote Working: a complete guide]
Employer’s control and disciplinary power
The employer has the power to check that the worker performs their duties with diligence (Art. 2104, paragraph 1, of the Italian Civil Code), complies with the instructions given (Art. 2104, paragraph 2, of the Italian Civil Code), complies with the loyalty obligations (Art. 2105 of the Italian Civil Code), and to exercise its disciplinary power (Art. 2016 of the Italian Civil Code).
The employer’s power of control is not absolute but must not to infringe the worker’s fundamental rights, such as dignity and confidentiality. The Workers’ Statute has outlined the limits within which this power may be exercised, identifying the parties authorised to carry it out and the forms in which it may be exercised (remote and direct control).
Here we focus on remote control regulated by Art. 4 of the Workers’ Statute, according to which audio-visual equipment and other work tools “from which derives the possibility of remote control” may be used (paragraph 1):
- specific needs (organisational and production needs; safety at work and protection of company assets) and
- subject to trade union agreement or, alternatively, administrative authorisation.
The above does not apply to the tools used by the employee to perform work and those for recording access and attendance (see paragraph 2).
The information collected using the above equipment/tools may be used for employment relationship purposes, including disciplinary, provided that the employee has been given adequate information on the methods such equipment/tools are used, the controls carried out, and comply with the personal data protection rules (see paragraph 3).
The Data Protection Authority, in the “Guidelines on Internet and email in the public and private workplaces” [Web document 1387522] issued on 1 March 2007 and still valid, stated that “the workplace is a social unit where the protection of rights, fundamental freedoms, and dignity of those concerned must be ensured by guaranteeing the expression of the worker’s personality and a reasonable protection of their confidentiality in personal and professional relations, within a framework of reciprocal rights and duties.”
The Data Protection Authority stated that processing must be carried out using the following principles:
- necessity principle : information systems and computer programmes must be configured to minimise the use of personal and identification data;
- fairness principle : the essential processing features must be made known to workers. Information technology makes it possible to carry out processing operations in addition to those associated with work. This is done without the workers’ knowledge or full awareness, considering any potential applications, which may not be adequately known by data subjects.}
- Relevance and non-excessiveness principle : processing must be carried out for specified, explicit and legitimate purposes.
According to the Data Protection Authority, the employer must clearly specify the tools’ methods and how controls are implemented. This must consider the relevant applicable rules on information and consultation of trade unions.
In its guidelines, the Data Protection Authority recommended that employers adopt internal rules, to be publicised in ways similar to Art. 7 of the Workers’ Statute (e.g. by posting them in a place accessible to everyone), which should specify,
- whether certain behaviour is not tolerated when “surfing” the Internet or keeping files on the internal network;
- what information is temporarily stored (i.e., the components of any log files recorded) and who (including outsiders) has legitimate access;
- whether, and to what extent, information is stored for longer, using centralised methods (including as a result of backup copies, technical network management or log files);
- whether, and to what extent, the employer has the right to carry out checks under the law, even occasionally, stating the specific legitimate reasons for which they would be carried out and related methods;
- what consequences, including disciplinary, the employer may use if it finds that email and the Internet are being misused;
- the solutions to guarantee, with the worker’s cooperation, the work continuity in the worker’s absence (especially if scheduled), including automatic reply systems to email messages received.
Training and education
ThThe concepts of “training” and “education” about personal data protection are in the Regulation, which expressly provides as follows:
- “The data processor, or any person acting under their authority or under the authority of the controller, who has access to personal data shall not process such data unless they are instructed to do so by the controller […]” (Article 29 of the Regulation).
This provision is reconfirmed in the following Article 32, entitled “Processing security”, which states that:
- “The data controller and processor shall ensure that any person acting under their authority who has access to personal data does not process such data unless instructed to do so by the controller […]” (Article 32 of the Regulation).
The Regulation states that the Data Protection Officer (“DPO”) tasks include:
- “[…] awareness-raising and training of staff involved in the processing and related supervisory activities […]” (Article 39 of the Regulation).
It is necessary the employer:
- provide for training courses aimed at increasing specific technical, organisational and digital skills, for an effective and safe use of the work tools;
- encourage and incentivise continuous training of its employees on personal data protection.
This is to protect the personal data of employees and data acquired as a controller or processor (see customer or supplier data).
Case law and insights
Home working and Data Protection (Top Legal Focus Privacy & Data Protection, February 2021 – Vittorio De Luca, Elena Cannone) – De Luca & Partners (delucapartners.it)Employer controls, disciplinary measures and the right to confidentiality (Norme & Tributi Plus Diritto – Il Sole 24 Ore, 20 December 2021 – Alberto De Luca, Martina De Angeli)
Controls: company information found on former employee’s company PC can be used
DOWNLOAD NOW
Enter your email address to receive these contents in pdf format.