On 24 January 2023, the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the ‘Authority’) provided some interpretative and operational guidelines on data protection, which arose following the entry into force of Italian Legislative Decree of 27 June 2022, No 104 (also known as the ‘Transparency Decree’).
As is well-known, Article 1-bis of the Transparency Decree identified specific information obligations in the event of use of automated decision-making or monitoring tools, used to provide information (i) relevant for the purposes of recruitment or assignment, management or termination of the employment relationship, assignment of tasks or duties, or (ii) affecting the monitoring, assessment, performance and fulfilment of the contractual obligations of workers.
In this context, by means of the clarification under consideration, the Authority has identified both some additional information that the employer must provide to the data subject – in addition, therefore, to what is already provided for in Articles 13 and 14 of Regulation (EU) 2016/679 (the ‘GDPR’) – and some operational guidelines specifying the scope of the articles just mentioned.
Additional information includes: (i) the aspects of the employment relationship that are affected by the use of automated decision-making or monitoring systems; (ii) the operation of such systems; (iii) the main parameters used to program or train automated decision-making or monitoring systems, including performance evaluation mechanisms; (iv) the control measures adopted for automated decision-making or monitoring systems, any correction processes and the quality management system manager; (v) the level of accuracy, robustness and cybersecurity of the automated decision-making or monitoring systems and the metrics used to measure those metrics, as well as the potentially discriminatory impacts of those metrics.
In addition, each controller must, by way of example but not limited to:
- carry out assessments on compliance with the general principles of processing, including the principles of ‘privacy by design’ and ‘privacy by default’;
- preliminarily verify the existence of the conditions of lawfulness established also by the applicable regulations on remote controls;
- comply with all the requirements set out in the data protection regulations;
- comply with the conditions for the lawful use of technological tools in the work context;
- in implementation of the accountability principle, assess whether to carry out a prior impact assessment (i) in view of the technologies used and considering (ii) the nature, scope, context and purposes pursued;
- update the Record of processing activities.
Furthermore, if systems are used which give rise to exclusively automated decision-making processes which produce legal effects or which significantly affect the data subject, the employer will also have to evaluate alternative solutions which allow the worker to exercise the right to obtain human intervention, to express his or her point of view or to contest the decision.
In the light of the above, employers will have to carry out analyses and assessments of company processes to identifying the presence of the systems described, so as to develop and identify the activities to be adopted on a case-by-case basis, in order to ensure compliance with the regulations, both in the field of employment law and data protection.
Other related insights: