With Regulation 157 of 30 July 2019, which fully replaces all previous measures on the subject, the Guarantor for the Protection of Personal Data has provided the form for reporting computer incidents.

Data Breach

Pursuant to Article 33, paragraph 1, of the EU Regulation 2016/679 on the protection of personal data (the “GDPR”), the Data Controller is obliged, without undue delay and, where possible, within 72 hours of becoming aware of it, to notify the breach to the Supervisory Authority unless the breach of personal data is unlikely to pose a risk to the rights and freedoms of individuals. In addition, the Data Controller who becomes aware of a possible violation is obliged to inform the owner in a timely manner so that he can take action.

Notifications to the Guarantor made after the 72-hour period must be accompanied by the reasons for the delay.

Furthermore, if the breach involves a high risk to the rights of the individuals, the holder must communicate it to all the persons concerned, using the most appropriate channels, unless he has already taken measures to reduce its impact.

The Data Controller, regardless of the notification to the Guarantor, documents all breaches of personal data, for example by preparing a special register. This documentation allows the Control Authority to carry out any audits on the compliance with the regulations.

Content of the notification to the Guarantor

Pursuant to Article 33, paragraph 3, of the GDPR, the notification to the Guarantor must include the following information:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of records of the personal data concerned;
  • indicate the name and contact details of the Data Protection Officer (DPO) or other point of contact from whom more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed by the controller to remedy the personal data breach and also, where appropriate, to mitigate its possible adverse effects.

The above information is given in the form attached to the Regulation of 30 July 2019.

Notification must be made via PEC to the following address: protocollo@pec.gpdp.it and must be digitally signed or signed by hand. In the latter case, the notification must be submitted together with a copy of the signatory’s identity document. The subject of the message must contain the words “NOTIFICATION OF VIOLATION OF PERSONAL DATA” and, optionally, the name of the data controller.

In the event of a breach of the notification procedures, a financial penalty of up to €10 million or, in the case of companies, up to 2% of the total global annual turnover is applied.

The procedure for revising the 9 General Authorisations issued by the Privacy Guarantor in 2016 when the previous legislation was in force, in light of the EU Regulation on the protection of personal data 2016/679 (“GDPR”), has been completed.

At the end of the public consultation launched last December, the Guarantor adopted Regulation 146 of June 5, 2019, published in the Official Gazette of the following July 30, containing the obligations that must be met in various areas to be able to process particular categories of personal data (e.g. data related to health status, sexual orientation, genetic and biometric data).

The regulations concern the processing:

  • of these special categories of data (i) in employment relationships; (ii) by associations, foundations, churches and religious associations or communities, as well as by private investigators; and
  • genetic data and the processing carried out for scientific research purposes.

The Regulation was adopted on the basis of Legislative Decree 101/2018 regarding provisions for adapting the national legislation to the GDPR, also taking into account the most significant and relevant contributions sent by the participants in the public consultation.

In the same Regulation, the Guarantor specified that the General Authorization on the processing of judicial data by private individuals, public economic entities and public entities ceases to produce its effects, since it does not come under the situations of processing referred to in Art. 21 of Legislative Decree 101/2018.

General Authorisations 2, 4 and 5, concerning respectively the processing of (i) data disclosing health and sex life, (ii) sensitive data by self-employed professionals and (iii) sensitive data by different categories of data controllers, cease to have effect as they do not contain specific provisions.

Here we limit ourselves to examining the processing of data in employment relationships.

Scope

The Regulation applies to all those who, for various reasons (owner/manager of the processing), perform processing for the purpose of establishing, managing and terminating an employment relationship and, among others:

  a) employment agencies and other persons who, in accordance with the law, carry out, in the interest of third parties, activities of intermediation, research and selection of personnel or support for professional relocation, including accredited training bodies;
  b) natural and legal persons, companies, also social enterprises, bodies, associations and organisms that are part of an employment relationship or that use even atypical, partial or temporary employment services, or that in any case confer a professional assignment to the figures indicated in the following letters c) and d);
  c) the workers’ representative for safety, including territorial and site safety;
  d) persons who handle obligations in the field of employment, social security and social and tax assistance on behalf of other subjects who are part of an employment or self-employment relationship;
  e) the company doctor, who acts as a freelance professional or as an employee of the employer or of affiliated structures.

Interested parties to whom the data refers

The interested parties are:

  a) candidates for the establishment of employment relationships, even in the case of curricula spontaneously transmitted for the establishment of an employment relationship;
  b) employees;
  c) consultants and freelancers, agents and representatives;
  d) subjects who carry out collaborations organized by the client, or other self-employed workers in a collaborative relationship, including in the form of ancillary work services;
  e) natural persons holding corporate or other positions in the aforementioned legal entities, bodies, associations and organisations;
  f) third parties who have suffered damage in the course of their work or professional activities;
  g) third parties (family members or cohabitants of the persons referred to in letters b) and d) above) for the issue of benefits and permits.

Purpose of the data processing

Pursuant to Art. 9, paragraph 2, of the GDPR, the processing of special categories of personal data is carried out only if necessary:

  a) in order to fulfil or require the fulfilment of specific obligations, or to carry out specific tasks provided for by the legislation of the European Union, laws, regulations or collective agreements, even corporate, in particular for the purpose of establishing, managing, and terminating an employment relationship, as well as the recognition of subsidiaries or the disbursements of contributions, the application of the legislations regarding social security and assistance, even supplemental, or in matters of occupational health and safety, as well as in tax or trade union matters;
  b) also outside the cases referred to in point a), in compliance with the law and for specific and legitimate purposes, for the purposes of keeping accounts or paying salaries, cheques, bonuses, other emoluments, donations or accessory benefits;
  c) for the purpose of safeguarding the life or physical safety of the worker or a third party;
  d) to assert or defend a right, also by a third party in court, as well as within the context of administrative proceedings or arbitration and conciliation procedures in the cases provided for by law, regulations or by collective or company contracts. This, provided that the data is processed exclusively for these purposes and for the period strictly necessary for their pursuit;
  e) to fulfil the obligations arising from insurance contracts aimed at hedging the risks associated with the liability of the employer as regards occupational health and safety, occupational illness or harm caused to third parties during the performance of the work or professional activity;
  f) to ensure equal opportunities in employment;
  g) to pursue specific and legitimate aims identified by the statutes of associations, organisations, federations or confederations representing categories of employers or by collective agreements, with regard to trade union assistance to employers.

Specific requirements relative to different categories of data

  1. Processing carried out in the phase prior to the establishment of the employment relationship

The Regulation specifies that employment agencies and other persons who, in accordance with the law, carry out, in their own interest or that of third parties, activities of intermediation, recruitment and selection of personnel or support for professional relocation, may process data likely to reveal the state of health and racial and ethnic origin of candidates, only if their collection is justified by specific and legitimate purposes and is necessary to establish a working relationship/collaboration.

The Regulation also specifies that the processing carried out for the purposes of establishing the employment relationship, both through questionnaires sent electronically on the basis of predefined models, and in the event that candidates provide data on their own initiative, in particular by sending curricula, must refer only to information strictly relevant and limited to what is necessary for these purposes, also taking into account the particular tasks and / or the specific features of the professional profiles required.

If the CVs sent by the candidates contain data which is not relevant to the purpose pursued, the employers making the selection must refrain from using this information.

Genetic data may not be processed for the purpose of establishing the professional competence of a candidate for employment, even with the consent of the person concerned.

  2. Processing carried out in the context of the employment relationship

The employer processes data that reveals religious or philosophical beliefs or membership in associations or organizations of a religious or philosophical nature only in the case of use of leave during religious holidays or for the manner of provision of canteen services or, in cases provided for by law, for the exercise of conscientious objection.

The employer processes data that reveals political opinions or trade union membership, or the exercise of public functions and political duties, activities or trade union duties exclusively:

  • for the purposes of obtaining permits or leave of absence periods recognised by law or, where appropriate, by collective agreements, including company agreements; and
  • to allow the exercise of trade union rights including the processing of data relating to deductions for the payment of membership fees to associations or trade unions.

The Employer:

  • in the case of participation of employees in electoral operations as list representatives, in accordance with the principle of necessity, must not process data revealing political opinions in the documentation to be submitted for the purpose of recognising legal benefits; and
  • may not process genetic data for the purpose of establishing the professional competence of an employee, even with the consent of the person concerned.

Processing methods

With reference to the processing methods:

  1. as a general rule, the data must be collected from the data subject;
  2. in all communications to the interested party, containing special categories of data, forms of communication must be used, including individualised electronic communication with the interested party or his delegate, including through authorised personnel. If the paper document is sent, it must be sent, as a rule, in a closed envelope, except for the need to obtain proof of receipt of the document, including by signing it upon receipt of the document;
  3. documents containing special categories of data, where they are to be transmitted to other offices or departments of the same organizational structure as a result of their respective responsibilities, must contain only the information necessary for the performance of the function without attaching, where not strictly necessary, complete documentation or include excerpts within the text. To this end, methods of transmitting documentation must be selected and used to ensure that they are received and processed only by the competent offices or organisational structures and only by authorised personnel;
  4. when, for organisational reasons, and as part of the preparation of shifts, data is made available to parties other than the person concerned (for example, other colleagues) relating to attendance and absence from work, the employer must not explain, even through acronyms, the reasons for the absence from which it is possible to infer the knowledge of particular categories of personal data (e.g. trade union permits or health data).

The Court of Cassation, in its judgement 21628/2019, stated that extending the lunch break beyond the time allowed and not having completed the work is more serious than absence from work.

The facts

A postman was fired for “having remained on two occasions with others well beyond the anticipated lunch period, while leaving the mail assigned to him and the vehicle provided unattended. All without having completed his work for not having delivered two packages”.

The Court of Appeals with territorial jurisdiction upheld the decision of the first instance, stating, among other things, that “the conduct is carried out with clear awareness in the violation of the company rules inferable from the manner in which it is carried out”.

The worker appealed against the decision on two grounds in Cassation, to which the company appealed with counter-claim.

The decision of the Court of Cassation

The worker, among other things, argued that the charge against him was one of the cases for which the sectoral national collective bargaining agreement provided for a conservative penalty. Consequently, the court could not impose a more serious penalty than that indicated by the social parties.

This reason was considered unfounded by the Court of Cassation in light of the principles it had recently expressed (see Cassation no. 12365 of 2019, Cassation conf. no. 14064, 14247, 14248, 14500 of 2019). In particular, only where the disputed and ascertained fact is expressly contemplated by a provision of a source of negotiation binding on the employer, which typifies the conduct of the worker as punishable by conservative sanction, the dismissal can be declared illegitimate and, therefore, also worthy of the reintegration protection provided for in amended Art. 18 paragraph 4.

According to the Court of Cassation, in the present case, contrary to what the worker claims, the Court of Appeals held that the conduct complained of was more serious because: “it was carried out with other employees and was noticed by the community to the point that there was also a complaint against the malfunctioning of the service by the inhabitants of the area concerned from which the investigations arose; during the time spent at lunch after the break granted, the employee could well have completed the research needed to deliver the packages which had remained unprocessed; P., who normally spent time at the restaurant, had left the company vehicle completely unattended during those times”.

These facts, in the opinion of the Court of Cassation, appreciated by the Territorial Court and unquestionable in terms of legitimacy, “are certainly suitable for excluding the continuation of the charges as ascertained by the court of merit to the more general provision of habitual negligence or habitual non-compliance with service obligations punishable by a conservative sanction by the collective bargaining”.

In the opinion of the Court of Cassation, the assumption of the Court of Appeal according to which: “the unjustified absence from work of an employee is in fact less serious than the conduct of a person who, despite being regularly on duty, chooses to spend time with others beyond the permitted time, without having fully performed the tasks entrusted to him and inherent in his duties”.

According to the Court of Cassation, in this case there is a serious breach of the contractual obligations incumbent on the employee, who shows a particularly strong intentional element.

In view of all the above, the Court of Cassation rejected the employee’s appeal, confirmed the legitimacy of the dismissal ordered against him and settled the costs according to the principle to be borne by the losing party.

The Court of Cassation, in its judgement 21390 filed on 14 August 2019, stated that a company agreement signed to deal with a temporary increase in activity does not expire unless explicitly provided for and can be reused later.

The facts

The Court of Appeals with territorial jurisdiction upheld the decision of the lower court which had rejected the request made by a worker against the employer to establish the irregularity of the manpower supply agreement and the fixed-term contract (extended several times in 2010) between them. The purpose of these contracts was “to provide assistance (handling) at the airport of (OMISSIS) for the scheduled operations during the period of the relationship, of the Airlines that were starting up and partly consolidating their activities at the airport”.

Specifically, the Court of Appeals stated that “the manpower supply contract had been concluded because of the need to deal with the temporary increase in activities deriving from the “Postal Flights” project expressly referred to in the trade union agreement of 6 December 2006 by which the social partners had defined, for this purpose, the need to use fixed-term and supply contracts and the procedures for implementing the agreed increases in staff. In this context, the reason for the fixed-term contracts had to be regarded as being sufficiently specific. The justifying reasons relating to the implementation of the Poste project were then positively reflected in the trade union agreement of 6 December 2006, in respect of which no expiry had been set, with the result that that agreement could not be regarded as automatically having ended, as the applicant claims, at the end of the 36th month following its conclusion (April 2010)”.

The employee appealed to the Court of Cassation against that decision, relying on two reasons, which the company resisted in its defence argument.

The decision of the Court of Cassation

The worker contested, inter alia, the judgement under appeal for having given validity to the Trade Union Agreement of 6 December 2006. This gave it an indefinite duration and allowed an unlimited use in time of the fixed-term contract also administered, to deal with the same business activities relating to postal flights, which the same agreement had limited in time to 2 years and 12 months.

On this point, the Court of Cassation noted that the appeal courts pointed out that “the agreement of 6 December 2006 had intervened in the start-up phases of the Postal Flights business and with it the collective parties had acknowledged that this activity entailed the need for fixed-term recruitment in relation to the contract concluded with the Poste Italiane company, agreeing on how to proceed with fixed-term recruitment or manpower supply contracts; and this without setting any deadline, even indirectly, so that it could not be considered automatically terminated in April 2010, at the end of the 36 months from the conclusion of the agreement, as claimed by the worker”.

According to the Court of Cassation, the appeal courts considered that, once the contract with Poste Italiane had been renewed, the company’s need to resort to a temporary increase in staff was repeated. In light of the above, they concluded that the 2006 agreement, although signed on the occasion of the first tender contract, was still suitable for confirming that these same recruitment requirements already positively assessed by the Trade Unions continued to apply also to subsequent contracts.

In view of the above, the Court of Cassation dismissed the employee’s appeal, charging the costs of the proceedings to the party losing the case.

The Court of Cassation reiterated that the judge’s review cannot also concern the merits of the employer’s management choices, and a minimum reduction in revenue, if objectively linked to the expulsion measure, can be considered suitable to justify dismissal.

The background that the Court of Justice, with its judgement of 18 July 2019, No 19302, examined was, very briefly, the following. A worker applied to the Court of First Instance for a declaration that the dismissal ordered against him was unlawful on the grounds that he was opposed to the employer’s decision to convert his employment relationship from full-time to part-time.

The Court of Appeal, in confirming the first instance decision that had accepted the worker’s application, pointed out that it was obvious that the company’s balance sheet for the year prior to the dismissal had recorded a profit for the year and a reduction in liabilities. In addition, according to the District Court, the accounting entries and the depositions of the witnesses showed a slight decrease in profit from 2008 to 2010, although the operating results remained positive. And in order to face the described and slight negative drop in the profit margin, the employer decided to transform the employment relationship of some employees, including the complainant, from full time to part time. Therefore, the economic situation described above could not be considered as justifying the redundancy in question.

The employer appealed against the decision on the substance of the case in Cassation on two grounds, the first of which related to the incorrect assessment of the non-recurrence of the justified objective ground.

In the first ground for appeal, in other words, a conflict was declared between what was stated in the judgement under appeal and what was stated several times by the Court of Cassation, “according to which even reasons aimed at improving management efficiency or increasing the profitability of the business, which lead to a real change in the organisational structure through the abolition of a job, may justify individual dismissal on objective grounds”. In addition, the employer pointed out:

  • that, in a small company such as its own, not even the slightest but constant reduction in revenue from 2008 to 2010 can be underestimated;
  • that it was only because of the worker’s failure to agree to move to a part-time scheme that he was dismissed for justified objective reasons.

On this point, the courts of law have specified that the judicial review of the lawfulness of dismissal must be substantiated by verification of: (i) the existence of the objective reason that the employer has declared to be the basis of the same; (ii) the existence of the causal link between the reason ascertained and the suppression of the employment position.