Vittorio De Luca and Elena Cannone will be speakers at the next HR Breakfast “GDPR: urgent fulfilments for companies” organized by De Luca & Partners to deepen the understanding of new regulations for companies after the implementation since 25 May, 2016 of the European Regulation on the topic of personal data protection (“GDPR”). The GDPR will become fully operative starting from 25 May, 2018, fully repealing Law Decree 196/2003 (the so-called “Privacy Code”). The GDPR establishes uniform rules for the Member States as well as a new approach to the processing of personal data based on risk, introducing also the concept of “accountability” which will require to demonstrate the adoption of adequate security measures. The GDPR calls for a new guarantor figure: the Data Protection Officer (the so-called “RDP” or “DPO”), and the mandatory use of a Register of Data Processing Activities. The GDPR, in addition, assigns to the Interested Party a series of rights, among which the right to data portability and the right to be forgotten. The GDPR re-defines the role and the responsibilities of the Data Controller as well as includes an obligation to cooperation with the Supervisory Authorities through notifications of a data breach. The GDPR has introduced harsher penalties, leaving the Member States free to adopt the regulation related to other penalties. These are the topics of the next HR Breakfast.

The Supreme Court (judgement no. 6608/2018) stated that the typing of just cause for dismissal listed in the collective agreements are as an example and are not necessarily binding, having therefore the Court the power to expand or to circumscribe the extent to disciplinary purposes. Within its powers, therefore, the Judge, in the opinion of the Court, is free to infer the right cause of dismissal even missing a specific provision of the collective agreement, in the presence of a serious non-complying conduct of the employees or otherwise exclude it, as the result of the assessment of the concrete circumstances characterizing the defaulting behavior, although the collective agreement ascribes this specific behavior in the category of the dismissal without notice. The power of the judge would be constrained only if the collective agreement would provide for a purely conservative sanction, even if the employee’s defaulting behavior would integrate a just cause of dismissal. In this case, the provisions of the collective agreement should prevail on the more stringent evaluation of the judges regarding the existence of the just cause, on the assumption that the rules about just cause and proportionality of the sanctions would be favorably suspendable.

Il 25 maggio 2018 diventerà pienamente applicabile il Regolamento Europeo n. 679 del 2016 sulla protezione dei dati personali (“GDPR”). Ciò determinerà una uniformità della disciplina in materia di trattamento dei dati personali su tutto il territorio europeo. In tal senso, in Italia è stato approvato, in via preliminare, uno schema di decreto che abroga definitivamente il D.Lgs. 196/2003. Le novità sono molteplici. Basti osservare che le disposizioni del GDPR sono applicabili a tutte le imprese che, a prescindere dalla relativa collocazione geografica, trattano i dati di persone fisiche che si trovano all’interno dell’Unione Europea. Inoltre il GDPR propone un nuovo approccio al trattamento dei dati personali, basato sul rischio (“risk based approach”) introducendo anche il concetto di responsabilizzazione (“accountability”). In sostanza non più oneri o misure di sicurezza predefinite, ma quel che si chiede ai Titolari ed ai Responsabili del trattamento è di effettuare valutazioni ed analisi scrupolose, case by case, all’esito delle quali adottare, sempre nel rispetto delle disposizioni contenute nel GDPR medesimo, misure tecniche ed organizzative adeguate in relazione al trattamento che si intende operare ed ai rischi a cui esso è esposto. Non solo, in capo agli stessi grava l’onere di dimostrare di aver adottato misure proporzionate ed efficaci. Un’altra novità è l’introduzione del Registro delle attività di trattamento svolte. Si tratta di uno strumento che consente al Titolare e al Responsabile di avere un quadro aggiornato dei trattamenti in essere all’interno della propria organizzazione ed è indispensabile per ogni valutazione e analisi del rischio. In sostanza esso è parte integrante di un sistema di corretta gestione dei dati personali. Ed è proprio per questo che se ne consiglia la tenuta a prescindere dalle dimensioni aziendale.

Peraltro, riflette l’approccio “responsabilizzante” che permea il GDPR l’obbligo per i Titolari e i Responsabili di nominare, in casi specifici, il Responsabile della Protezione dei Dati. Questa figura deve avere precise caratteristiche, quali indipendenza, autorevolezza e competenze manageriali. Lo stesso svolge funzioni di supporto e controllo, consultive, formative e informative relative all’applicazione del GDPR nonché coopera con le Autorità di controllo e funge da punto contatto per le questioni connesse al trattamento dei dati. Inoltre, il GDPR – oltre ad aver inasprito le sanzioni – riconosce in capo al Soggetto Interessato tra gli altri, il il cd. diritto alla portabilità, alias il diritto per l’interessato, a determinate condizioni, di richiedere che i propri dati vengano trasferiti ad un altro Titolare senza impedimenti da parte del Titolare a cui inizialmente li ha forniti. Il GDPR disciplina con particolare attenzione anche l’eventuale fase patologica del trattamento, vale a dire la fase successiva ad un cosiddetto data breach, imponendo al Titolare di notificare la violazione dei dati personali alla Autorità di Controllo competente e di comunicarla al soggetto interessato. Insomma, il GDPR sembra rispondere perfettamente a quell’esigenza avvertita ormai da decenni circa la necessità di armonizzare la normativa privacy sul fronte europeo, essendo in grado di garantire la circolazione dei dati personali e la maggior certezza giuridica nell’era degli sviluppi tecnologici.

Clicca qui per sentire l’intervista di Vittorio De Luca e scaricare le slide di approfondimento.

The Court of Cassation, with judgement no. 4211 filed on 21 February 2018, passed a ruling in regard to an opposition against a payment injunction. In the specific case at hand, by said injunction, INPS had demanded payment by a company of penalties and interests on the substitute allowance in place of the prior notice paid to a former employee – in the specific case at hand, a manager – long after the date of the judgement of the court of first instance. This judgement had declared the dismissal for just cause, object of the proceedings, to be invalid. The opposition filed by the employer had been upheld by the courts of first and second instance. In particular, the Court of Appeal having jurisdiction over the case, had based its belief on the assumption that (i) the welfare obligations had ceased with the dismissal; (ii) the ruling condemning to pay the substitute allowance in place of the prior notice had been challenged and (iii) pending the appeal decision, no welfare obligation towards the welfare agency can be considered arisen. The Court of Cassation entirely reversed the decision of the trial court, maintaining instead that the welfare contributions due by the employer to INPS had arisen with the judgement – which by law is provisionally enforceable – that had condemned the company to pay the substitute allowance in place of the prior notice. Therefore, in the Court of Cassation’s opinion, the delay accrued from the decision to the day of actual payment of the welfare contributions had to be evaluated for the purpose of the timeliness of the fulfilment of the welfare obligations, since the fact that opposition proceedings are pending is irrelevant.

The Court of Cassation with judgement no. 5523 filed on 8 March 2018, has dealt inter alia with the issue of the validity of a dismissal for just cause imposed on the basis of the contents of a few emails sent from the email address of a worker recipient of the dismissal and therefore of their probative value. The evaluation of the Court appeals to a lack of absolute certainty in attributing the messages “to their apparent author”, as these have no electronic signature and therefore lack the nature of private deed pursuant to Article 2702, Italian Civil Code. In this regard, the Court stressed that traditional emails (such as those produced in the proceedings by the company and on which the dismissal was based) are modifiable and unable to ensure identification of their author. Therefore, in the Court’s opinion, these emails are, in accordance to Article 21, Legislative Decree 82/2005 (so-called Digital Administration Code) electronic documents subject to the free interpretation of trial courts. In the light of this reasoning, the Court concluded that the appeal of the employer against the judgement of the Court of Appeal having jurisdiction is groundless, which, reversing the judgement of the court of first instance, had found the dismissal invalid and condemned the same to pay the supplementary indemnity and the substitute allowance in place of the prior notice.