DLP Insights

The requirements relative to the processing of special categories of data have been issued


03 Sep 2019

The procedure for revising the 9 General Authorisations issued by the Privacy Guarantor in 2016 when the previous legislation was in force, in light of the EU Regulation on the protection of personal data 2016/679 (“GDPR”), has been completed.

At the end of the public consultation launched last December, the Guarantor adopted Regulation 146 of June 5, 2019, published in the Official Gazette of the following July 30, containing the obligations that must be met in various areas to be able to process particular categories of personal data (e.g. data related to health status, sexual orientation, genetic and biometric data).

The regulations concern the processing:

  • of these special categories of data (i) in employment relationships; (ii) by associations, foundations, churches and religious associations or communities, as well as by private investigators; and
  • of genetic data, and processing carried out for scientific research purposes.

The Regulation was adopted on the basis of Legislative Decree 101/2018 regarding provisions for adapting the national legislation to the GDPR, also taking into account the most significant and relevant contributions sent by the participants in the public consultation.

In the same Regulation, the Guarantor specified that the General Authorisation on the processing of judicial data by private individuals, public economic entities and public entities ceases to produce its effects, since it does not fall within the processing situations referred to in Art. 21 of Legislative Decree 101/2018.

General Authorisations 2, 4 and 5, concerning respectively the processing of (i) data disclosing health and sex life, (ii) sensitive data by self-employed professionals and (iii) sensitive data by different categories of data controllers, cease to have effect as they do not contain specific provisions.

Here we limit ourselves to examining the processing of data in employment relationships.

Scope

The Regulation applies to all those who, in various capacities (data controller/data processor), perform processing for the purpose of establishing, managing and terminating an employment relationship, including, among others:

  1. employment agencies and other persons who, in accordance with the law, carry out, in the interest of third parties, activities of intermediation, research and selection of personnel or support for professional relocation, including accredited training bodies;
  2. natural and legal persons, companies, including social enterprises, bodies, associations and organisations that are party to an employment relationship or that use employment services, even atypical, partial or temporary ones, or that in any case confer a professional assignment on the figures indicated in points 3 and 4 of the list of interested parties below;
  3. the workers’ representative for safety, including territorial and site safety;
  4. persons who handle obligations in the field of employment, social security and social and tax assistance on behalf of other subjects who are party to an employment or self-employment relationship;
  5. the company doctor, who acts as a freelance professional or as an employee of the employer or of affiliated structures.

Interested parties to whom the data refers

The interested parties are:

  1. candidates for the establishment of employment relationships, even in the case of curricula spontaneously transmitted for the establishment of an employment relationship;
  2. employees;
  3. consultants and freelancers, agents and representatives;
  4. subjects who carry out collaborations organized by the client, or other self-employed workers in a collaborative relationship, including in the form of ancillary work services;
  5. natural persons holding corporate or other positions in the aforementioned legal entities, bodies, associations and organisations;
  6. third parties who have suffered damage in the course of their work or professional activities;
  7. third parties (family members or cohabitants of the persons referred to in points 2 and 4 above) for the granting of benefits and permits.

Purpose of the data processing

Pursuant to Art. 9, paragraph 2, of the GDPR, the processing of special categories of personal data is carried out only if necessary:

  1. in order to fulfil or require the fulfilment of specific obligations, or to carry out specific tasks provided for by the legislation of the European Union, laws, regulations or collective agreements, including company-level ones, in particular for the purpose of establishing, managing and terminating an employment relationship, as well as the recognition of subsidies or the disbursement of contributions, the application of the legislation regarding social security and assistance, including supplementary schemes, or in matters of occupational health and safety, as well as in tax or trade union matters;
  2. also outside the cases referred to in point 1, in compliance with the law and for specific and legitimate purposes, for the purposes of keeping accounts or paying salaries, cheques, bonuses, other emoluments, donations or accessory benefits;
  3. for the purpose of safeguarding the life or physical safety of the worker or a third party;
  4. to assert or defend a right, also by a third party in court, as well as within the context of administrative proceedings or arbitration and conciliation procedures in the cases provided for by law, regulations or by collective or company contracts. This applies provided that the data is processed exclusively for these purposes and for the period strictly necessary for their pursuit;
  5. to fulfil the obligations arising from insurance contracts aimed at hedging the risks associated with the liability of the employer as regards occupational health and safety, occupational illness or harm caused to third parties during the performance of the work or professional activity;
  6. to ensure equal opportunities in employment;
  7. to pursue specific and legitimate aims identified by the statutes of associations, organisations, federations or confederations representing categories of employers or by collective agreements, with regard to trade union assistance to employers.

Specific requirements relative to different categories of data

  1. Processing carried out in the phase prior to the establishment of the employment relationship

The Regulation specifies that employment agencies and other persons who, in accordance with the law, carry out, in their own interest or that of third parties, activities of intermediation, recruitment and selection of personnel or support for professional relocation, may process data likely to reveal the state of health and racial and ethnic origin of candidates, only if their collection is justified by specific and legitimate purposes and is necessary to establish a working relationship/collaboration.

The Regulation also specifies that the processing carried out for the purposes of establishing the employment relationship, both through questionnaires sent electronically on the basis of predefined models and where candidates provide data on their own initiative, in particular by sending curricula, must refer only to information strictly relevant and limited to what is necessary for these purposes, also taking into account the particular tasks and/or the specific features of the professional profiles required.

If the CVs sent by the candidates contain data which is not relevant to the purpose pursued, the employers making the selection must refrain from using this information.

Genetic data may not be processed for the purpose of establishing the professional competence of a candidate for employment, even with the consent of the person concerned.

  2. Processing carried out in the context of the employment relationship

The employer processes data that reveals religious or philosophical beliefs or membership in associations or organizations of a religious or philosophical nature only in the case of use of leave during religious holidays or for the manner of provision of canteen services or, in cases provided for by law, for the exercise of conscientious objection.

The employer processes data that reveals political opinions or trade union membership, or the exercise of public functions and political duties, activities or trade union duties exclusively:

  • for the purposes of obtaining permits or leave of absence periods recognised by law or, where appropriate, by collective agreements, including company agreements; and
  • to allow the exercise of trade union rights including the processing of data relating to deductions for the payment of membership fees to associations or trade unions.

The Employer:

  • in the case of participation of employees in electoral operations as list representatives, in accordance with the principle of necessity, must not process data revealing political opinions in the documentation to be submitted for the purpose of recognising legal benefits; and
  • may not process genetic data for the purpose of establishing the professional competence of an employee, even with the consent of the person concerned.

Processing methods

With reference to the processing methods:

  1. as a general rule, the data must be collected from the data subject;
  2. in all communications to the interested party containing special categories of data, forms of communication must be used, including individualised electronic communication with the interested party or his delegate, including through authorised personnel. If a paper document is sent, it must be sent, as a rule, in a closed envelope, except where proof of receipt of the document is needed, including by signature upon receipt;
  3. documents containing special categories of data, where they are to be transmitted to other offices or departments of the same organisational structure as a result of their respective responsibilities, must contain only the information necessary for the performance of the function without attaching, where not strictly necessary, complete documentation or including excerpts within the text. To this end, methods of transmitting documentation must be selected and used to ensure that they are received and processed only by the competent offices or organisational structures and only by authorised personnel;
  4. when, for organisational reasons, and as part of the preparation of shifts, data relating to attendance and absence from work is made available to parties other than the person concerned (for example, other colleagues), the employer must not state, even through acronyms, the reasons for the absence from which particular categories of personal data (e.g. trade union permits or health data) can be inferred.
