In its 15 April 2021 injunction order, the Italian Data Protection Authority fined a company operating in the manufacturing sector for failing to punctually and adequately inform the employees about the features of a computer system. In doing so, the company unlawfully processed workers’ data beyond the limits set by the authorisation of the local labour inspectorate and the purposes indicated in the provided policies.
The Data Protection Authority intervened following the complaint lodged by the FIOM CGIL, on behalf of some workers, requesting the adoption of an investigation and compliance measure against the employer company. It was alleged that the company’s system required a personal password on the workstation before starting work, which made it possible to store the data of individual workers relating to stoppages and production throughout the working day. Since the data collected relates to the work of individual employees following authentication with the password, the company, in the union’s opinion, collected data through this system and for purposes other than those outlined in the privacy policy.
As a result of the investigation carried out by the Data Protection Authority, it emerged that the computer system coexisted with the previous work organisation method, based on the completion of paper forms in which the names of employees were revealed in plain text. The forms were stored and recorded on the software, but without any form of separation, thus contradicting the privacy policies on the system functioning and the authorisation issued by the Labour Inspectorate, which had expressly prohibited using the data collected for disciplinary purposes. It had emerged that the data collected through this tool had been used to verify the truthfulness of the statements made by an employee during disciplinary proceedings initiated against them.
In addition, it emerged that there were irregularities in the retention periods of the data collected and processed, which, according to the company’s statement, should have been commensurate with what was necessary for the “monitoring/evaluating production cycles.”
In the light of the information gathered, the Data Protection Authority ordered the definitive limitation of the processing operations carried out using the data collected through this system, ordering the company (i) to bring its organisation and processing operations in line with Regulation (EU) 2016/679, including by updating the privacy policy provided to the employees concerned, (ii) adopt appropriate measures to segregate the data collected using paper forms and software and (iii) pay €40,000 as a financial penalty for the violations found.
Other related insights:
The FAQ(s) aim to support employers in the correct application of existing legislation resulting from the combination of personal data protection applicable law, workplace health and safety applicable law and emergency regulations.
On 17 February 2021, the Italian Data Protection Authority (the “Authority”) published on its institutional website some FAQ(s) (“Frequently Asked Questions”) concerning the processing of data related to Covid-19 vaccination in the work context.
First of all, the Authority clarified that the employer is not among the persons entitled to request employees to provide information on their vaccination status or, in any case, a copy of the documents proving that they have been vaccinated against Covid-19.
According to the Authority, such processing of personal health data by the employer would not be permitted either by the emergency provisions in force nor by the applicable legislation on health and safety in the workplace, currently contained in the “Consolidated Law on Health and Safety at Work” (“Legislative Decree No. 81/2008.
The FAQ(s) clarify that in the employment context not even the consent of the employee him- or herself legitimises such data processing; consent, in this case, cannot constitute a valid condition of lawfulness. This is because of the imbalance and lack of equality in the relationship between the employer, the Data Controller, and the employee (the data subject), whereby the latter’s expression of consent cannot be guaranteed to be freely given (on this point, see recital 43 of (EU) Regulation 2016/679 on the protection of personal data).
Continue reading the full version published in Norme & Tributi Plus Diritto de Il Sole 24 Ore.
On 23 June 2020, the Italian Data Protection Authority (“Garante“) published the “2019 Annual Report” (the “Report“) listing activities carried out during the previous calendar year.
With the publication of the Report, the Data Protection Authority has confirmed what had already been stated in the note ref. no. 7797, dated 27 February 2019, concerning the subjective qualification of the Company Physician (as defined by art. 38 of Legislative Decree 81/2008, the “Decree”)
It is necessary to make a brief introduction to better understand the issue.
Article 4 of the (EU) Personal Data Protection Regulation (the “Regulation“) defines the Data Controller as (i) “the individual or legal person, public authority, service or other body which, individually or jointly with others, determines the personal data processing purposes and means” and the Data Processor as (ii) “the individual or legal person, public authority, service or other body which processes personal data on behalf of the data controller.”
Since the first interpretations and applications of the Regulation, the legal theory opened a debate on the Company Physician’s correct subjective qualification for data processing carried out during the functions and tasks assigned by the Decree.
Part of the theory suggested that the Company Physician was a Data Processor (under art. 28 of the Regulation), and the employer was the sole Data Controller which has the task of determining the purposes and means of the processing carried out by the professional. This theory was based on the relationship between the employer and the Company Physician was regulated by a contract by which the latter was expressly authorised by the employer to carry out employee personal data processing (including data belonging to special categories, formerly “sensitive” data).
Conversely, a different part of the theory stated the Company Physician was an independent Data Controller, as the processing purposes were established by the Decree and not by the employer.
This latter idea was expressly confirmed by the Data Protection Authority, which qualifies the Company Physician as an independent Data Controller. The type of processing carried out by the professional (for example, health monitoring or preparing health records) is their prerogative and not the employer’s.
In terms of sanctions, according to the Data Protection Authority, the regulatory framework makes a precise distinction between the employer and Company Physician’s responsibilities.
Others Insights related:
On 16 July 2020, the Court of Justice of the European Union (“CJEU” or “Court”) in its ruling “Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, invalidated Decision no. 2016/1250 and the Agreement between the European Union and the United States of America on the protection and regulation of the European citizens’ personal data transfer to recipients located in the United States (“Privacy Shield”).
The European Data Protection Board or “EDPB”) has prepared “Frequently Asked Questions” (“FAQ“) which the Italian Data Protection Authority (“Garante”) translated into Italian.
These FAQs underlined that the other tools provided for by EU Regulation 2016/679 on the protection of personal data (“Regulation“) such as the “Standard Contractual Clauses” or “SCC“ and “Binding Corporate Rules” or “BCR” can still be considered adequate to legally transfer personal data to recipients outside the European Union. It is highlighted that it was the parties’ responsibility to assess transfers on a case-by-case basis with the clarification that: “The European Data Protection Board is analysing the Court’s judgement to determine additional measures whether legal, technical or organisational, could be provided with SCC or BCR, to transfer data to third-party countries where SCC or BCR cannot provide sufficient guarantees.”
The FAQs refer to an additional tool as the legal basis for such transfers – data subject consent. It is reiterated that consent language must be simple and clear and must transparently inform data subjects about the possible risks that a transfer to the US or other foreign jurisdictions could entail.
Further tools provided by the Regulation as legal bases to legitimise transfers abroad are: (i) an adequacy decision on European requirements on personal data protection and (ii) compliance with Codes of Conduct or certification mechanisms which must be applied by the party to whom the data are transferred.
◊◊◊◊
In the light of the Court’s ruling and the EDPB’s FAQs, it will be the task of any organisation that transfers data to recipients outside the EU to carry out processing assessments and identify related risks, and the appropriate tool to legitimise the transfer.
Others Insights correlati:
Privacy Shield: the Court of Justice of the European Union invalidates the EU – USA Agreement
With a decision dated 1 April 2020, the Spanish Data Protection Authority (hereinafter, the “Agencia Española Protección Datos” – “AEPD”) sanctioned a Spanish company doing business in the home delivery sector following the relevant online booking, used by thousands of customers, due to the failure to designate a Data Protection Officer (hereinafter, the “DPO” or the “Head of Data Protection”) pursuant to Article 37 of Regulation (EU) 2016/679 on personal data protection (hereinafter, the “Regulation”).
One of the new developments introduced by the Regulation is the role of the DPO. Indeed, Articles 37, 38 and 39 include provisions in connection (i) with the designation of the DPO (ii) with the position held by such role within an organisation and (iii) with the reference as to the minimum duties to be assigned thereto in light of the nature, scope of application, context and aims of the processing carried out by the Data Controller or by the Data Processor.
However, if we stick to a literal interpretation of the Regulation, not all Data Controllers or Data Processors are under an obligation to designate any such role.
The above-mentioned line of interpretation arises out of the content of Article 37, based on which it is necessary to designate a DPO in any case where: “(i) the processing is carried out by a public authority or body (…)”, “(ii) the core activities (…) consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”, or (iii) “the core activities (…) consist of processing on a large scale of special categories of data (…) or personal data relating to criminal convictions (…).
From the very first interpretation of the Regulation, such cases have started considerable debate with the corresponding different stances on the side of law scholars. The expressions “large scale” “regular monitoring of data subjects on a large scale” are rather vague and, often, in the actual implementation of the Regulation, they may bring about interpretative doubts.
In this respect, the decision of the AEPD at issue is not only significant because it includes one of the first sanctions inflicted as from the entering into force of the GDPR following the ascertainment of the failure to designate the DPO, but also and moreover, because it constitutes a precedent in the definition and demarcation of the “large scale” concept. Indeed, the Spanish Authority emphasises the numerical significance of the data subjects affected by the processing as a necessary condition in order to ascertain the vague large scale concept.
Within our domestic scope, notwithstanding the rules under the Regulation, the Italian Data Protection Authority has clarified that it is also possible to designate a DPO even in those cases not falling within those imposed by the Regulation. Indeed, in light of any such clarification, it is good practice to accurately ground and document the reasons why the Data Controller, or the Data Processor, have made the decision to identify any such role or not.
Finally, we would like to recall that infringements of the obligations under the aforesaid Articles 37, 38 and 39 of the Regulation entails, pursuant to Article 83(4) of any such Regulation to the infliction of an administrative fine up to Euro 10,000,000.00 or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
Others insights related:
FAQs of the Data Protection Authority on the Data Protection Officer of Personal Data