The Data Protection Authority, with “Measure no. 216 dated 4 December 2019”, confirmed an already consolidated position, according to which an employer that keeps an employee’s company email account active after the termination of the employment contract and accesses the emails contained in the mailbox commits an offence.

The case

A company used the labour court against a former employee because he offered products in direct competition with its own products. The information in support of the action had been collected by the applicant company by logging in to the email address account of the former employee even after the termination of the employment contract.

The worker thus complained to the Data Protection Authority, claiming that his former employer had not deactivated his email account and had accessed the messages he had received.

The company, in challenging the complaint filed by the employee, stated that the failure to deactivate the account and the simultaneous forwarding of emails to the address of the head of the Information Technology department had been arranged because (i) the former employee had failed to send customers a communication with the new company references. It added, moreover, that (ii) only correspondence containing business messages had been opened, not personal messages, and that (iii) the former employee was aware of the “business practice” according to which the employer, after the termination of the contract, would check correspondence addressed to him.

Acknowledging that the facts complained of predate the entry into force of EU Regulation 2016/679 and that the information had been given to employees only verbally, the Data Protection Authority nonetheless declared unlawful the repeated use of the individual company account of a person no longer belonging to that company organisation.

The Data Protection Authority, in fact, stated that the employer must act in accordance with the principles of lawfulness, necessity and proportionality, which are the foundations of personal data protection, ordering the removal of corporate email accounts attributable to identified or identifiable persons. At the same time as closing the account, according to the Authority, the employer is obliged, where necessary, to set up automatic systems that inform third parties and provide them with alternative addresses to contact. In addition, the employer must take appropriate measures to prevent incoming messages from being displayed throughout the period in which the automatic reply system is active.

According to the Measure, it is the implementation of appropriate technical and organisational measures that makes it possible to balance, on the one hand, the interest of the owner (i.e. the employer) in accessing the information it needs to continue managing the work activity and, on the other, respect for the worker’s legitimate expectation of confidentiality of correspondence. In addition, in the opinion of the Data Protection Authority, adopting internal rules under which information on the technical and organisational arrangements adopted is shared with employees is one of the correct measures to implement.

On 19 January, the Official Gazette published the “Regulation amending the Presidential Decree No. 178/2010 on the matter of the Do Not Call Registry concerning the use of snail mail” (Presidential Decree No. 149 dated 8 November 2018, hereinafter the “Regulation” or the “Presidential Decree”). The Do Not Call Registry (that is, the registry with which those who do not wish to receive “direct marketing communications” can register, hereinafter the “Registry”), in operation since 2010 for telephone marketing, is now extended to marketing performed via snail mail. In order not to be “solicited” even by unwanted printed marketing material, one will have to register with the Registry. If one does not register, the addresses listed in “public telephone number lists” may be used – and therefore also for promotional purposes – even without the explicit consent of the subject.

All of the above is effective from 6 May 2019. In fact, the Regulation, in effect from 3 February, allows 90 days before becoming fully operational (the 90th day is Saturday, 4 May, therefore the actual date will be moved to Monday 6). The Italian Data Protection Authority itself recommended that the final version of the Presidential Decree take a transition period into account, both to allow the “subscribers/parties interested to the processing of data” to get informed and to register with the Registry before being “bothered”, and to implement and finalise the Registry. To find out the operating and registration procedures in detail (for example, it will not be possible to register with the Registry via fax, but only via web, e-mail or phone), it will be necessary to browse the Registry website in the next few months.

Moreover, the “effective period” of the consultation within which the marketing operator may use the address of interest found in the “subscribers list” is extended: compared to the previous 15 days, the Registry consultation by the operator will now be valid for 30 days. Therefore, for companies that wish to operate in the marketing sector, it is important to consult the Registry. Moreover, the provision concerning the information notice to the contacted subject has been supplemented and amended. For example, the subject shall be informed of the source of the data used and of the instructions necessary to register with the Registry, and this shall be done inside the marketing promotional material itself or in the invoicing documents. Failure to meet the aforementioned “prior consultation obligation” is punishable with a fine of up to a maximum of 20 million euros or 4% of the global yearly turnover. Information and awareness campaigns will be performed in the next few months to let people know about the news introduced by the legislation described above.

Last October, the Data Protection Authority provided a range of significant clarifications on two of the main requirements – extremely important aspects of accountability – introduced with European Regulation 679/2016 on data protection and privacy (the “Regulation”):

(i) the Data Processing Register, in response to the FAQs published on 8 October on the Data Protection Authority’s website, and

(ii) the Data Protection Impact Assessment (“DPIA”), as provided in Measure No. 467 of the Data Protection Authority, issued on 11 October.


Data processing register

According to the Data Protection Authority, the “Register of processing activities” (“Register”) – as provided in article 30 of the Regulation – must contain all key information concerning the processing activities completed by the Controller. The document must be in written or electronic form and is the first document to be promptly made available on request of the Data Protection Authority or during an inspection.

The Data Protection Authority has extended the pool of subjects that are required to keep the Register, so as to include all businesses that process personal data on a non-occasional basis (regardless of the number of people employed), commercial or craft establishments with at least one employee, self-employed professionals, associations and foundations and, lastly, condominiums, where “special categories” of data are processed.

The Data Protection Authority has pointed out that the Register must contain the required level of “minimum information”, specifically:

– the purpose of each processing operation. In this regard, the recommendation is to also indicate the legal basis for processing, in addition to specifying the purpose for each type of processing (processing of employee data to manage the employment relationship; processing of supplier contact details when managing orders). The following recommendations are also made, again in reference to the legal basis: where “special categories of data” are processed, indicate one of the conditions set out in art. 9, par. 2 of the Regulation; where data relating to criminal convictions and offences are processed, indicate the specific provisions (national or EU) under which the processing is allowed pursuant to article 10 of the Regulation;

– the categories of data subjects (e.g. customers, suppliers and employees) and the categories of personal data (e.g. personal details, medical information, biometric data);

– the categories of recipients to whom the data are disclosed (other controllers to whom the data are disclosed, including their category, for example, to social security institutions to fulfil payment obligations). The Data Protection Authority also advises that it would be appropriate to indicate any other persons to whom – as processors or sub-processors – the data are disclosed (e.g. to payroll processing companies). This is to ensure that the Controller has knowledge of the number and type of entities to whom data processing operations are assigned;

– any transfer of data to third countries, indicating the Countries/the Third Parties to which the data are transferred and the safeguards applied in accordance with the Regulation;

– the period for which the personal data are stored (e.g. in the case of employment relationships, the data must be stored for 10 years from the date they were last recorded) and, lastly,

– a general description of the (technical and organisational) security measures put in place for each processing operation, including the possibility to reference external documents of a generic nature (e.g. internal procedures) to allow a more comprehensive assessment.


The Data Protection Authority has reiterated that the Register must be updated on an ongoing basis so that its contents reflect the actual situation of the processing operations carried out. In essence, any changes must be immediately recorded in the Register and explained.

The Processor is also required to keep a Register of the processing operations. The Data Protection Authority has clarified that the keeping of such Register must comply with the following:

– if the Processor is acting on behalf of customers who are separate and autonomous controllers (e.g. a software house), the information set out in article 30(2) of the Regulation must be recorded in the Register in reference to each of the aforesaid controllers. In this case, the Processor will divide the Register into the same number of sections as the number of autonomous controllers on behalf of which he/she is acting or, alternatively, a reference can be added, for example, to a customer (controller) information card or database containing a description of the services supplied to them. The customer information cards should in any event contain the information required under article 30(2) of the Regulation;

– having regard to the “record of all categories of processing activities carried out”, a reference can be made to the contents of the contract of appointment as processor, which, pursuant to article 28 of the Regulation, should set out, in particular, the nature and purpose of the processing, the type of personal data and categories of data subjects and the duration of the processing;

– likewise, in the case of sub-processors, the Register of the processing operations carried out by them can specifically reference the contents of the contract entered into between the sub-processor and the Processor pursuant to article 28 of the Regulation.

Data protection impact assessment

Measure No. 467 of the Data Protection Authority provides a list of 12 types of processing activities in relation to which a Data Protection Impact Assessment (DPIA) must be carried out. Such requirements are therefore in addition to the provisions contained in article 35 of the Regulation and in the guidelines issued in 2017 by the WP29 (now the European Data Protection Board).

The DPIA is a particularly delicate operation in terms of “privacy compliance”, since it requires the Controller to carefully assess and consider the related technical and organisational measures, which must be able to prevent risks to the rights and freedoms of the natural persons concerned.

In addition to the three examples given in article 35 of the Regulation – profiling, systematic monitoring of a publicly accessible area on a large scale and processing on a large scale of special categories of data (formerly, “sensitive data”) – there are nine other cases, as listed in the WP29 guidelines, for which the DPIA is mandatory. The Italian Data Protection Authority has provided further clarifications in this respect.

In detail, the Data Protection Authority requires that a DPIA is carried out in advance for the following categories of processing:

– evaluation-type processing, scoring on a large scale and profiling;

– automated decision-making with legal or similarly significant effect for the data subjects (e.g. screening customers of a bank using information obtained from a central credit register);

– processing that enables the systematic use of data for observation and monitoring purposes (e.g. online or using apps);

– processing on a large scale of strictly personal data (e.g. emails) or which have impacts on fundamental rights (location, which if collected may affect freedom of movement);

– processing in the context of employment relationships, using technological means (e.g. video surveillance or geolocalisation) that enable the remote monitoring of an employee’s activity;

– processing that involves vulnerable data subjects (minors, people with disabilities, etc.);

– processing with innovative technologies (IoT or AI);

– processing that involves the exchange of data between several controllers, on a large scale;

– processing by means of interconnection or similar methods (e.g. mobile payments);

– processing of “special categories” of data or, in any event, concerning criminal convictions;

– systematic processing of biometric data and, lastly, genetic data.

From a “comparative” perspective, compared to the French Data Protection Authority (CNIL), the Italian Authority does not make specific reference to processing in relation to “whistleblowing systems”.

It should be noted, however, that the list of the 12 types of processing – due to be published in the Italian Official Journal – is not an exhaustive list: while the DPIA is required when at least one of the 9 cases listed in the WP29 guidelines is present, it can (and should) also be carried out whenever deemed necessary by the Controller.


Background

Opinion 12/2018, adopted on 25 September 2018 by the European Data Protection Board (“EDPB”), has recently been made public. The EDPB is the body mainly in charge of ensuring a uniform and consistent application of EU Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data (“GDPR”) in all member States. The EDPB succeeded the previous “Working Party 29” or “WP29” and has broader powers and new duties.

As part of its work of aligning the various internal practices, in the last few months the Supervisory Authorities of the member States submitted to the EDPB their list of “types of data processing” which require a prior “data protection impact assessment” (DPIA) as a condition for legality of the processing.

The Italian case

The list submitted by the Italian Data Protection Authority defines six types of processing that require that a DPIA be conducted beforehand. Specifically, these are: (i) processing of biometric data; (ii) processing of genetic data; (iii) processing carried out using innovative technologies; (iv) monitoring of employees; (v) “further processing of personal data” and (vi) processing that refers to a “specific legal basis”.

The EDPB answered the Italian Data Protection Authority with its own observations, some of which were of a general nature while others were of a detailed “prescriptive” nature.

Specifically regarding the processing of biometric and genetic data or processing carried out using new technologies, the EDPB considers that this type of processing does not in and of itself create a clear risk to the rights and freedoms of the data subjects. In its opinion, for a DPIA to be required, at least one further of the nine criteria listed in the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”, adopted by Working Party 29 and commonly referred to as the WP248 guidelines (e.g. processing that enables judgement of an individual based on profiling; systematic monitoring; matching of various data sets), must also be present.

On the other hand, the EDPB agrees with the Italian Data Protection Authority when the latter claims that systematic monitoring of individuals that are in and of themselves vulnerable, such as employees, constitutes processing that requires a DPIA.

Prospects

In conclusion, it will be interesting to see how the Italian Data Protection Authority will proceed: if it decides not to follow the “prescriptions” provided by the EDPB, Italy could be the first to be involved in a new dispute resolution mechanism by the Board, with the so-called “consistency mechanism” pursuant to Articles 63, 64 and 65 of the GDPR.

The Data Protection Authority, on 15 December 2017, published on its official website a series of clarifications regarding the appointment and duties of the Data Protection Officer (“DPO”). More specifically, the Data Protection Officer must have specific skills and, whenever appointed internally, should preferably be a Manager or a high-ranking professional, appointed with a specific deed. The Data Protection Authority, in addition, clarifies that this task cannot be carried out by the corporate IT System’s Manager or by any other professional figure in a conflict of interest. In addition, the Data Protection Authority points out that, even though there are no diplomas or degrees specifically suited to training a Data Protection Officer, who must nonetheless have specific legal knowledge, there are now a variety of courses that offer specific training on the matter, and the Data Protection Authority recommends attending them. In fact, it is reminded that appointing a person who is not competent or not suitable to carry out the role of Data Protection Officer could expose the Data Controller to sanctions, including administrative fines. Finally, it is specified that the role may also be held by a legal entity, as long as there is an individual within the company who acts as a point of reference.