Under Law No. 81 of 22 May 2017 on “Measures for the protection of non-entrepreneurial self-employment and measures aimed to facilitate flexibility in regard to locations and times of subordinate work”, remote working has recently been regulated in the Italian legal regime for the first time. This is a flexible style of working, regulated within the employment relationship and characterised by the absence of time and workplace constraints and by forms of organisation of work by stages, cycles and objectives.

When implementing remote working in their company, employers must take personal data protection regulations into account.

Regulation (EU) 2016/679 on the protection of personal data (the “GDPR”) introduced the principle of accountability, namely the requirement for the data controller (in our case the employer) to take proactive steps to show that concrete measures have been put in place to ensure the implementation of the Regulation. Essentially, the employer is obliged to identify and manage the risks associated with the data processing it carries out, in accordance with the principles of data protection “by design” (involving the protection of specific data processing operations) and “by default”.

This means that, in the case of remote working, the employer must carry out a proper risk assessment and, where necessary, an impact assessment in order to analyse all existing and potential risks and identify the technical and organisational data security measures required to guarantee secure data processing operations. The employer must accordingly adopt Regulations, Policies or Guidelines setting out the conduct that remote workers must follow in order to ensure the confidentiality, integrity and availability of the data processed in the course of their duties.

The employer must also ascertain and verify that remote controls are not invasive in nature, in contravention of Article 4 of Law 300/1970. This means that systems allowing continuous monitoring of employees’ use of work tools and the company network must be subject to detailed scrutiny.

For this very reason, remote workers must receive detailed information on the various ways in which the employer exercises its power of control, and on what forms of conduct could potentially trigger or attract disciplinary sanctions.

Beyond this, the employer must train remote workers so that they are fully cognisant of and familiar with the tools available to them, the various risks, and the measures to be adopted while remote working.

The exit of the United Kingdom from the European Union (“Brexit”) will have an impact on international mobility for work purposes and on personal data transfers to the United Kingdom.

  • International mobility for work purposes

The United Kingdom allows EU citizens who have already been present in the UK for at least five years on 31 December 2020 to request confirmation of their right of residence (for work, study, etc.) beyond that date. The request can be made online by 30 June 2021 by filling in the EU Settlement Scheme form made available on the British Government website, thereby obtaining settled status.

If the period of residence is less than five years, it will be possible to apply to remain in the United Kingdom to complete it by obtaining pre-settled status through the above form. Unlike settled status, pre-settled status is lost when a person is absent from the country for two or more years.

This procedure guarantees the same rights that an EU citizen residing in the UK had before Brexit: the ability to stay in the UK indefinitely, work, use the health service, study, and access public funds such as social benefits and pensions.

For new entrants from 1 January 2021, however, it will be necessary to apply for a visa under the new points-based immigration system.

Italy has a procedure for confirming the rights acquired by British citizens present in the country on 31 December 2020. They can request the “residence document in electronic format” at the local Questura (police headquarters). The same procedures as for non-EU citizens will apply to those who enter the country after 1 January 2021.

Personal data protection

For the transfer of personal data to the United Kingdom, the Italian Data Protection Authority (the “Guarantor”) clarifies that it is necessary to refer to the “Trade and Cooperation Agreement” (“Agreement”) signed on 30 December 2020 by the European Union and the United Kingdom (“Trade And Cooperation Agreement Between The European Union And The European Atomic Energy Community, Of The One Part, And The United Kingdom Of Great Britain And Northern Ireland, Of The Other Part”).

Under the Agreement, the Regulation (EU) 2016/679 on the protection of personal data (“GDPR”) will continue to apply in the United Kingdom for a maximum of six months, i.e. until 30 June 2021. According to the Guarantor, “during this period, any communication of personal data to the UK may take place under the same rules that applied on 31 December 2020 and will not be considered a transfer of data to a third-party country.”

During this transitional period, the United Kingdom and the European Union have undertaken to adopt mutual adequacy decisions under this Agreement. In the absence of such decisions, the provisions of Chapter V of the GDPR governing the transfer of data from the EU to third-party countries will apply. These provisions require the existence of adequate safeguards, such as binding corporate rules, standard contractual clauses, and codes of conduct (see Art. 46 of GDPR). This is subject to exceptions, such as data subject consent or a transfer necessary for contract purposes or important reasons of public interest (Art. 49 of GDPR).

From 1 January 2021, Data Controllers and Processors based in the UK who are subject to the GDPR because they process data for the purpose of offering goods and services to, or monitoring the behaviour of, data subjects within the EU (see Art. 3, paragraph 2, GDPR) must designate a Representative in the European Economic Area under Article 27 of the GDPR.

Other related insights:

Martina De Angeli, from the Compliance Department of our Firm, took part in training sessions held on 10 and 11 October as part of the module “Compliance Management. I Processi Di Compliance Aziendale” within the “Executive Master in Data Protection Management (GDPR) & Cyber Security for Digital Transformation” organised by Sida Group S.r.l.

The sessions focused on the principles, provisions and requirements necessary for the correct construction of the Organisational Model provided for by Legislative Decree no. 231/2001. The relationship between the rules on the administrative liability of entities and Regulation (EU) 2016/679 on the protection of personal data (the GDPR) was also discussed in depth, with time devoted to analysing and sharing specific case studies.