Compliance, Agency Contracts, and Privacy Management: A Growing Complexity
The law firm De Luca & Partners and HR Capital have recently highlighted significant issues in strategic areas such as contract management, regulatory compliance, and data protection. These areas, critical for Italian companies, are confronted with evolving regulations that demand increasing attention to avoid economic and reputational consequences.
A recent ruling by the Court of Rome reclassified the commercial collaboration agreements between a company and certain influencers—entrusted with promoting the company’s products through social media channels—as agency contracts. As a result, the company was ordered to pay the omitted contributions to Enasarco following the reclassification.
The reclassification of commercial contracts as agency contracts may also entail a significant economic impact for companies, including the obligation to pay the influencer/agent an end-of-contract indemnity, typically calculated based on the average annual compensation earned by the influencer/agent over the past five years. In light of this, companies would be well-advised to update their financial statements with targeted provisions and properly classify existing contracts to address any irregularities.
However, according to the firm’s name partners, Vincenzo De Luca and Vittorio De Luca, many companies have yet to grasp the urgency of adequately regulating contractual relationships.
Compliance with the genuineness requirements for subcontracting agreements is now under close scrutiny by authorities. The legislator has recently tightened the consequences for both clients and contractors in cases of “non-genuine” subcontracting, where irregular labor provision occurs, introducing criminal penalties as well.
To be deemed compliant, a subcontract must meet three key criteria:
The reintroduction of criminal penalties in March 2024 adds further pressure on companies to ensure the transparency and independence of subcontracting relationships.
As of October 1, 2024, the new “Credit License” system has come into force, requiring a series of formalities for those operating on construction sites or significant engineering projects within Italy. This certification, which includes documents such as the DURC (certification of compliance with social security contributions) and the DURF (tax compliance certification), is essential for compliance with workplace health and safety regulations.
Foreign companies operating in Italy must also meet these requirements unless they hold an equivalent certification issued by their home country. Lawyer Vittorio De Luca explains that the “Credit License” applies to foreign companies involved in real estate and infrastructure projects or in data center installations.
Privacy and personal data management have become critical focal points for Italian companies, particularly given the stringent penalties for GDPR violations, which can reach up to 4% of the global annual turnover.
Dr. Martina De Angeli notes that recent investigations by the Milan Public Prosecutor’s Office have revealed that weak IT security systems can lead to unauthorized intrusions with severe consequences. In addition to reporting any data breach within 72 hours—a very short timeframe from an operational perspective—companies must constantly monitor their systems, train staff, and implement continuous control and monitoring processes.
Continue reading the full version published on Global Legal Chronicle Italia
The revelations from the investigation conducted by the Milan Prosecutor’s Office and the investigative unit of the Carabinieri of Varese—exposing unlawful activities involving the acquisition of confidential, sensitive, and personal information—have dominated Italy’s political and public debate in recent hours. These developments call for serious reflection.
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has responded by establishing an interdepartmental task force to promptly identify appropriate actions and implement stronger protections for databases. This task force aims, among other objectives, to define adequate technical and organizational security measures for database access by authorized personnel, as well as for the operations performed by those responsible for their management and maintenance.
As we await further updates, here’s what companies need to know and do in similar situations:
It is essential to emphasize that, if a data breach has occurred, pre-existing measures were insufficient and must be reassessed and enhanced. This is a fundamental goal of the Data Breach procedure.
As highlighted earlier, recent developments should prompt reflection. Information and data are increasingly valuable assets, and ensuring their technical and organizational security is a critical priority for businesses. Companies must view investments in advanced, continually updated security measures as vital, not optional. These efforts ultimately benefit business performance and corporate reputation.
Press Review:
“The employer cannot access the employee’s or collaborator’s e-mail or use software to store a copy of the messages. Such processing of personal data not only constitutes a breach of the data protection laws but also amounts to an unlawful control activity over the employee”.
This has been stated by the Italian Data Protection Authority, which sanctioned a company with a fine of EUR 80,000, with decision no. 472 of 17 July 2024, published in the institutional newsletter published on 22 October 2024.
The case originated from a complaint submitted to the Authority by a former collaborator of a company, who reported that the company had maintained his email account active and accessible even after the termination of his collaboration.
The investigation revealed that the company had commissioned a forensic engineering firm to investigate the contents of the collaborator’s email using the “Mail Store” application installed on company’s laptops. During the collaboration, the company had backed up the email inbox and had retained both the content and access logs for the mailbox and the management system. The e-mails collected through the application had then been used in a legal proceeding brought against the complainant before the Court of Venice.
Furthermore, the company, based on the document titled “Equipment used by the worker to perform work activities and tools for recording access and attendance – modalities and limits of use”, attached to the notice given to the complainant as a collaborator and directed at the company’s employees, processed data from corporate e-mail accounts in violation of data protection regulations. The document informed that the company could access the emails of employees and collaborators for the purposes of business continuity, in case of absence or termination of the relationship, but did not mention the backup process or the corresponding retention period.
The Authority stated that the systematic retention of e-mails – in this case, communications were stored for three years following the termination of the collaboration – and the systematic retention of access logs for the e-mail and management system used by the employees were not compliant with the applicable laws. The retention was deemed disproportionate and unnecessary for achieving the company’s stated purposes of ensuring the security of the IT network and the continuity of the company’s business activities.
This also allowed the company to reconstruct the complainant’s activities in detail. The Authority noted that “even if, hypothetically, such processing were aimed at achieving one of the purposes explicitly indicated in Article 4, (1), of Law no. 300/1970, it appears that the company did not activate the guarantee procedure provided therein (agreement with the workers’ representatives or, failing that, authorization by the Labor Inspectorate)”.
Lastly, as far as the use of the data in a judicial context is concerned, the Authority recalled that processing carried out by accessing an employee’s e-mail judicial protection purposes refers to disputes already in progress and not to abstract and indeterminate hypotheses of protection, as in the case under review.
The Court of First Instance of Udine (Labour Section, order no. 504 of 2 August 2024) declared lawful the measure of suspension from work and remuneration, imposed by a company on an employee who had refused to sign the letter sent to the person responsible for processing personal data, in accordance with the applicable data protection law (please also refer to Ntpluslavoro of 26 September).
The Court of First Instance stated that, as a result of a circumstance caused by the employee’s will and, in any event, beyond its control, the company found itself in a situation in which it was obliged to suspend the employee’s services and remuneration. If it had not done so, it would have breached the rules of guarantee provided for by the data protection legislation and would inevitably entail the risk of incurring the sanctions provided for.
The employer entrusts the employee not only with adequate resources and tools to ensure the correct processing of personal data, but also with the responsibility to process such data with confidentiality, fairness and diligence. While it is therefore true that the appointment of a designated person is unilateral in nature, since it is an act emanating from the employer, it is equally true that the employee’s failure to accept it, will have consequences for the management of the employment relationship, which will be felt at several levels:
Also because of these considerations, the Court of Udine stated that the refusal to accept the appointment as an authorized subject was sufficient to justify the adoption of the disciplinary measure of suspension from service and remuneration.
The specific case inevitably prompts the query as to what the effects and consequences are, or could be, for the employer who is faced with the hypothesis that an employee does not accept the assignment to a person authorized to process personal data or even expresses the intention to withdraw a previously provided acceptance.
Logically, but for the sake of completeness of the argument, it is also worth mentioning briefly, the question does not arise if the tasks assigned to an employee do not involve the processing of personal data. In the opinion of the author, the question does not arise for two reasons. On one hand, it would be illogical and unnecessary to authorize and instruct an employee who does not process personal data in performing his/her work activities. Article 29 of (EU) Regulation 2016/679 (the GDPR) and Article 2-quaterdecies of the Italian Legislative Decree no. 196/2003 provide that it is those who have “access to personal data” and not those who do not carry out any processing operations, who shall be instructed. On the other hand, the refusal of those who do not have access to personal data does not affect the performance of their daily work. Therefore, even in the latter case, no potentially relevant behaviour from a disciplinary standpoint would be identified.
Please continue reading the full version published in Norme e Tributi Plus Lavoro del Il Sole 24 Ore.
Recently, the Italian Data Protection Authority (Autorità Garante) has returned to the issue of the use of biometric data in the context of managing employment relationships. “As things stand, current law does not allow the processing of employees’ biometric data for purposes of timekeeping”. This was reiterated by the IDPA in a ruling of 6 June 2024, in which it fined the employer, a dealership, EUR 120,000 for, among other things, unlawfully processing its employees’ biometric data.
The IDPA intervened following a complaint from an employee, who alleged:
With reference to the first ground of complaint, namely the processing of biometric data, the IDPA has again clarified that employers may not use biometric data. The current position is that there is no legal provision for the use of biometric data for attendance tracking, and at this point it should be remembered that even employee consent cannot be considered a suitable prerequisite for lawfulness. This is because of the asymmetry between the respective parties to the employment relationship.
On the other hand, with reference to the second ground of the complaint, the IDPA found that the company, through management software, had been collecting personal data related to the activities of employees for more than six years to prepare monthly reports to be sent to the parent company, containing aggregate data on the time spent by the workshops on the work performed. This activity had always been carried out without a proper legal basis and adequate disclosure, which, in the context of the employment relationship, are expressions of the principles of fairness and transparency.
It is worth mentioning that the latter activity could, among others, involve indirect remote monitoring of workers’ activities, which, as such, would require compliance with the safeguards provided by Article 4 of the Italian Workers’ Charter i.e., signing a union agreement or, failing that, obtaining authorisation from the National or Regional Labour Inspectorate.
Other related insights:
