In a press release dated 9 December 2022, the Italian Council of Ministers announced the approval of the draft Italian legislative decree transposing Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law. The new legislation extends the obligation to establish reporting channels to all private sector companies with more than 50 employees.

The main measures introduced provide, among other things, that:

  • reports of breaches must relate to national or EU regulatory provisions that harm the public interest or the integrity of the private entity;
  • protection is extended beyond employees who report breaches to collaborators, consultants, volunteers or trainees, shareholders and persons with administrative, management, control, supervisory or representative functions, as well as to probationary or former workers, provided the information on breaches was acquired in the course of the employment relationship;
  • private sector companies will have to set up internal and external reporting channels that guarantee the confidentiality of whistleblowers, and any processing of personal data will have to comply with Regulation (EU) 2016/679 (the ‘GDPR’);
  • retaliation includes, but is not limited to, change of duties, dismissal, change of workplace, reduction of salary, change of working hours, and non-renewal or early termination of a fixed-term employment contract;
  • the Italian National Anti-Corruption Authority (Autorità Nazionale Anti-Corruzione, ‘ANAC’) may impose administrative fines of up to EUR 50,000.


Websites that use Google Analytics (GA) without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation”) violate data protection legislation, because they transfer user data to the United States, which lacks adequate protection. The Data Protection Authority (“Garante”) made this ruling in a measure of 9 June 2022, adopted after a preliminary investigation initiated on the basis of several complaints and conducted in coordination with other European privacy authorities, and published on the following 23 June.

GA is a web tool provided by Google to website operators that allows them to analyse detailed statistics on users to optimise the services offered and monitor marketing campaigns.

The Authority assessed the processing carried out using this tool and found that website operators (such as the sanctioned company) use cookies transmitted to the user’s browser to collect information on how users interact with the website, its individual pages, and the services offered. The data collected consists of: unique online identifiers that allow the identification of the user’s browser or device while visiting the website, and of the website operator (through the Google Account ID); address, website name and navigation data; the IP address of the user’s device; and information on the browser, operating system, screen resolution, language selected, and date and time of the website visit.

This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.

The Data Protection Authority stated that the IP address is personal data to all intents and purposes, as it enables the identification of an electronic communication device and thus indirectly makes the data subject identifiable as a user. This data, even if truncated, is not anonymous, given Google’s ability to associate it with other data in its possession, allowing the user to be re-identified.

For these reasons, the Data Protection Authority adopted the first of a series of measures with which it cautioned the company managing the website under investigation, ordering it to comply with the Regulation within 90 days. The Data Protection Authority considered this deadline appropriate to allow the website to adopt the required transfer safeguards, under penalty of suspension of the data flow to the United States carried out through GA.

At the end of the 90 days, the Data Protection Authority will conduct inspections to verify compliance with the Regulation of the transfers carried out by data controllers.

◊◊◊◊

While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees international transfers with protections equivalent to those required in Europe, website operators must comply with the applicable legislation. This includes relying on European providers that process users’ personal data within the EU.

Economic growth is slowing down, and it is feared that many companies will have to close in the months to come. However, structural changes taking place in society are leading to an increasing demand for professional profiles that are difficult to find on the market, because training is evolving too slowly. Employment remains at the top of the political agenda, with possible reforms seeking a difficult balance between guaranteeing decent pay for everyone and the flexibility needed to avoid stifling market energies. The changes under way concern not only the dynamics of supply and demand and the choices of the legislator, but also case law rulings, which have played a key role. The latest example of this kind dates from a few weeks ago, with the Constitutional Court intervening on dismissal regulation (ruling no. 125/2022). Studio Legale De Luca & Partners managing partner Vittorio De Luca said: “Dismantling the reforming effort started by the legislator in 2012 continues,” referring to the Fornero law and the measures launched by the Renzi government. “Already in the past, two rulings have affected the contract with increasing protections, implementing the reform known as Jobs Act, declaring the illegitimacy of the automatic mechanism for determining the indemnity calculated based solely on seniority.” As for Art. 18 of the Workers’ Statute, the Constitutional Court intervened on the part concerning dismissals for justified objective reason.

The Italian Data Protection Authority (“Garante”), in its injunction of 28 April 2022, imposed a €200,000 fine on the company in charge of managing the municipal waste collection service for the Municipality of Taranto (the “Municipality”), for having entrusted the processing of personal data to a sub-processor without having requested and obtained the specific or general written authorisation of the Municipality, the data controller.
Following widespread abandonment of waste within the area under its responsibility, the Municipality entrusted a company it owned with the task of verifying and contesting any offences arising from violations of the municipal regulations on waste disposal. The Municipality and the company agreed on installing video surveillance systems at sites considered particularly sensitive, as they were the places where illegal dumping of waste occurred most frequently.
From a report received by the Data Protection Authority, it emerged that the company had disseminated videos and images collected through the above video surveillance systems by publishing them on its Facebook profile, and that the offending citizens were or could be identified from them.

Following the report, the Authority opened a preliminary investigation, which revealed that the company had started the processing in March 2012 under a municipal ordinance, without the relationship having been regulated under the previous legislation.
Since November 2020, it had used a supplier (designated as data controller) for the collection of video surveillance images without the “prior specific or general written authorisation of the data controller (ed. the Municipality)” as required by art. 28 of the GDPR. In January 2022, the Municipality and the company signed an “agreement for the protection of personal data and appointment as an external data controller” under art. 28 of the GDPR. In that agreement, the Municipality specified that “upon its prior written authorisation, the company may make Municipality-owned personal data available to third parties (as sub-processors), to entrust them with part of the processing activities.”

Continue reading the full version, published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.

Following a report by a group of worker-members of a cooperative, the Data Protection Authority (“Garante”) established the unlawfulness of certain processing operations carried out by publishing information on the assessment of their work on the company notice board.

As part of a “contest with prizes for worker-members, entitled ‘Guardiamoci in faccia…soci!’ (Let’s look at each other…members!) to incentivise the most deserving members and […] discourage inefficiencies”, the cooperative shared the recipients’ assessments on a weekly basis using emoticons accompanied by summary evaluations (such as “absenteeism” or “sickness simulation”) placed next to the image and name of each employee. This information was visible not only to the worker concerned but to anyone who accessed the premises where the company notice board was placed, including external persons occasionally present on the premises. The contest provided a cash reward for the first three winners.

Inspections carried out by the Data Protection Authority established that the processing was unlawful for violation of the fundamental principles of lawfulness, fairness, transparency and data minimisation. The Authority confirmed that the employer may lawfully process the information necessary and pertinent to the management of the employment relationship, including the data necessary to assess work performance or exercise disciplinary power (in the manner and within the limits provided for by the sector’s regulations). However, the Authority noted that systematically posting such information on the notice board disclosed the data to persons (such as other colleagues or third parties) who are not entitled to know about disciplinary assessments and remarks.

In addition, the Authority confirmed that the collection of consent, in circumstances such as those of this case, cannot be considered a legal basis legitimising the processing of personal data. This is because the imbalance between the parties to the employment relationship means that consent cannot be presumed to have been given expressly, freely and specifically with reference to an identified processing operation. The consent given at the time of the approval of the members’ resolution, relied on by the company, is “functionally different” from consent to the processing carried out by the company for the assessment of the members’ conduct.

For these reasons, the Authority confirmed that “[…] continuously submitting the assessments on the quality of the work carried out or on the performance correctness to the observation of colleagues, even if it is part of a public competition” infringes the workers’ personal dignity, freedom and privacy.

◊◊◊◊

The company appealed against the Authority’s decision, first to the local court and then to the Court of Cassation. In ruling no. 17911/2022, published on 1 June, the Court of Cassation rejected the appeal, upholding the Data Protection Authority’s arguments, and confirmed the principle according to which “the processing legitimacy presupposes a valid consent given expressly, freely and specifically, with reference to a clearly identified processing operation; this general principle is relevant and prevails in every relationship.”