In its injunction order of 15 April 2021, the Italian Data Protection Authority fined a company operating in the manufacturing sector for failing to inform its employees promptly and adequately about the features of a computer system. In doing so, the company unlawfully processed workers’ data beyond the limits set by the authorisation of the local labour inspectorate and the purposes indicated in the privacy policies it had provided.
The Data Protection Authority intervened following a complaint lodged by the FIOM CGIL trade union, on behalf of some workers, requesting that an investigation and compliance measure be adopted against the employer. It was alleged that the company’s system required a personal password on the workstation before starting work, which made it possible to record, for each individual worker, data on stoppages and production throughout the working day. Since the data collected related to the work of individual employees identified by their password authentication, the company, in the union’s opinion, was collecting data through this system for purposes other than those outlined in the privacy policy.
The investigation carried out by the Data Protection Authority revealed that the computer system coexisted with the previous work organisation method, based on the completion of paper forms in which the names of employees appeared in clear. The forms were stored and recorded in the software, but without any form of separation, contradicting both the privacy policies describing how the system worked and the authorisation issued by the Labour Inspectorate, which had expressly prohibited using the data collected for disciplinary purposes. It also emerged that the data collected through this tool had been used to verify the truthfulness of the statements made by an employee during disciplinary proceedings initiated against them.
In addition, it emerged that there were irregularities in the retention periods of the data collected and processed, which, according to the company’s statement, should have been commensurate with what was necessary for the “monitoring/evaluating production cycles.”
In the light of the information gathered, the Data Protection Authority ordered the definitive limitation of the processing operations carried out using the data collected through this system, and ordered the company (i) to bring its organisation and processing operations into line with Regulation (EU) 2016/679, including by updating the privacy policy provided to the employees concerned, (ii) to adopt appropriate measures to segregate the data collected using paper forms from the data collected by the software, and (iii) to pay €40,000 as a financial penalty for the violations found.
“The new national protocol for the creation of company plans aimed at activation of extraordinary SARS-COV-2/ Covid-19 vaccination points in workplaces proposes new challenges but also new responsibilities for employers that take part in the project”.
The attorney Vittorio De Luca, managing partner of Studio Legale De Luca & Partners, a firm specialised in Labour Law and the GDPR (General Data Protection Regulation), recalls that “vaccines are firstly healthcare treatments for which, as stated in the Constitution, only the government can require mandatory administration”.
Moreover, the protocol of 6 April 2021 allows employers to give their assent to implementing company plans in their facilities to set up extraordinary Covid-19 vaccination points for workers who have requested them voluntarily and of their own free will. “Employers who decide to participate in the initiative,” explained the attorney, “have the opportunity to actively contribute to the national vaccine campaign through the active involvement of their own resources and production site, but they are required to ensure adequate guarantees to protect the personal data of the workers involved in the campaign, ensuring the security and confidentiality of the processed information and preventing any type of discrimination”.
In terms of the employer’s liability, the position held by the “company doctor” is significant. The doctor needs to be involved in the preliminary phase, providing the workers with adequate information on the advantages and risks connected with the vaccine and the specific type of vaccine administered, setting up a preventive triage related to their health conditions and making sure to obtain their “informed consent”. The doctor is also involved in the next phase, the administration of the vaccine, which, once performed, must be registered through the channels and instruments made available by the Regional Healthcare Services (Ssr).
“In light of this, it seems necessary, and appropriate, to examine the Data Protection Authority’s position on the topic,” De Luca added, referring to the FAQs that the Authority published on its website on 17 February 2021 relating precisely to the processing of data regarding Covid-19 vaccination in the workplace context. “The explanations from the Authority reiterate that the employer is not one of the subjects authorised to ask employees to provide information on their vaccine status or a copy of documents proving employees have been vaccinated,” De Luca explained, adding that “the only subject authorised to know and process, confidentially, the healthcare data of workers is the company doctor”.
The attorney then underlined that “the employer may not even ask the company doctor to disclose the list of the names of employees who participated in the vaccine campaign in progress. This cannot happen in the case where the subject participates in the campaign organised by the National Healthcare System, or in the case where the subject takes part in any extraordinary plan organised by the employer pursuant to the vaccine protocol signed last 6 April”. De Luca observed that “in compliance with the current legislation on occupational health and safety, the employer may only obtain a ‘fit to work’ opinion for specific jobs and any instructions and/or limitations reported in it as defined by the company doctor”.
The attorney concluded: “The provisions of the new protocol signed by the Ministry of Labour and Social Policies and the Ministry of Health, in agreement with the social partners, propose new challenges but, at the same time, new responsibilities for employers that manifest their willingness to implement the company plans contained therein, whose implementation, in any case, remains closely connected to the evaluation of factors such as plan costs, which the employer must bear, as well as the availability of vaccines”.
Source Affari & Finanza – La Repubblica.
Martina De Angeli, from the Compliance Department of our Firm, took part in training sessions held on 10 and 11 October as part of the Module “Compliance Management. I Processi Di Compliance Aziendale” within the “Executive Master in Data Protection Management (GDPR) & Cyber Security for Digital Transformation” organised by Sida Group S.r.l.
The sessions focused on the principles, provisions and requirements necessary for the correct construction of the Organisational Model provided for by Legislative Decree no. 231/2001. The relationship between the rules on the administrative liability of entities and Regulation (EU) 2016/679 on the protection of personal data (the so-called GDPR) was also discussed in depth, and specific case studies were analysed and shared.
The Court of Cassation, with order No. 18292 issued on 3 September 2020, has pointed out that the failure to put in place the technical and organisational measures needed to protect the personal data of the data subject is comparable to the organisational fault arising from the failure to adopt an organisational model pursuant to Legislative Decree No. 231/2001.
In the case at issue, a local authority lodged an appeal before the Court of Cassation against an injunction order of the Italian Data Protection Authority imposing a sanction on it for having published the personal data of one of its civil servants on the online municipal notice board beyond the 15-day term provided for under article 124 TUEL (“Local Authorities Consolidation Act”).
It had been ascertained that the City had kept certain decisions visible for more than one year, which disclosed (i) the name and surname of the data subject, (ii) the existence of litigation between the data subject and the City, (iii) her family certificate and (iv) the circumstances that the data subject lived alone, had requested to pay the amount due by instalments and that the request had not been accepted.
To support its position, the City argued that the failure to remove the data subject’s data from the online municipal notice board was attributable to an outside consultant who had been instructed to configure the website in compliance with the laws and regulations in force.
In rejecting the appeal, the Court of Cassation clarified that the employee’s data did not concern any “aspect of the organisation”, they did not amount to “indicators concerning the operating trend and the use of resources”, nor did they even represent “results of the activity related to the measurement and assessment carried out by the competent bodies”. Therefore, the respective publication beyond the term fixed by law could not be deemed to be lawful.
As to the liability of the outside consultant, the Court of Cassation specified that the Data Controller, pursuant to article 4 of Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “GDPR”), is the legal entity and not its legal representative or director; liability therefore attaches to the legal entity itself. This liability, the judges continued, must be understood as “fault on the organisation’s side”, that is, a “reprimand arising out of the breach by the authority of the obligation to take the necessary organisational and operating precautions to prevent the perpetration of the breaches of the law”, “just like under Legislative Decree No. 231/2001 on the liability of entities arising out of crime”.
In light of the foregoing, the Court of Cassation concluded that the delay in removing the published data from the online municipal notice board “may be fully traced back to the scope of authority of the Entity and of its own apparatus”.
With the order under examination, the Court of Cassation draws an important parallel between the protection of personal data and the liability of entities arising out of crime, by expressly equating the failure to adopt adequate technical and organisational measures (under article 32 GDPR) with the so-called “fault on the organisation’s side” provided for by Legislative Decree No. 231/2001.
On 23 June 2020, the Italian Data Protection Authority (“Garante”) published its “2019 Annual Report” (the “Report”) listing the activities carried out during the previous calendar year.
With the publication of the Report, the Data Protection Authority confirmed what it had already stated in note ref. no. 7797 of 27 February 2019 concerning the qualification, for data protection purposes, of the Company Physician (as defined by art. 38 of Legislative Decree 81/2008, the “Decree”).
It is necessary to make a brief introduction to better understand the issue.
Article 4 of the (EU) Personal Data Protection Regulation (the “Regulation”) defines the Data Controller as (i) “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” and the Data Processor as (ii) “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Since the first interpretations and applications of the Regulation, legal scholars have debated the correct qualification of the Company Physician for the data processing carried out in performing the functions and tasks assigned by the Decree.
Some argued that the Company Physician was a Data Processor (under art. 28 of the Regulation) and the employer the sole Data Controller, with the task of determining the purposes and means of the processing carried out by the professional. This view rested on the fact that the relationship between the employer and the Company Physician is governed by a contract by which the latter is expressly authorised by the employer to process employee personal data (including data belonging to special categories, formerly “sensitive” data).
Conversely, others held that the Company Physician was an independent Data Controller, since the purposes of the processing are established by the Decree and not by the employer.
This latter view was expressly confirmed by the Data Protection Authority, which qualifies the Company Physician as an independent Data Controller: the types of processing carried out by the professional (for example, health surveillance or keeping health records) are the physician’s own prerogative and not the employer’s.
In terms of sanctions, according to the Data Protection Authority, the regulatory framework makes a precise distinction between the employer and Company Physician’s responsibilities.