“The new national protocol for the creation of company plans aimed at activating extraordinary SARS-CoV-2/Covid-19 vaccination points in workplaces proposes new challenges but also new responsibilities for employers that take part in the project”.

The attorney Vittorio De Luca, managing partner of Studio Legale De Luca & Partners, specialised in Labour Law and GDPR (General Data Protection Regulation), recalls that “vaccines are first of all healthcare treatments for which, as stated in the Constitution, only the government can require mandatory administration”.

Moreover, the protocol of 6 April 2021 allows employers to give their assent to implementing company plans in their facilities to set up extraordinary Covid-19 vaccination points for workers who have requested them voluntarily and of their own free will. “Employers who decide to participate in the initiative”, explained the attorney, “have the opportunity to actively contribute to the national vaccine campaign through the active involvement of their own resources and production site, but they are required to ensure adequate guarantees to protect the personal data of the workers involved in the campaign, ensuring the security and confidentiality of the processed information and preventing any type of discrimination”.

In terms of the employer’s liability, the position held by the “company doctor” is significant. The doctor needs to be involved in the preliminary phase, providing the workers with adequate information on the advantages and risks connected with the vaccine and with the specific type of vaccine administered, setting up a preventive triage related to their health conditions and making sure to obtain their “informed consent”. In the next phase, the vaccine is administered and, once performed, the administration must be registered through the channels and instruments made available by the Regional Healthcare Services (Ssr).

“In light of this, it seems necessary, and appropriate, to examine the Data Protection Authority’s position on the topic,” De Luca added, referring to 17 February 2021, when the Authority published some FAQs on its website relating precisely to the processing of data regarding Covid-19 vaccination in the workplace context. “The explanations from the Authority reiterate that the employer is not one of the subjects authorised to ask employees to provide information on their vaccine status or a copy of documents proving employees have been vaccinated,” De Luca explained, adding that “the only subject authorised to know and process, confidentially, the healthcare data of workers is the company doctor”.

The attorney then underlined that “the employer may not even ask the company doctor to divulge the list of the names of employees who participated in the vaccine campaign in progress. This cannot happen either in the case where the subject participates in the campaign organised by the National Healthcare System, or in the case where the subject takes part in any extraordinary plan organised by the employer pursuant to the vaccine protocol signed last 6 April”. De Luca observed that “in compliance with the current legislation on occupational health and safety, the employer may only obtain a ‘fit to work’ opinion for specific jobs and any instructions and/or limitations reported in it as defined by the company doctor”.

The attorney concluded: “The provisions of the new protocol signed by the Ministry of Labour and Social Policies and the Ministry of Health, in agreement with the social partners, propose new challenges but, at the same time, new responsibilities for employers that manifest their willingness to implement the company plans contained therein, whose implementation, in any case, remains closely connected to the evaluation of factors such as plan costs, which the employer must bear, as well as the availability of vaccines”.

Source: Affari & Finanza – La Repubblica.

Martina De Angeli, from the Compliance Department of our Firm, took part in training sessions held last October 10 and 11 as part of the Module “Compliance Management. I Processi Di Compliance Aziendale” within the “Executive Master in Data Protection Management (GDPR) & Cyber Security for Digital Transformation” organized by Sida Group S.r.l.

The session focused on the principles, provisions and requirements necessary for the correct construction of the Organisational Model provided for by Legislative Decree no. 231/2001. The relationship between the rules on the administrative liability of entities and Regulation (EU) 2016/679 on the protection of personal data (the so-called GDPR) was also discussed in depth, with moments of analysis and sharing of specific case studies.

The Court of Cassation, with order No. 18292 issued on 3 September 2020, has pointed out that failure to arrange the relevant technical and organisational measures safeguarding the protection of the personal data of the data subject is comparable to the organisational fault linked to the failure to adopt an organisational model pursuant to Legislative Decree No. 231/2001.

The facts of the case

In the case at issue, a local authority lodged an appeal before the Court of Cassation against an injunction order of the Italian Data Protection Authority by which a sanction had been imposed on it for having published, on the online municipal notice board, the personal data of one of its civil servants beyond the 15-day term provided for under article 124 TUEL (“Local Authorities Consolidation Act”).

Indeed, it was ascertained that the City had kept some decisions visible for more than one year, from which the following could be inferred: (i) the name and surname of the data subject, (ii) the existence of litigation between the data subject and the City, (iii) her family certificate and (iv) the circumstances that the data subject lived by herself, had made a request to pay the amount due by instalments and that the request had not been accepted.

To back its position, the City objected that the fault for the failure to remove the data subject’s data from the online municipal notice board was to be attributed to an outside consultant who had been instructed to configure the website in compliance with the laws and regulations in force.

The decision of the Court of Cassation

In rejecting the appeal, the Court of Cassation clarified that the employee’s data did not concern any “aspect of the organisation”, did not amount to “indicators concerning the operating trend and the use of resources”, nor did they represent “results of the activity related to the measurement and assessment carried out by the competent bodies”. Therefore, their publication beyond the term fixed by law could not be deemed lawful.

Then, as far as the liability of the outside consultant is concerned, the Court of Cassation specified that the Data Controller, pursuant to article 4 of Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “GDPR”), is the legal entity and not its legal representative or director; therefore, a standalone liability takes shape precisely on the legal entity’s side. This liability, the judges continue, must be understood as “fault on the organisation’s side”, that is a “reprimand arising out of the breach by the authority of the obligation to take the necessary organisational and operating precautions to prevent the perpetration of breaches of the law”, “just like under Legislative Decree No. 231/2001 on the liability of entities arising out of crime”.

In light of the foregoing, the Court of Cassation reached the conclusion that the delay in removing the published data from the online municipal notice board “may be fully traced back to the scope of authority of the Entity and of its own apparatus”.

Conclusions

With the order under examination, the Court of Cassation finds an important similarity between the subject matter of personal data protection and that of the liability of entities arising out of crime, by precisely equating the failure to adopt adequate technical and organisational measures (under article 32 GDPR) with the so-called “fault on the organisation’s side” provided for by Legislative Decree No. 231/2001.

On 23 June 2020, the Italian Data Protection Authority (“Garante”) published the “2019 Annual Report” (the “Report”) listing the activities carried out during the previous calendar year.

With the publication of the Report, the Data Protection Authority has confirmed what had already been stated in note ref. no. 7797, dated 27 February 2019, concerning the legal qualification of the Company Physician (as defined by art. 38 of Legislative Decree 81/2008, the “Decree”) for data protection purposes.

A brief introduction is necessary to better understand the issue.

Article 4 of the (EU) Personal Data Protection Regulation (the “Regulation”) defines the Data Controller as (i) “the individual or legal person, public authority, service or other body which, individually or jointly with others, determines the personal data processing purposes and means” and the Data Processor as (ii) “the individual or legal person, public authority, service or other body which processes personal data on behalf of the data controller”.

Since the first interpretations and applications of the Regulation, legal scholars have debated the correct qualification of the Company Physician (controller or processor) for the data processing carried out in performing the functions and tasks assigned by the Decree.

The legal theory

Part of the theory suggested that the Company Physician was a Data Processor (under art. 28 of the Regulation), and the employer was the sole Data Controller, with the task of determining the purposes and means of the processing carried out by the professional. This theory was based on the fact that the relationship between the employer and the Company Physician was regulated by a contract by which the latter was expressly authorised by the employer to carry out the processing of employee personal data (including data belonging to special categories, formerly “sensitive” data).

Conversely, a different part of the theory stated the Company Physician was an independent Data Controller, as the processing purposes were established by the Decree and not by the employer.

The Data Protection Authority’s position

This latter view was expressly confirmed by the Data Protection Authority, which qualifies the Company Physician as an independent Data Controller. The type of processing carried out by the professional (for example, health monitoring or preparing health records) is their prerogative and not the employer’s.

In terms of sanctions, according to the Data Protection Authority, the regulatory framework makes a precise distinction between the responsibilities of the employer and those of the Company Physician.

On 16 July 2020, the Court of Justice of the European Union (“CJEU” or “Court”), in its ruling “Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, invalidated Decision no. 2016/1250 and the Agreement between the European Union and the United States of America on the protection and regulation of the transfer of European citizens’ personal data to recipients located in the United States (“Privacy Shield”).

The European Data Protection Board (“EDPB”) has prepared “Frequently Asked Questions” (“FAQ”) which the Italian Data Protection Authority (“Garante”) translated into Italian.

These FAQs underlined that the other tools provided for by EU Regulation 2016/679 on the protection of personal data (the “Regulation”), such as the “Standard Contractual Clauses” or “SCC” and the “Binding Corporate Rules” or “BCR”, can still be considered adequate to legally transfer personal data to recipients outside the European Union. It is highlighted that it is the parties’ responsibility to assess transfers on a case-by-case basis, with the clarification that: “The European Data Protection Board is analysing the Court’s judgement to determine what additional measures, whether legal, technical or organisational, could be provided with SCC or BCR, to transfer data to third-party countries where SCC or BCR cannot provide sufficient guarantees.”

The FAQs refer to an additional tool as the legal basis for such transfers: data subject consent. It is reiterated that the consent language must be simple and clear and must transparently inform data subjects about the possible risks that a transfer to the US or other foreign jurisdictions could entail.

Further tools provided by the Regulation as legal bases to legitimise transfers abroad are: (i) an adequacy decision finding that the recipient country meets European requirements on personal data protection and (ii) compliance with Codes of Conduct or certification mechanisms, which must be applied by the party to whom the data are transferred.

◊◊◊◊

In the light of the Court’s ruling and the EDPB’s FAQs, it will be the task of any organisation that transfers data to recipients outside the EU to assess its processing, identify the related risks and select the appropriate tool to legitimise the transfer.
