In the last few days, Italian online services and sites, including the websites of the Senate and the Ministry of Defence, have suffered a cyber-attack from a group of Russian cybercriminals. Vittorio De Luca, from Studio De Luca & Partners said:

“Cyber-attacks are a daily occurrence and no one can consider themselves safe. Attacks on institutions cause a stir, but for years hundreds of companies have suffered daily attacks from cybercriminals. These attacks have a considerable impact on productivity and lead to data theft, service disruption and image damage. Robust cyber security is essential to protect a company’s knowledge assets and ensure business continuity. GDPR requires small and large companies to conduct a survey of their cyber risk exposure and the impact it could have on their business. An ‘incident’ response plan must be prepared, and security policies and measures to protect the IT system must be adopted. There must be periodic audits. It is essential to raise employee awareness of cyber security through training sessions, so that they can recognise and deal with the various threats. Protection from cyber-attacks takes place in two phases – prevention and protection. If there is a successful attack, companies must inform the data protection authority and initiate a data breach procedure within 72 hours of becoming aware of the violation.”

Based on the principles in the Court of Justice Schrems II judgement of 16 July 2020, with Decision no. 2021/914 of 4 June 2021 the European Commission approved two new sets of Standard Contractual Clauses (“SCCs”) which, from 27 September, must be included in contracts regulating a transfer of personal data to non-EU countries or international organisations. For contracts signed before this date, there will be a transition period ending on 27 December 2022, provided that the processing operations covered by the contracts remain unchanged and the “old” clauses ensure that the transfer of personal data is subject to adequate safeguards. After this deadline, these contracts will need to be updated based on the new SCCs. The new SCCs cover cases where personal data is transferred to non-EU countries or international organisations that do not offer a system of protection equivalent to that provided by the Data Protection Regulation (EU) 2016/679 (the “GDPR”). The new SCCs must be adopted for personal data transfers: (i) between data controllers; (ii) between a controller and its processor; (iii) between a processor and its (sub-)processor; and (iv) between a processor and its controller where the latter is not subject to the scope of the GDPR.


In its 15 April 2021 injunction order, the Italian Data Protection Authority fined a company operating in the manufacturing sector for failing to inform its employees promptly and adequately about the features of a computer system. In doing so, the company unlawfully processed workers’ data beyond the limits set by the authorisation of the local labour inspectorate and the purposes indicated in the privacy policies it had provided.

The complaint and investigation

The Data Protection Authority intervened following a complaint lodged by the FIOM CGIL, on behalf of some workers, requesting that an investigation and compliance measure be adopted against the employer company. It was alleged that the company’s system required a personal password on the workstation before starting work, which made it possible to store data on individual workers relating to stoppages and production throughout the working day. Since the data collected related to the work of individual employees following authentication with the password, the company, in the union’s opinion, was using this system to collect data for purposes other than those outlined in the privacy policy.

The investigation carried out by the Data Protection Authority found that the computer system coexisted with the previous work organisation method, based on the completion of paper forms in which the names of employees appeared in plain text. The forms were stored and recorded in the software without any form of separation, contradicting the privacy policies on the functioning of the system and the authorisation issued by the Labour Inspectorate, which had expressly prohibited using the data collected for disciplinary purposes. It also emerged that the data collected through this tool had been used to verify the truthfulness of statements made by an employee during disciplinary proceedings initiated against them.

In addition, it emerged that there were irregularities in the retention periods of the data collected and processed, which, according to the company’s statement, should have been commensurate with what was necessary for the “monitoring/evaluating production cycles.”

The Data Protection Authority’s decision

In the light of the information gathered, the Data Protection Authority ordered the definitive limitation of the processing operations carried out on the data collected through this system, ordering the company (i) to bring its organisation and processing operations in line with Regulation (EU) 2016/679, including by updating the privacy policy provided to the employees concerned, (ii) to adopt appropriate measures to segregate the data collected using paper forms from the data collected by the software, and (iii) to pay €40,000 as a financial penalty for the violations found.


“The new national protocol for the creation of company plans aimed at the activation of extraordinary SARS-CoV-2/Covid-19 vaccination points in workplaces proposes new challenges but also new responsibilities for employers that take part in the project”.

The attorney Vittorio De Luca, managing partner of Studio Legale De Luca & Partners, which specialises in Labour Law and the GDPR (General Data Protection Regulation), recalls that “vaccines are firstly healthcare treatments for which, as stated in the Constitution, only the government can require mandatory administration”.

Moreover, the protocol of 6 April 2021 allows employers to give their assent to implementing company plans in their facilities to set up extraordinary Covid-19 vaccination points for workers who have requested them voluntarily and of their own free will. “Employers who decide to participate in the initiative,” the attorney explained, “have the opportunity to actively contribute to the national vaccine campaign through the active involvement of their own resources and production site, but they are required to ensure adequate guarantees to protect the personal data of the workers involved in the campaign, ensuring the security and confidentiality of the processed information and preventing any type of discrimination”.

In terms of the employer’s liability, the position held by the “company doctor” is significant. The doctor needs to be involved in the preliminary phase, providing the workers with adequate information on the advantages and risks connected with the vaccine and the specific type of vaccine administered, setting up a preventive triage related to their health conditions and making sure to obtain their “informed consent”. In the next phase, the vaccine is administered and, once administered, must be registered through the channels and instruments made available by the Regional Healthcare Services (Ssr).

“In light of this, it seems necessary, and appropriate, to examine the Data Protection Authority’s position on the topic,” De Luca added, referring to 17 February 2021, when the Authority published some FAQs on its website relating precisely to the processing of data regarding Covid-19 vaccination in the workplace context. “The explanations from the Authority reiterate that the employer is not one of the subjects authorised to ask employees to provide information on their vaccine status or a copy of documents proving that they have been vaccinated,” De Luca explained, adding that “the only subject authorised to know and process, confidentially, the healthcare data of workers is the company doctor”.

The attorney then underlined that “the employer may not even ask the company doctor to divulge the list of names of the employees who participated in the vaccine campaign in progress. This cannot happen where the subject participates in the campaign organised by the National Healthcare System, or where the subject takes part in any extraordinary plan organised by the employer pursuant to the vaccine protocol signed last 6 April”. De Luca observed that “in compliance with the current legislation on occupational health and safety, the employer may only obtain a ‘fit to work’ opinion for specific jobs and any instructions and/or limitations reported in it as defined by the company doctor”.

The attorney concluded: “The provisions of the new protocol signed by the Ministry of Labour and Social Policies and the Ministry of Health, in agreement with the social partners, propose new challenges but, at the same time, new responsibilities for employers that manifest their willingness to implement the company plans contained therein, whose implementation, in any case, remains closely connected to the evaluation of factors such as plan costs, which the employer must bear, as well as the availability of vaccines”.

Source: Affari & Finanza – La Repubblica.

Martina De Angeli, from the Compliance Department of our Firm, took part in training sessions held on 10 and 11 October as part of the module “Compliance Management. I Processi Di Compliance Aziendale” within the “Executive Master in Data Protection Management (GDPR) & Cyber Security for Digital Transformation” organised by Sida Group S.r.l.

The session focused on the principles, provisions and requirements necessary for the correct construction of the Organisational Model provided for by Legislative Decree no. 231/2001. The relationship between the rules on the administrative liability of entities and Regulation (EU) 2016/679 on the protection of personal data (the GDPR) was also discussed in depth, with time set aside for the analysis and sharing of specific case studies.