General authorisations under GDPR

Following the General Data Protection Regulation's (GDPR's) entry into force, the Italian legislature asked the Italian Data Protection Authority to review and update all of the so-called 'general authorisations' that it had previously issued under Articles 26 and 40 of the now rescinded Legislative Decree 196/2003 (the Privacy Code) to allow the processing of sensitive data even in the absence of the data subject's consent.

The provisions that allowed such authorisations were repealed by Legislative Decree 108/2018 (an amendment to the Privacy Code), which was based on the EU Data Protection Directive (95/46/EC) and the GDPR following its entry into force. However, in view of this regulatory lacuna, the legislature has also asked the Data Protection Authority to clarify:

the provisions contained in general authorisations already adopted, relating to data processing referred to in Article 6, paragraph 1, letters c) [of the GDPR referring to processing carried out on the basis of a legal obligation] and e) [of the GDPR referring to processing carried out for the performance of a task in the public interest], 9, paragraph 2, point b) [of the GDPR referring to the processing of sensitive data under labour laws] and 4 [of the GDPR referring], as well as in Chapter IX of Regulation (EU) 2016/679 [provisions relating to specific processing situations], which are compatible with the provisions of the same Regulation and this Decree and, where necessary, shall ensure that they are updated [see Article 21 of Legislative Decree 108/2018].

The Data Protection Authority's Provision 497/2018 identified the general authorisations which are compatible with the GDPR and the updated version of the Privacy Code. As a result, the following general authorisation categories were amended:

  • General Authorisation 1/2016 on the processing of special categories of data in employment relationships;
  • General Authorisation 3/2016 on the processing of special categories of data by associations, foundations, churches and religious associations or communities;
  • General Authorisation 6/2016 on the processing of special categories of data by private investigators;
  • General Authorisation 8/2016 on the processing of genetic data; and
  • General Authorisation 9/2016 on the processing of personal data for scientific research.

Provision 497/2018 and its proposed amendments to the above general authorisations were submitted for public consultation. Following this procedure, the Data Protection Authority adopted Provision 146/2019, which is examined in detail below with regard to the processing of sensitive employee data.

Neither Provision 497/2018 nor Provision 146/2019 updates the general authorisations that the Data Protection Authority issued in 2016 – namely, those concerning the processing of:

  • data on the health and sex life of data subjects (General Authorisation 2/2016);
  • sensitive data on self-employed professionals (General Authorisation 4/2016); or
  • sensitive data by different categories of data controllers (General Authorisation 5/2016).

As of 19 September 2018, these general authorisations are ineffective under Article 21 of Legislative Decree 108/2018. However, the question arises of whether it is possible to continue to process the abovementioned data in the absence of the required authorisations.

Special categories of personal data in employment relationships

Provision 146/2019 sets out the requirements for processing special categories of data in employment relationships. The provision draws on Article 9(1)(b) of the GDPR, which allows the processing of data in particular categories without the data subject's consent when:

it is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of labour law and social security and social protection, in so far as it is authorised by Union law or Member States or by a collective agreement in accordance with the law of the Member States, in the presence of appropriate safeguards for the fundamental rights and interests of the data subject.

In accordance with Article 9(1) of the GDPR, the provision covers the personal data of employees, independent collaborators, consultants, representatives, holders of corporate offices, third parties (when they suffer damages in the performance of their work activities) and family members of the aforesaid data subjects (eg, in order to grant benefits or permits) where such processing reveals:

racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Under the provision, the following data controllers and processors can handle sensitive employee data:

  • employers in the public and private sectors, with the latter being subject to ad hoc regulations;
  • employment agencies;
  • trade associations;
  • compliance officers with labour, social security, tax or welfare obligations towards employers or clients (eg, employment consultants);
  • doctors; and
  • safety representatives.

The Data Protection Authority allows the abovementioned data controllers and processors to process the data of those data subjects referred to in Article 9 of the GDPR when it is necessary to meet certain criteria arising from the establishment, execution or termination of an employment relationship – namely:

  • the fulfilment of specific obligations deriving from Italian or EU regulations regarding the start, management and termination of an employment relationship (including employee benefits, insurance and social security management and the risks connected with safety at work);
  • meeting specific and legitimate needs (eg, accounting and the payment of wages, bonuses and other contributions);
  • preserving the health and safety of workers and third parties;
  • enforcing or defending rights provided by law or collective agreements ("provided that the data is processed exclusively for this purpose and for the period strictly necessary to pursue them" and it refers "to ongoing litigation or pre-litigation situations");
  • the management of insurance linked to employee liability for workplace health and safety; or
  • pursuing specific and legitimate aims identified in:
    • an employer's articles of association;
    • a trade union's constitution; or
    • collective agreements on trade union assistance.

Requirements for processing sensitive employee data

The Data Protection Authority has identified certain requirements that data controllers and processors must adopt when processing data referred to in Article 9 of the GDPR.

In particular, genetic data cannot be used to ascertain a candidate's aptitude for a job even with their consent. However, during the hiring process, employers can examine data relating to an applicant's health or racial origin provided that it is required to meet criteria arising from the establishment, execution or termination of an employment relationship. Further relevant information can be requested from candidates if it is limited to assessing their aptitude for a job, as provided for by Article 8 of Law 300/1970 and Article 10 of Legislative Decree 276/2003. That said, employers must refrain from processing the personal data of candidates who have been excluded from the recruitment process.

Conversely, during the course of an employment relationship, authorised data controllers can process data concerning:

  • the religious and philosophical beliefs of employees in order to grant leave for religious holidays or to organise special canteen services; or
  • the political opinions or trade union membership of employees in order to grant leave provided by law or collective agreements and to facilitate the payment of trade union membership fees, where appropriate.

However, the principle of necessity still applies; for example, in order to justify the absence of an employee on a trade union voting list, employers must receive satisfactory notification from the president of the relevant seat while maintaining the employee's confidentiality.

From an operational point of view, the Data Protection Authority has set limits on the internal circulation of sensitive employee data. Such data should be obtained directly from employees and any communications exchanged internally that contain sensitive employee data should take place between the data subjects concerned and the competent data controllers (via email or sealed envelope) in order to prevent illegal access by third parties, including other company employees.

A practical application of the Data Protection Authority's provisions is the communication of employee absences, which must be communicated in a way that prevents anyone other than the data subject concerned from knowing the reasons for an employee's absence.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.