04 October 2019
Following the General Data Protection Regulation's (GDPR's) entry into force, the Italian legislature asked the Italian Data Protection Authority to review and update all of the so-called 'general authorisations' that it had previously issued under Articles 26 and 40 of the now rescinded Legislative Decree 196/2003 (the Privacy Code) to allow the processing of sensitive data even in the absence of the data subject's consent.
The provisions that allowed such authorisations were repealed by Legislative Decree 108/2018 (an amendment to the Privacy Code), which was based on the EU Data Protection Directive (95/46/EC) and, following its entry into force, the GDPR. However, in view of this regulatory lacuna, the legislature has also asked the Data Protection Authority to clarify:
the provisions contained in general authorisations already adopted, relating to data processing referred to in Article 6, paragraph 1, letters c) [of the GDPR referring to processing carried out on the basis of a legal obligation] and e) [of the GDPR referring to processing carried out for the performance of a task in the public interest], 9, paragraph 2, point b) [of the GDPR referring to the processing of sensitive data under labour laws] and 4 [of the GDPR referring], as well as in Chapter IX of Regulation (EU) 2016/679 [provisions relating to specific processing situations], which are compatible with the provisions of the same Regulation and this Decree and, where necessary, shall ensure that they are updated [see Article 21 of Legislative Decree 108/2018].
The Data Protection Authority's Provision 497/2018 identified the general authorisations which are compatible with the GDPR and the updated version of the Privacy Code. As a result, the following general authorisation categories were amended:
Provision 497/2018 and its proposed amendments to the above general authorisations were submitted for public consultation. Following this procedure, the Data Protection Authority adopted Provision 146/2019, which is examined in detail below with regard to the processing of sensitive employee data.
Neither Provision 497/2018 nor Provision 146/2019 update the general authorisations that the Data Protection Authority issued in 2016 – namely, those concerning the processing of:
As of 19 September 2018, these general authorisations are ineffective under Article 21 of Legislative Decree 108/2018. However, the question arises as to whether it is possible to continue to process the abovementioned data in the absence of the required authorisations.
Provision 146/2019 sets out the requirements for processing special categories of data in employment relationships. The provision draws on Article 9(1)(b) of the GDPR, which allows the processing of data in particular categories without the data subject's consent when:
it is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of labour law and social security and social protection, in so far as it is authorised by Union law or Member States or by a collective agreement in accordance with the law of the Member States, in the presence of appropriate safeguards for the fundamental rights and interests of the data subject.
In accordance with Article 9(1) of the GDPR, the provision covers the personal data of employees, independent collaborators, consultants, representatives, holders of corporate offices, third parties (when they suffer damages in the performance of their work activities) and family members of the aforesaid data subjects (eg, in order to grant benefits or permits) where such processing reveals:
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Under the provision, the following data controllers and processors can handle sensitive employee data:
The Data Protection Authority allows the abovementioned data controllers and processors to process the data of those data subjects referred to in Article 9 of the GDPR when it is necessary to meet certain criteria arising from the establishment, execution or termination of an employment relationship – namely:
The Data Protection Authority has identified certain requirements that data controllers and processors must adopt when processing data referred to in Article 9 of the GDPR.
In particular, genetic data cannot be used to ascertain a candidate's aptitude for a job even with their consent. However, during the hiring process, employers can examine data relating to an applicant's health or racial origin provided that it is required to meet criteria arising from the establishment, execution or termination of an employment relationship. Further relevant information can be requested from candidates if it is limited to assessing their aptitude for a job, as provided for by Article 8 of Law 300/1970 and Article 10 of Legislative Decree 276/2003. That said, employers must refrain from processing the personal data of candidates who have been excluded from the recruitment process.
Conversely, during the course of an employment relationship, authorised data controllers can process data concerning:
However, the principle of necessity still applies; for example, in order to justify the absence of an employee on a trade union voting list, employers must receive satisfactory notification from the president of the relevant seat while maintaining the employee's confidentiality.
From an operational point of view, the Data Protection Authority has set limits on the internal circulation of sensitive employee data. Such data should be obtained directly from employees and any communications exchanged internally that contain sensitive employee data should take place between the data subjects concerned and the competent data controllers (via email or sealed envelope) in order to prevent illegal access by third parties, including other company employees.
A practical application of the Data Protection Authority's provisions concerns the communication of employee absences, which must take place in a way that prevents anyone other than the data subject concerned from knowing the reasons for the absence.
For further information on this topic please contact Luca Daffra at Ichino Brugnatelli e Associati by telephone (+39 (0)2 48193249) or email (email@example.com). The Ichino Brugnatelli e Associati website can be accessed at www.ichinobrugnatelli.it.