Categories: Insights, Practice

Tag: Autorità Garante, GDPR, Medico Competente


31 Aug 2020

Company Physician: Independent data controller

On 23 June 2020, the Italian Data Protection Authority (“Garante“) published the “2019 Annual Report” (the “Report“) listing activities carried out during the previous calendar year.

With the publication of the Report, the Data Protection Authority has confirmed what had already been stated in the note ref. no. 7797, dated 27 February 2019, concerning the subjective qualification of the Company Physician (as defined by art. 38 of Legislative Decree 81/2008, the “Decree”)

It is necessary to make a brief introduction to better understand the issue.

Article 4 of the (EU) Personal Data Protection Regulation (the “Regulation“) defines the Data Controller as (i) “the individual or legal person, public authority, service or other body which, individually or jointly with others, determines the personal data processing purposes and means” and the Data Processor as (ii) “the individual or legal person, public authority, service or other body which processes personal data on behalf of the data controller.”

Since the first interpretations and applications of the Regulation, the legal theory opened a debate on the Company Physician’s correct subjective qualification for data processing carried out during the functions and tasks assigned by the Decree.

The legal theory

Part of the theory suggested that the Company Physician was a Data Processor (under art. 28 of the Regulation), and the employer was the sole Data Controller which has the task of determining the purposes and means of the processing carried out by the professional. This theory was based on the relationship between the employer and the Company Physician was regulated by a contract by which the latter was expressly authorised by the employer to carry out employee personal data processing (including data belonging to special categories, formerly “sensitive” data).

Conversely, a different part of the theory stated the Company Physician was an independent Data Controller, as the processing purposes were established by the Decree and not by the employer.

The Data Protection Authority’s position

This latter idea was expressly confirmed by the Data Protection Authority, which qualifies the Company Physician as an independent Data Controller. The type of processing carried out by the professional (for example, health monitoring or preparing health records) is their prerogative and not the employer’s.

In terms of sanctions, according to the Data Protection Authority, the regulatory framework makes a precise distinction between the employer and Company Physician’s responsibilities.

Others Insights related:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…