On Wednesday 24 April 2024, MEPs adopted the text of the new Directive on the working conditions of platform workers. As can be learned from the press release published on the Parliament’s institutional website, the Directive “aim[s] to ensure that platform workers have their employment status classified correctly and to correct bogus self-employment”by introducing “a presumption of an employment relationship (as opposed to self-employment) that is triggered when facts indicating control and direction are present, according to national law and collective agreements […]”.

Among the initiatives introduced by the Directive, as far as is of interest here, there are limitations on the processing of personal data carried out by means of automated monitoring or decision-making or systems. For example, the following may not be subject to any processing operation: (i) data on the emotional or psychological state of the person performing platform work; (ii) personal data in relation to private conversations; (iii) data belonging to the category of special data (former sensitive data) or biometric data or, again, (iv) the data of the worker who carries out activities through a digital platform may not be collected when he or she is not carrying out his or her activity through the platform itself.

These provisions will apply from the start of the recruitment and selection procedures and for the entire duration of the relationship. It is understood that, given the type of processing and the high risk to the rights and freedoms of natural persons, processing of personal data by a digital work platform will be subject to specific impact assessments under Article 35 of Regulation (EU) 2016/679. The impact assessments carried out by the employer will then have to be shared with the workers’ representatives.

Another key element is the transparency obligations. Persons who perform work through digital platforms will have to be promptly made aware, in a transparent, intelligible and easily accessible form using clear and plain language, about the categories of decisions that are taken or supported or by automated decision-making or monitoring systems. The Italian national legal system is already familiar with this aspect following the introduction of the provisions of Regulation (EU) 2016/679 and the adoption of the so-called “Transparency Decree”.

Finally, it is understood that Member States will have to ensure that digital work platforms guarantee sufficient human resources to effectively monitor and assess the impact of individual decisions taken or supported by automated decision-making or monitoring systems.

◊◊◊◊

Next steps

The text approved by the European Parliament will now also have to be formally adopted by the Council and then published in the Official Journal of the European Union. After publication, each Member State will have two years to incorporate the new provisions into its national law.

Other related insights:

• Italian Transparency Decree obligations continue to apply to fully automated systems (Norme e Tributi Plus Lavoro of Il Sole 24 Ore, 7 August 2023 – Vittorio De Luca, Alessandra Zilla, Martina De Angeli)
• Violation of the Transparency Decree on the matter of automated tools entails anti-union conduct also if it concerns riders (Norme & Tributi Plus Diritto of Il Sole 24 Ore, 5 May 2023 – Alberto De Luca, Luigi Picciarelli)

From 1 October 2024, businesses and self-employed workers operating on temporary or mobile construction sites, as defined by the Consolidated Safety Act (specifically, Article 89, paragraph 1, letter a), of Italian Legislative Decree no. 81/2008), are required to have a licence, in digital format, issued by the competent local office of the Italian National Labour Inspectorate.

This requirement was recently introduced by Article 29, paragraph 19, letter a), of Italian Decree Law of 2 March 2024, no. 19, not yet converted into law, which, replacing Article 27, paragraph 1) of the Consolidated Safety Act, introduces a credits accreditation system for businesses, and self-employed workers. The licence will be issued subject to satisfying the requirements specifically identified by the law, namely: (i) registration with the Chamber of commerce; (ii) compliance with the training obligations provided for in Article 37 of the Consolidated Safety Act applicable to company employers, executives, managers and workers; (iii) compliance by self-employed workers with the training obligations; (iv) holding a valid Certificate of Contributions Compliance (Documento Unico di Regolarità Contributiva, ‘DURC’); (v) holding a Risk Assessment Document or (vi) holding a Certificate of Tax Compliance Documento unico di regolarità fiscale (DURF).

Pending the issuance of a licence, unless otherwise notified by the Inspectorate, businesses and self-employed workers will still be able to operate within construction sites.

The new system provides for an initial balance of 30 credits and a minimum of 15 credits. If the score falls below the minimum threshold, subject to exceptions, it is not possible to operate on temporary or mobile construction sites. The accreditation system provides for credit reductions in the face of certain events, assessments or measures issued against company employers, executives, managers or the self-employed worker. Without prejudice to this, it is also provided that reduced credits can be reinstated.

Verification of the holding of the licence is delegated to the principal or to the works manager. Carrying on work in the absence of a licence or while holding a licence with a score lower than the minimum gives rise to an administrative fine of up to EUR 12,000 and exclusion from participation in public works for a period of six months.

◊◊◊◊

Prior to 1 October 2024, and considering that there may be amendments to the decree before it is converted into law, companies and self-employed workers who are subject to the new obligations must take steps as to ensure compliance with the provisions of the new accreditation system.

Other related insights:

• Accidents at work resolved through settlement: future damages remain compensable if unforeseeable nature of health deterioration is proven
• Occupational injuries: Employer liability is not automatic

With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.

The document was issued following investigations carried out by the Italian DPA during which it emerged that there was a risk that computer programmes and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of e-mail accounts in use by employees, retaining them for an extended period of time. “Metadata” means information such as, for example, the day, time, sender, recipient, subject and size of the e-mail.

To ensure compliance with data protection legislation as well as the sector regulations on remote control – as is well known, governed by Article 4 of Italian Law no. 300/1970 (the “Workers’ Charter”), employers must:

• verify that the computer programs and services for e-mail management allow the basic settings to be changed, preventing the collection of metadata or limiting the retention period to a maximum of seven days, which can be extended by a further 48 hours under specific conditions;
• alternatively, carry out the guarantee procedures provided for in Article 4 of the Workers’ Charter, i.e. sign a trade union agreement or obtain an authorisation from the National or Area Labour Inspectorate. This is because extending the retention period beyond the seven/nine day time frame may lead to indirect remote control of the worker’s activity;
• in any event, the necessary transparency must be ensured in relation to workers, providing them in advance with specific information on the processing of personal data.

In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.

In the absence of this, there is considered to be remote control of worker’s activities which may also have criminal consequences, in addition to breach of the personal data protection legislation with the following consequences; (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of limitation of retention, and (iii) breach of the principles of data protection by design and by default as well as the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used. ​

Other related insights:

• Italian Court of Cassation: Defence checks on employee’s company e-mail
• Controls: company information found on former employee’s company PC can be used

Among the topics we explored at our Team Meeting this week was the area of employer checks carried out through investigative agencies, analysing Court of Cassation judgment of 11 October 2023, no. 28378. In that case a dismissal based on evidence collected by a private investigator who had not been indicated by name in the appointment document was declared null and void.

If you would like to learn more about this topic, contact us or request our slides here.

With Ruling of 14 September 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, ‘DPA’) found that the processing of data carried out by a company appointed to read gas, electricity and water meters (the ‘Company’) was unlawful, confirming that the employer has an obligation to provide a full response to requests to exercise the right of access, including by communicating geolocation data.

The facts of the case

The case arose from a complaint submitted to the DPA by three Company employees who had not received a satisfactory response to a request for access to their personal data collected through the company’s smartphone, on which a geolocation system had been installed that allowed workers to identify the route to take to reach the meters to be dealt with.

In particular, the employees asked for the information used to process mileage reimbursements and the monthly hourly wage, as well as the procedure for establishing the remuneration due to verify the accuracy of their pay slip.

The DPA, during the preliminary investigation, found that the Company had not provided an adequate response to the three workers’ request, despite the fact that the request was clear and detailed. In fact, it had not provided the employees with the data processed through the GPS system, but had limited itself to indicating the methods and purposes for which they were processed and to providing the privacy policy already signed by the concerned workers.

The outcome of the preliminary investigation

At the outcome of the preliminary investigation, the DPA found that the Company, in its capacity as Controller, carried out the processing in breach of:

• Article 15 of Regulation (EU) 2016/679 (the ‘GDPR’), for failing to provide, including through the attached documentation, a complete and exhaustive response with respect to what was requested through the requests. The exercise of the right of “access to personal data” must, in fact, allow effective access to any personal data processed, which is not a general description of the same, nor a mere reference to the categories of personal data processed by the controller (as also specified in “Guidelines 01/2022” on Data Subject Rights (EDPB, 28 March 2023).

The Company should have provided all the data collected through the geolocation system, responding to the specific requests received from the three complainants;

• Article 12 of the GDPR, because a data Controller, in response to a request to exercise rights by a data subject, must facilitate their exercise by providing “information on action taken on a request […] without undue delay and in any event within one month of receipt of the request” and “if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay […] of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”;

• Article 5, paragraph 1, letter (a) of the GDPR, because personal data must be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The data subject’s right of access to his or her own data cannot be considered to be satisfied by mere reference to what is contained in the information notice, without any reference to the processing actually carried out.

The DPA’s decision

At the outcome of the preliminary investigation, the DPA clarified that, since the Company processed, among other things, data relating to the geolocation of smartphones provided to employees for the performance of their work, such processing “indirectly provided the geolocation of the complainants themselves”: for this reason, the Company should have provided a complete and exhaustive response to the requests to exercise the right of access, indicating, in particular, the data relating to the employees’ geolocation or explaining the reasons for any failure to comply with the requests received.

In light of all the above, the DPA fined the Company EUR 20,000, and also ordered the publication of the Ruling on its website.

Other related insights:

• European Court rules that employee tracking through company car geolocator is lawful (Norme e Tributi Plus Diritto, 23 January 2023 – Alberto De Luca, Claudia Cerbone)
• Italian Data Protection Authority: employee has right to access report of investigative agency appointed by employer