Data has become the new oil and its role is likely to grow further as digital becomes more central to our lives. This has important implications for privacy, as Vittorio De Luca, founder of the law firm De Luca & Partners, points out. “the EU legislator has intervened significantly in this area over the last few years. However, at corporate level the position is divided into companies that have implemented and structured real internal compliance models and over time have managed to change the culture and sensitivity of all those who make up the organisation, while others continue to consider data protection as a company cost rather than an investment”, he points out.

Personal data protection legislation and employment law are now closely linked, not only with regard to the processing of human resources data. “Increasingly, we are assisting companies in how to correctly manage requests for access to documents and personal files that are – legitimately – submitted by employees as part of disciplinary proceedings against them”, he points out. “In addition to the consequences on the employment law front, a data subject (in this case, the worker) has always the right to make a report to the Italian Data Protection Authority”, explains Mr De Luca.

Continue reading the full version published in La Repubblica.

Other related insights:

• Dismissal unlawful if based on location data collected without adequate notice
• Artificial Intelligence and Human Resources: what challenges should an HR Manager prepare for?

The Italian Data Protection Authority (‘IDPA’), with a Ruling of 7 March 2024 [announced in the Newsletter of 3 May 2024] upheld a complaint filed by a worker who had asked her former employer company for access to her personal file to find out what information could have given rise to a disciplinary sanction against her.

The company had not given an adequate response to the request and had only provided an incomplete list of the documentation collected, omitting information which formed the basis of the disciplinary sanction which was then imposed. The omitted information was only provided to the worker after the start of the IDPA’s investigation.

In its note of reply, the company claimed that it had not provided the worker with the above-mentioned documentation in order to protect its right of defence in court as well as the confidentiality of the third parties involved. The company also alleged that the complainant lacked standing to access the information, since it had been requested at a time when the disciplinary proceedings could no longer be challenged.

The IDPA reiterated that the right of access recognised by Regulation (EU) 2016/679 (‘GDPR’) is intended to allow the data subject to exercise control over his or her personal data and to verify its accuracy. Consequently, this right cannot be denied or limited depending on the purpose of the request. In fact, according to the provisions of the GDPR, data subjects are not asked to indicate a reason or a particular need to justify their requests to exercise their rights, nor can the data controller verify the reasons for the request.

Therefore, access to personal data cannot be denied because the data requested could be used by the data subject to defend himself or herself in court in the event of dismissal.

“The jurisprudence has on several occasions reiterated that the right of access derives, in addition to the legislation on personal protection data, from the ‘respect for the principles of good faith and fairness incumbent on the parties to the employment relationship under Articles 1175 and 1375 of the Italian Civil Code. This is confirmed by the fact that, for some time, the relevant sector’s collective bargaining agreement has provided that the employer must keep, in a special personal file, all the deeds and documents produced by the entity or by the employee himself or herself, which relate to his or her professional development, the activity performed and the most significant facts concerning him or and that the employee has the right to freely view the deeds and documents included in his or her personal file’ (Italian Court of Cassation, 7 April 2016, no. 6775)”.

Based on the points set out above, the IDPA imposed a fine of EUR 20,000.00 on the company.

◊◊◊◊

Summary of the right of access:

• The right of access may be exercised by the data subject (i.e. the natural person to whom the data refer) or by his/her delegate.
• The request can be submitted directly to the Data Controller (aka, for example, the employer) or, if appointed, to the DPO.
• Through an access request, the data subject may request access to his or her personal data and obtain the following information: the purposes of the processing, the categories of data, the recipients or categories of recipients to whom the data are or will be disclosed, the period for which the data will be stored or the criteria used to determine it, the origin of the data, and whether there is an automated decision-making process, including profiling or transfers of his or her data outside the European Union.
• The request for access does not have to be justified by the applicant.
• The right to access personal data must not adversely affect the rights and freedoms of others.
• A response must be provided within 30 days (extendable by a further 30 days if the request is particularly complex which, in any case, must be justified).

Other related insights:

• The right to have access to the records throughout the disciplinary procedure
• Court of Cassation: right of access to personal records

On Wednesday 24 April 2024, MEPs adopted the text of the new Directive on the working conditions of platform workers. As can be learned from the press release published on the Parliament’s institutional website, the Directive “aim[s] to ensure that platform workers have their employment status classified correctly and to correct bogus self-employment”by introducing “a presumption of an employment relationship (as opposed to self-employment) that is triggered when facts indicating control and direction are present, according to national law and collective agreements […]”.

Among the initiatives introduced by the Directive, as far as is of interest here, there are limitations on the processing of personal data carried out by means of automated monitoring or decision-making or systems. For example, the following may not be subject to any processing operation: (i) data on the emotional or psychological state of the person performing platform work; (ii) personal data in relation to private conversations; (iii) data belonging to the category of special data (former sensitive data) or biometric data or, again, (iv) the data of the worker who carries out activities through a digital platform may not be collected when he or she is not carrying out his or her activity through the platform itself.

These provisions will apply from the start of the recruitment and selection procedures and for the entire duration of the relationship. It is understood that, given the type of processing and the high risk to the rights and freedoms of natural persons, processing of personal data by a digital work platform will be subject to specific impact assessments under Article 35 of Regulation (EU) 2016/679. The impact assessments carried out by the employer will then have to be shared with the workers’ representatives.

Another key element is the transparency obligations. Persons who perform work through digital platforms will have to be promptly made aware, in a transparent, intelligible and easily accessible form using clear and plain language, about the categories of decisions that are taken or supported or by automated decision-making or monitoring systems. The Italian national legal system is already familiar with this aspect following the introduction of the provisions of Regulation (EU) 2016/679 and the adoption of the so-called “Transparency Decree”.

Finally, it is understood that Member States will have to ensure that digital work platforms guarantee sufficient human resources to effectively monitor and assess the impact of individual decisions taken or supported by automated decision-making or monitoring systems.

◊◊◊◊

Next steps

The text approved by the European Parliament will now also have to be formally adopted by the Council and then published in the Official Journal of the European Union. After publication, each Member State will have two years to incorporate the new provisions into its national law.

Other related insights:

• Italian Transparency Decree obligations continue to apply to fully automated systems (Norme e Tributi Plus Lavoro of Il Sole 24 Ore, 7 August 2023 – Vittorio De Luca, Alessandra Zilla, Martina De Angeli)
• Violation of the Transparency Decree on the matter of automated tools entails anti-union conduct also if it concerns riders (Norme & Tributi Plus Diritto of Il Sole 24 Ore, 5 May 2023 – Alberto De Luca, Luigi Picciarelli)

On Wednesday 13 March 2024, the European Parliament approved the draft text of the so-called “AI Act”, the first Regulation on artificial intelligence. The Regulation establishes obligations in relation to the use of AI on the basis of possible risks and level of impact with the aim of protecting individuals’ fundamental rights, democracy and environmental sustainability from “high-risk” systems. 

“High risk” means AI systems intended to be used:  

1. for the recruitment or selection of natural persons, to place targeted job advertisements, to analyse and filter applications, and to evaluate candidates; 
2. to make decisions affecting terms of work-related relationships, the promotion or termination of work-related contractual relationships, to allocate tasks based on individual behaviour or personal traits or characteristics or to monitor and evaluate the performance and behaviour of persons in such relationships.  

For more information on this topic, please contact us at info@delucapartners.it

With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.

The document was issued following investigations carried out by the Italian DPA during which it emerged that there was a risk that computer programmes and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of e-mail accounts in use by employees, retaining them for an extended period of time. “Metadata” means information such as, for example, the day, time, sender, recipient, subject and size of the e-mail.

To ensure compliance with data protection legislation as well as the sector regulations on remote control – as is well known, governed by Article 4 of Italian Law no. 300/1970 (the “Workers’ Charter”), employers must:

• verify that the computer programs and services for e-mail management allow the basic settings to be changed, preventing the collection of metadata or limiting the retention period to a maximum of seven days, which can be extended by a further 48 hours under specific conditions;
• alternatively, carry out the guarantee procedures provided for in Article 4 of the Workers’ Charter, i.e. sign a trade union agreement or obtain an authorisation from the National or Area Labour Inspectorate. This is because extending the retention period beyond the seven/nine day time frame may lead to indirect remote control of the worker’s activity;
• in any event, the necessary transparency must be ensured in relation to workers, providing them in advance with specific information on the processing of personal data.

In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.

In the absence of this, there is considered to be remote control of worker’s activities which may also have criminal consequences, in addition to breach of the personal data protection legislation with the following consequences; (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of limitation of retention, and (iii) breach of the principles of data protection by design and by default as well as the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used. ​

Other related insights:

• Italian Court of Cassation: Defence checks on employee’s company e-mail
• Controls: company information found on former employee’s company PC can be used