On 25 May 2018, Regulation (EU) 2016/679, known as GDPR (General Data Protection Regulation) – on the protection of natural persons (‘data subjects’) with respect to the processing and transfer of personal data – became completely applicable in all EU member states.
As an EU regulation, the GDPR is a provision to be directly applied in its entirety throughout the EU territory. As clarified by the European Commission, it originates from the desire, and the need, to harmonise and simplify the rules on the processing and transfer of the personal data of natural persons, providing both data controllers (and processors) and data subjects with legal certainty.
However, it would be a mistake not to consider the legislation and peculiarities of each member state in which the GDPR is applicable. Indeed, the principles and provisions provided for by the GDPR must be applied taking into account the implementation rules of each member state, adapting to local compliance obligations in each case.
Specifically, for example, to adapt national law to the new regulation, the Italian law maker adopted Legislative Decree no 101/2018 of 10 August 2018, adapting the GDPR to the relevant national legislation, represented by Legislative Decree no 196/2003 (the Privacy Code, and together with the GDPR, the Data Protection Law).
Data protection and the employer-employee relationship
With respect to the above, Article 88 of the GDPR provides that each member state may lay down more specific rules by law and national collective bargaining agreements (NCBA) to ensure the protection of the rights and freedoms regarding the processing of employees’ personal data in employment relationships.
The above, for instance, allows a continuity in terms of individual and trade union protection and prerogatives, as provided for by Italian law, in primis by the Statuto dei Lavoratori (Law no 300 of 20 May 1970, the Statute).
As a matter of fact, by means of Article 4, the Statute preserves the confidentiality of employees, defining the cases in which audio-visual equipment or other instruments from which the possibility of a remote control of employees’ activities may derive, even only potentially. The same Article 4 requires the employer to provide workers with adequate information on how to use the tools submitted and requires a full compliance with the Data Protection law by referring directly to the provisions of the Italian Privacy Code.
Under Italian Law, the employees’ control is not only limited to the ‘workplace’, eg, where it could be implemented through the installation of a video surveillance system (Video-surveillance Provision – 8 April 2010 and the European Data Protection Board (EDPB) Guidelines no 3/2019 on processing of personal data through video devices) but also extends to devices, apps and general tools used to perform the employment services. In this respect, before the application of the GDPR, the Italian Data Protection Authority issued Guidelines for the use of internet and e-mail in public and private workplaces, which clearly define the limits between legal and illegal controls.
Please note that this is only an example of how a correct and compliant application of the provisions of the EU Regulation should be implemented considering local legislation.
In compliance with both the Statute and the Data Protection Law (Article 25(1) of the GDPR), the employer must implement measures to protect employees’ personal data ‘from the design’ of the processing (privacy by design) and by default (privacy by default), in compliance with the ‘accountability principle’. And compliance with the principle of accountability also means adapting to local regulations.
The five most common underestimated tasks in the application of the GDPR in Italy
Based on the experience of our GDPR team, corporations fail to comply with the EU and Italian provisions in particular in the following five cases more often.
i) Adoption of security measures and policies. As reported on 2 June 2021 by the Italian Data Protection Authority during the presentation of the report on the activities carried out during the past year: ‘2020 was characterised, at global level, by the negative record of cyber-attacks, facilitated by the increased use of telematic channels as a result of the pandemic and which, a few weeks ago, became real hostile acts in the context of the conflict for the cyber domain’.
The high number of cyber attacks and personal data breaches have undoubtedly raised the awareness of both data controllers (and processors) and data subjects about the importance of the issue, but on the other hand they have revealed a low level of compliance by the actors involved, which goes through the importance of adopting security measures, policies and tools that help prevent them.
Specifically, the adoption of internal policies is one of the tasks that is too often underestimated.
ii) Appointments. Adopting internal policies that regulate the security of the information processed and define roles and responsibilities is a tool that not only serves to ensure the compliance of the organisation with the applicable Data Protection Law, but also reduces the risk of any damage that may directly affect the business of the company. The internal policies and procedures to be adopted must be tailored for each case, based on the characteristics and risks that each situation presents and must comply with any additional procedures already applied by the company. For economic reasons or due to a lack of thought, it often happens that to comply with the obligations deriving from the applicable law, standardised internal policies or procedures are adopted which, in fact, are not suitable for the organisation adopting them.
iii) Training. Once policies and procedures have been adopted, training and raising the awareness of staff on the correct application of these policies and procedures is essential. Systematically educating and updating who must daily apply it contributes to reducing the risks to which the data controllers or processors are exposed.
Defining roles and responsibilities, also through the adoption of internal procedures and policies, makes it possible, among other things, to meet another requirement that is often underestimated by both data controllers and processors and which concerns the ‘records of processing activities’.
iv) Monitoring. Introducing monitoring plans that take the form of continuous verification of the actions taken by the data controller to ensure compliance with the Data Protection Law – as well as effective implementation and compliance with policies, procedures, organisational and security measures – is one of the tools aimed at ensuring full compliance with the so-called accountability principle. The principle requires the data controller to proceed with the identification and management of risks relating to the processing operations carried out.
v) Continuous updating processes. It is frequent to find records adopted in order to comply with the GDPR but which are never reviewed and updated and which often no longer correspond to the actual reality to which they refer, which has changed and evolved in the meantime.
With respect to the above mentioned, since the entry into force of the GDPR, the Data Protection Law has certainly represented an interesting challenge for Europe, for the recipients of what is prescribed in the Regulation and for the subjects that it wants to protect. A challenge which, in view of a constantly evolving scenario, does not seem destined to end and which, although with common objectives, the legislators and the authorities of each member state will have to continue to meet.