Personal data protection
Recent developments in Italy
30 January 2019
Italy's data protection authority (the Italian DPA) has now reviewed for compliance with the GDPR the various codes of conduct and professional practice that applied, and the general authorisations that had been issued, under the previous legislation. The rules thus approved will be binding, and their breach will be punished by the imposition of the toughest available administrative penalty (a fine of up to €20 million or 4% of global annual revenues).
Other key developments have occurred since the entry into force of Legislative Decree 101/2018 (the GDPR Decree), which last September brought Italy's domestic law into line with the GDPR: the Italian DPA provided a list of categories of processing operations that are subject to the requirement for a data protection impact assessment and signed a memorandum of understanding with the Rome prosecution service, so that investigations into personal data protection offences may be carried out more quickly and effectively.
THE REVISED CODES OF CONDUCT
Under five decisions issued over November and December 2018, the Italian DPA reviewed the terms of various pre-existing codes of conduct and professional practice for compliance with the General Data Protection Regulation, No. 2016/679 (the GDPR). These related to the processing of personal data in the conduct of journalism, for the purposes of historical, statistical or scientific research, and in the preparation of a case in a lawsuit, and had formed Schedules A.1, A.2, A.3, A.4 and A.6 to Legislative Decree 196/2003 (the Data Protection Code).
These codes of conduct and professional practice have been revised to make them consistent with the GDPR, and renamed "rules of professional practice" pursuant to article 20(4) of the GDPR Decree. They have been passed to the Ministry of Justice in order that it may issue a decree for their inclusion in Schedule A to the Data Protection Code, as amended by the GDPR Decree. The rules of professional practice relating to the processing of personal data in the conduct of journalism and for the purposes of statistical or scientific research were published in Italy's Official Gazette No. 3 of 4 January 2019 and No. 11 of 14 January 2019, respectively, while those relating to the preparation of a case in a lawsuit were published in No. 12 of 15 January 2019.
Starting from publication in Italy's Official Gazette, compliance with the rules of professional practice constitutes an essential condition for processing of personal data within these fields to be considered to have been carried out lawfully and properly (article 2-quater(4) of the Data Protection Code, as amended). Their breach shall be punishable by an administrative fine of up to €20 million, or, for enterprises, up to 4% of total global annual revenues in the previous financial year, where this is higher (article 166(2) of the Data Protection Code, as amended).
With respect to the content of the rules of professional practice, the Italian DPA made changes both formal and substantive.
The remaining two pre-existing Schedules, A.5 and A.7, related to information systems managed by non-public entities in connection with consumer credit, and payment reliability and punctuality, and to data processing for the purposes of commercial information. Pursuant to article 20(1), these will remain in force until 19 September 2019, provided that:
- By 19 March 2019, the associations and other bodies that represent the kinds of companies that are data controllers and data processors for these kinds of activities submit codes of conduct compliant with article 40(2) of the GDPR to the Italian DPA for its approval; and
- Such approval is forthcoming within the six months thereafter.
Failure to meet either of those deadlines will mean that the terms of those Schedules cease to be effective on the expiry of the relevant term.
Aside from the differences in the procedures that have been established for those two sets of Schedules, there are also differences of structure and function between rules of professional practice, and codes of conduct under article 40(2) of the GDPR.
In a decision of 13 December 2018, the Italian DPA (i) identified the provisions among the authorisations set out in the general authorisations (adopted pursuant to articles 26 and 40 of the Data Protection Code, now abolished) that were compatible with the GDPR and the GDPR Decree, and (ii) opened a 60-day public consultation procedure in connection with those compatible provisions.
Article 21(1) of the GDPR Decree established that the Italian DPA would only review the GDPR compliance of those general authorisations that relate to processing situations covered by articles 6(1)(c), 9(2)(b) and (4), and Chapter IX of the GDPR, meaning processing:
- Necessary for compliance with a legal obligation to which the controller is subject;
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or of genetic data, biometric data or data concerning health; or
- That is made in relation to particular sectors, such as specific employment relationships, or of personal data from archives, registers, lists, instruments and documents kept by public registries, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Therefore, the Italian DPA only reviewed general authorisations 1/2016, 3/2016, 6/2016, 8/2016 and 9/2016, which concerned the processing of sensitive (now special categories of) personal data: within employment contexts; by associations, foundations, churches, or religious associations or communities; by private investigators; and concerning processing of genetic data or for the purposes of scientific research.
In identifying those provisions that were compatible with the GDPR, the Italian DPA made a number of other statements. For example:
- The Italian DPA has set out specific modalities for the processing of special categories of personal data during the pre-hiring phase, providing, inter alia, as follows:
  - Pre-hiring questionnaires must request only limited information that is strictly necessary to create the employment relationship, also taking into account the specific responsibilities or professional roles at issue (also from an employment law perspective, Art. 8 of Law No. 300/1970 prohibits enquiries on facts that are not relevant for the purpose of assessing the worker's professional aptitude);
  - If a candidate's CV includes data that is irrelevant for such purpose, those reading the CV must abstain from using the irrelevant information;
  - Genetic data cannot be processed for the purposes of establishing whether the candidate is professionally suitable, not even with the candidate's consent;
- In relation to processing during the employment relationship, the Italian DPA has stated inter alia the following:
  - The employer can process data that reveals political opinion or membership of a labour union or the exercising of related responsibilities exclusively for purposes relating to use of permits/leave time and the exercise of union rights (e.g. salary withholdings);
  - Making express reference to the principle of necessity, the Italian DPA has provided that for the purposes of carrying out activities in polling stations during elections, a certification from the polling station's president will suffice, and therefore the employer cannot request any document which would reveal the employee's political opinion;
  - Achieving the same safeguard as above, the Italian DPA had previously stated that the employer merely needs to inform the labour union that one of its employees has revoked his or her affiliation to the labour union, and thus the Italian DPA deemed it unlawful for the employer to reveal the employee's concurrent enrolment in another labour union (see doc. web no. 9065999, newsletter dated 7 December 2018).
- In all the authorisations reviewed, the Italian DPA eliminated those provisions that had merely stated that data could not be stored "for a period exceeding that necessary ... to pursue the purposes mentioned therein".
Article 20(5) of the GDPR Decree specifies that breaches of the provisions of general authorisations are subject to the same administrative fines as would be imposed for breaches of rules of professional practice under article 166 of the Data Protection Code (as already mentioned, a fine of up to €20 million or 4% of global annual revenues).
The general authorisations that the Italian DPA had adopted prior to 19 September 2018 relating to processing outside the categories above ceased to be in effect from that date forward (article 21(3) of the GDPR Decree).
THE KINDS OF PROCESSING THAT ARE SUBJECT TO IMPACT ASSESSMENT
In accordance with its duty under article 35(4) of the GDPR, the Italian DPA in a decision of 11 October 2018 set out a list of the kinds of personal data processing operations that would be subject to a data protection impact assessment (a DPIA). As acknowledged by the Italian DPA, the list implements the considerations of the European Data Protection Board and is without prejudice to the guidelines of WP 248, rev. 01, with a view towards harmonisation and consistent application of the GDPR also in cross-border processing.
The non-exhaustive list of the data processing operations by the Italian DPA includes:
- Processing that implies the profiling of the data subjects, and activities involving predictions, in relation to, for example, professional performance, economic condition, health, reliability, relocations;
- Automated processing with the aim of making decisions that prevent exercise of a right or the use of an asset or service or that cause the expiry of the status as a party under a contract (among these the Italian DPA includes a bank's screening of its customers by using data stored in a centralised risk databank);
- Large-scale processing of highly personal data, such as data relating to a data subject's family status or private sphere (including electronic communications and related data the confidentiality of which must be protected), data concerning physical location, and financial data that could be used fraudulently;
- More generally, processing of special categories of personal data pursuant to Article 9 of the GDPR or data relating to criminal convictions and offences pursuant to Article 10 of GDPR when interconnected with other personal data collected for other purposes;
- Processing that implies the large-scale, electronic exchange of data between different data controllers.
Thus, the existing, widely-used practice providing for a broad application of the DPIA has been confirmed.
The above list also includes processing in the context of an employment relationship performed using technology systems (such as video surveillance and geolocalisation) that allow remote monitoring of the employees. Use of such systems must also be agreed with the labour union representatives and/or the Labour Inspectorate pursuant to Article 4 of Law 300/1970, as amended by Article 23 of Legislative Decree 151/2015, except in relation to instruments used by the employee to perform the working activity and instruments that record access and physical presence at the workplace.
We highlight a recent ruling in the judicial employment law dispute involving the Foodora bicycle couriers who worked using an app installed on their smartphones. The couriers had sought compensation for damages as a result of the alleged breach of Article 4 of Law 300/1970, as well as of Articles 7, 11 and 171 of the Data Protection Code previously in force, given they had not been clearly and fully informed of the nature of the data processed, of the characteristics of the device and of the monitoring and the circumstances when the geolocalisation could be deactivated during work performance. In the first instance proceedings all of the couriers' claims had been denied by the Court of Turin (Ruling No. 778/2018).
The Court of Appeal of Turin, with Ruling No. 26/2019 of 11 January 2019 (the reasoning for which has not yet been issued), granted the couriers' appeal in part, recognising that they should receive the same compensation as employees on the basis of the parity of treatment principle pursuant to Article 2 of Legislative Decree 81/2015, although the Court did not classify their work relationship as subordinate employment. In relation to the privacy claims, the Court of Appeal did not reverse the first instance ruling, which held that the notice given to the couriers was not overly general and that "the apps on the smartphone were used by the plaintiffs to perform the work activities and as such they did not require an agreement with the labour union representatives."
The couriers, nevertheless, have publicised that in December 2018 they filed a complaint with the Italian DPA pursuant to Art. 77 of the GDPR, bringing forth new claims, including in relation to the continuous and unauthorised monitoring and geolocalisation of the couriers even outside of their working hours.
THE MEMORANDUM OF UNDERSTANDING MADE BETWEEN THE ROME PROSECUTION SERVICE AND THE REGULATOR
On 8 January 2019, the Rome prosecution service and the Italian DPA entered into a memorandum of understanding for the implementation of the new rules on personal data protection that the GDPR Decree had introduced (the MoU). The MoU is effective for a period of two years, and subject to automatic renewal.
It governs how effect will be given to articles 167(4), 167-bis(3) and 167-ter(2) of the Data Protection Code, as introduced by the GDPR Decree. Those provisions require public prosecutors to notify the Italian DPA "without delay" if they learn that specific offences may have been committed in connection with personal data protection, offences which are set out in the aforementioned articles. The intention is to ensure that investigations into possible offences proceed quickly, and that the criminal and administrative processes for punishing breaches of the law benefit from effective coordination. Accordingly, the MoU provides that:
- It is the public prosecutor in charge of a particular investigation that informs the Italian DPA, rather than the head of the prosecution service, so that information is shared quickly and without bureaucratic deferrals; and
- As soon as the suspect being investigated and their counsel have been formally notified that the preliminary investigations have been completed, the public prosecutor in charge must notify the Italian DPA of such evidence as would be necessary for it to examine whether there have been breaches of the law on personal data protection in connection with the offence. This procedure is intended to enable the Italian DPA to act more efficiently, while ensuring that appropriate investigative secrecy is maintained.