All questions

Data protection

Employers must comply with the obligations on data processing included in the Privacy Code (Legislative Decree No. 196/2003), as amended by Legislative Decree No. 101/2018 on the harmonisation of Italian data protection provisions with the new obligations and changes introduced, from 25 May 2018, by Regulation (EU) No. 679/2016 (the General Data Protection Regulation (GDPR)). One of the controller's duties is to appoint a data protection officer (DPO). The controller is required to appoint a DPO only in certain cases, outlined in the GDPR, in which the processing is carried out for specific purposes or for specific categories of data. For example, the processing may be carried out by a public authority or body (except for courts acting in their judicial capacity); the core activities of the controller may consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller may consist of large-scale processing of special categories of data, or personal data relating to criminal convictions and offences. The DPO can be a staff member of the controller, or fulfil the tasks on the basis of a service contract. While the appointment of a DPO is required only in some cases, the delivery – orally or in writing (in this latter case, the controller must retain evidence of its delivery) – of the information notice to the data subject (applicant, employee, etc.) is always necessary. When the personal data are collected directly from the data subject (e.g., when the employment relationship is established), the notice must include:

  1. the identity and contact details of the controller and, for controllers established outside the European Union, of the controller's representative;
  2. the contact details of the DPO, where applicable;
  3. the purposes for processing the data as well as the legal basis for processing, including the legitimate interests pursued by the controller or by a third party;
  4. the recipients or categories of recipients of the personal data, if any;
  5. where applicable, the transfer of personal data to a non-EU country or international organisation and the existence or absence of an adequacy decision by the European Commission, or reference to the appropriate or suitable safeguards adopted by the controller to lawfully carry out the transfer and the means by which to obtain a copy of them or where they have been made available;
  6. the period for which the data will be stored, or if that is not possible, the criteria used to determine that period;
  7. the data subject's rights;
  8. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  9. the right to lodge a complaint with a supervisory authority;
  10. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
  11. the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences, of data processing for the data subject.

In addition, the processing of personal data may require the consent of the data subject. The consent is valid only if it is given freely and specifically, and is provable. In this respect, however, the EU authorities do not recommend that employers ask directly for employees' consent, as employees are considered 'vulnerable subjects'. Consent is not required, inter alia, when the data is necessary for the performance of a contract to which the data subject is party; when the data is necessary for compliance with a legal obligation to which the controller is subject; or when the data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Sensitive data, defined in the GDPR as 'particular categories of data', may be processed with the written consent of the data subject or if, for example, the data is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by the European Union or national law, or a collective agreement pursuant to national law.

The GDPR grants to the employee the right to access his or her personal data. This must be easy and free. The employer is required to adopt adequate security measures, namely security measures that, based on technical progress, prove to be adequate to avoid any risk of destruction, loss or unauthorised access of the data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. Transfers to non-EU countries are subject to some conditions, including:

  1. the consent of the data subject (provided that, if there is no adequacy decision or appropriate safeguards, he or she is aware of the possible risks of the transfer);
  2. the necessity of the transfer for the execution of an agreement to which the data subject is a party or the implementation of pre-contractual measures taken at the data subject's request; and
  3. the necessity of the transfer in order to establish, exercise or defend legal claims.

The transfer of data to third countries is, however, always allowed if the controller has implemented the measures provided by the GDPR (e.g., standard contractual clauses approved by the European Commission or binding corporate rules) or if there is an applicable EU decision (e.g., Swiss and Canadian authorisations, American companies adhering to the Privacy Shield principles). In such cases, no further action to seek consent (with the exception of the information notice) is required.

There are also restrictions on background checks. From both a privacy and a labour standpoint background checks may only be carried out provided that:

  1. the purposes of the investigation are previously identified and are legitimate;
  2. the relevant information is not excessive in relation to its purpose; and
  3. the data to be collected is strictly related to the functions and responsibilities connected to the employment relationship.

The investigations must be preceded by an adequate information notice to the applicant or employee illustrating some details of the data processing and in some cases requesting express consent. Judicial data (e.g., criminal records) may be collected only if there are laws or regulations authorising its processing.