Blog : Privacy Law



The reformulation of Article 4 of the Italian Charter of Workers on remote control of employees has created a specific distinction between monitoring procedures, on the one hand through video surveillance installations and other labour systems, and on the other hand through specific instruments used by every worker in order to perform the job and to register access and presence. The reformulated Art. 4 provides for the employer to refer to the first monitoring procedures only through a previous labour union deal or an authorisation by the “Direzioni Terrritoriali del Lavoro” (hereinafter D.T.L), whereas for the second monitoring procedures such authorisations are unnecessary. In both cases, providing workers with adequate information is compulsory in accordance with the Privacy Legislative Decree 196/03, in absence of which every evidence obtained cannot be used.

The issue has been left unsolved with regard to the use of a G.P.S. system1, if it is to be considered or not as a mean used by the employee to offer a working performance, and all that derives from it within the meaning of authorisation requests to the competent organs. Therefore, on 8th November 2016, the “Ispettorato Nazionale del Lavoro” published a notice containing operative instructions on the use of GPS systems in accordance with Article 4, paragraphs 1 and 2, law 300/1970.

The “Ispettorato” clarified how in general the GPS is to be considered an additional element of the working tools, since the localization instrument has further purposes with regard to the performance of duties (insurance, organisation, production or as a guarantee of employees’ safety). It is evident how in such cases, as the GPS does not constitute an essential instrument in order to perform duties, the provisions of paragraph 4 of the same Article apply according to which a deal with unions or a D.T.L. authorisation is necessary.

However, in certain specific occasions, the GPS can be considered as a necessary tool to perform working duties; in such case only a notification to the concerned employees is required. This happens when the localization system permits the concrete and effective feasibility of the working activity, which cannot be performed without the use of a GPS system, or in case such use is requested by specific regulations.

With regard to the latter point, the Court of Cassation, in judgment number 19922 of 5th October 2016, declared illegitimate the dismissal of an employee on the base of distant monitoring performed by the employer through a GPS system installed on the company car. In the specific case, the subject was a private surveillance agency which, through data detected on the GPS, had found that his employee had performed personal tasks instead of the assigned routine rounds.

In the referring case, the company had previously agreed with the labour unions to the use of a GPS system on company cars, excluding its use for employment purposes such as dismissal and disciplinary procedures.

The Supreme Court held that the control put forward by the surveillance company was set as a generalized mechanism ex ante, therefore not to be considered as a “defensive” mechanism. Please note that, if the working performance control is put forward after solid suspects of illegal employee’s behaviour, these are to be considered as “defensive controls” and can be used at court (please refer to my article published on dating 23/08/2016).

Because of the abovementioned considerations, the reformulation of Article 4 of the Workers’ Statute, also in the light of the most recent case law, cannot be considered as a sort of liberalisation of distant control but as a clarification on the modalities of use of systems connected to employment purpose and on the limits on the use of collected data. Therefore, the employer is authorized to perform distant control and to use such data also for disciplinary purposes, but will always need to provide employees with all the safeguards set in the privacy Legislative Decree.

1 The Global Positioning System is a global navigation satellite system (GNSS) that provides geo-location and time information to a GPS receiver in all weather conditions, anywhere on or near the Earth where there is an unobstructed line of sight to four or more GPS satellites. Localization occurs through the transmission of a radio signal from each satellite and the processing of the signals received by the receiver.

Privacy of enterprises: transfer abroad of personal data through a delegate in outsourcing resident in a third country.

Privacy of enterprises: transfer abroad of personal data through a delegate in outsourcing resident in a third country.

Being able to transfer personal data in third countries has become of fundamental importance for companies, given the transversal internationalization of most of the commercial enterprises.

If, on the one hand, Art. 43 of Legislative Decree 196/03 allows data transfer outside national borders with previous express consent by the subject concerned, on the other hand it is quite difficult to assume that a multinational enterprise with thousands of employees is able to acquire everyone’s consent.

Moreover, data is frequently not treated directly by the company itself but, especially with regard to human resources, processed in outsourcing. In such case, what are the controller’s fulfillments when a processor in outsourcing also entrusts such process to a delegate in a third country?

The company can go through the following steps:

  • Presence of an adequacy decision by the European Commission

  • Use of standard contractual clauses predisposed by a decision of the European Commission

  • Adoption of Binding Corporate Rules

  • Adoption of Binding Corporate Rules for the Processor

Currently, the European Commission’s adequacy decisions only involve 13 States: the protection assured with regards to data treatment in such countries is considered to be satisfactory and it is therefore possible to transfer personal data. Lastly, the issue of data transferred to the USA was solved last 12th July with the adoption of the Privacy Shield by the European Commission, already discussed in a previous article of the blog.

The standard contractual clauses are predisposed by the European Commission and, once inserted in the text of a commercial contract, consent data transfer to third countries. These provide for specific technical and organizational safety measures that need to be strictly applied by the delegate of the treatment based in a third country that does not guarantee an adequate level of protection.

The European Commission, with a decision dated 5 December 2010, has decided for the standard clauses’ application in case the controller, resident in Europe, delegates the treatment to a European company which, in turn, subcontracts to a business enterprise based in a third country.

The decision has confirmed that for the processor of data treatment residing in the European Union, it will be sufficient to follow the standard contractual clauses in order to provide adequate guarantees for the transfer to a third country delegate. The contract needs to be subject to the legislation of the member’s residence country in order to guarantee any eventual actions of the interested party on personal data protection.

It goes beyond doubt that the data protection authorities of each Member State need to continue executing their main guarantee role by supervising that personal data is adequately controlled after transfer outside the European Union borders.

The Italian data protection authority has transposed the European Commission’s decision (Gazzetta Ufficiale n.141 of 19th June 2010) and, afterwards, with the measure of 15th November 2012 has given further clarifications on the issue. In particular, it has provided the controller to confer upon the processor residing in the European Union a specific mandate, in accordance with art. 1704 of the Italian Civil Code, for the subscription of specific contractual clauses given by the European Commission; however, the Italian data protection authority has left a choice to the controllers who do not intend exercising the mandate to request the same data protection authority a specific authorization according to art.44, 1st comma of Legislative Decree 196/03.

In its last annual report, the Italian data protection authority has given particular attention to data transfer to third countries. This has underlined the increased use of Binding Corporate Rules (hereinafter BCR), that are being discovered as the most privileged way of transferring data to third countries among groups of enterprises.

Accordingly, the BCR for Processors represent a valid option: these permit transfer, within the same group company, of personal data on which a processor operates for the controllers residing in a European Member State. In such way, the controllers have a guarantee deriving from the presence of BCR for Processors, which prove transfer’s lawfulness carried out by the processor enterprises in outsourcing. For more information on BCR please consult our previous article.

In the light of such drastic increase of personal data transfer to third countries, the Italian data protection authority has focused its inspections on subjects that carry out data transfer abroad, “in order to verify the treatment typos, the security measures adopted, together with the legal conditions, the scope and the modality of personal data transfer in non-EU countries”1.

The new European Regulation on the protection of natural persons with regard to the processing of personal data has provided for a general prohibition, except in the presence of an adequacy decision of the European Commission2. Moreover, the Commission has an obligation to evaluate overall third countries’ legislation with regard to privacy of personal data.

In case of absence of an adequacy decision by the Commission, the controller must compensate such deficiency with adequate guarantees to the interested subject. Such guarantees can consist of the BCR’s application, of standard clauses adopted by the Commission, of clauses regarding data protection adopted by a national supervisory authority or of contractual clauses authorized by a supervisory authority.

Many are the safeguard measures adopted, deriving from national and European legislation as a guarantee of safe transfer to third countries. It is well said that an adequate knowledge and a punctual application of such measures will allow companies to operate, by transferring data in third countries, without many obstacles and without having any limits to their own actions.

2 Recital 103 and art.45 of the EU Regulation 679/2016