30 May 2023
The purpose of the present discussion is to provide, on the one hand, an up-to-date picture of the recent provisions on labor and personal data and, on the other hand, operational guidelines to be observed in working environments in order to pursue the best application of the legislation on the protection of personal data. This task is as arduous as ever since, with the spread of the coronavirus epidemic in Italy, different provisions have followed one another, not always in line with each other, which we are going to explore below. However, it is possible to identify within them precepts whose compliance allows companies to put in place, from time to time, the most suitable behaviors.
The Privacy Guarantor, with an information note issued following the spread of the epidemic, barred do-it-yourself initiatives in data collection, specifying that public and private entities must follow the instructions of the Ministry of Health and the relevant institutions. The Guarantor felt it was necessary to clarify the terms of the issue since numerous entities (both public and private) had begun, when registering visitors and users, to ask to collect information about the presence of Coronavirus symptoms and about recent movements, as a measure to prevent infection. Just as many requests were received from public and private employers, who asked the Guarantor about the possibility of acquiring a “self-declaration” from employees regarding the absence of flu symptoms and events related to the private sphere. No response to these requests was awaited, and the practice spread throughout the country as quickly as spontaneously, making intervention even more necessary given how widespread it had become in the several companies that had prepared similar questionnaires. The Authority specified in this regard that such behavior is absolutely illegitimate. It should be noted, however, that this indication is in contrast to the previous orientation spread by consultants who, instead, on the basis of the combined provisions of Art. 2087 cc and Art. 9 GDPR, had considered such control by the employer possible, thus favoring the proliferation of the most widespread questionnaires. The Guarantor, in contrast to this previous orientation, held that the employer has duties, but these duties may be exercised only and exclusively through the most appropriate tools provided by the system. This approach is in line with the government's attempt to identify a common line, avoiding uneven practices among different areas of our territory.
In conclusion, “employers must therefore refrain from collecting, a priori and in a systematic and generalized manner, including through specific requests to the individual worker or impermissible investigations, information on the presence of any flu symptoms of the worker and his closest contacts or otherwise falling within the non-work sphere”, explains the Guarantor.
Article 14 lays down extraordinary provisions on the processing of personal data in the emergency context. It stipulates that for reasons of public interest and, in particular, to ensure protection from the public health emergency brought about by the spread of COVID-19 through appropriate prophylactic measures, as well as to ensure the diagnosis and health care of the infected or the emergency management of the National Health Service, the entities operating in the National Civil Protection Service, as well as the offices of the Ministry of Health and the Istituto Superiore di Sanità, public and private facilities operating within the National Health Service, and all entities implementing extraordinary measures, may carry out processing, including communication between them, of personal data, including those related to Articles 9 and 10 of the GDPR, which are necessary for the performance of the functions assigned to them in the context of the emergency determined by the spread of COVID-19. These entities may omit the information referred to in Article 13 of the same Regulation or provide simplified information, after oral communication of the limitation to the interested parties. In the same way, authorizations may be given. The rule specifies that the communication of personal data to public and private entities, other than those referred to in Articles 9 and 10 of Regulation (EU) 2016/679, is carried out in cases where it is indispensable for the performance of activities related to the management of the ongoing health emergency.
The provision specifies that the processing of personal data shall be carried out in accordance with the principles of Regulation (EU) 2016/679, taking appropriate measures to protect the rights and freedoms of the data subjects, and limited to the period of the state of emergency, at the end of which appropriate measures will be taken to bring the processing of personal data carried out in the context of the emergency back within the ordinary powers and rules governing the processing of personal data. For some this provision represents a step backward in the protection of privacy; however, it should be noted that the preeminent interest worthy of protection at this time is public health. Therefore, always respecting the dignity of individuals, the rule allows, in very exceptional and emergency cases, a temporary derogation from the good rules of the GDPR. In conclusion, if the company falls into one of the categories referred to in the aforementioned Art. 14, in case of necessity it can carry out the processing in the manner described above.
The social partners have arrived at a protocol that provides operational guidance aimed at increasing, in non-healthcare workplaces, the effectiveness of precautionary containment measures to counter the COVID-19 outbreak. Confirmed within the document is the provision for the reduction and/or temporary suspension of activities, along with the possibility for the company to use agile work and social shock absorbers. The stated objective of the Protocol is to combine the continuation of production activities with the guarantee of health and safety conditions of working environments and working methods. In the context of this objective, the continuation of production activities can in fact take place only in the presence of conditions that ensure adequate levels of protection for workers. Below we see the operational implications of the Protocol within the company.
The first point of the Protocol is dedicated to them. The company must inform all workers, and anyone who enters its premises, of the content of the provisions of the Authorities by delivering and/or posting at the entrance and in the most visible places of the company premises, appropriate information documents from which it must be evident:
The taking of body temperature constitutes the processing of personal data and, therefore, must be done in compliance with the European Regulation on Personal Data Protection (EU Reg. 2016/679). The Protocol also suggests the operational modalities of data processing:
1) take the temperature and not record the acquired data;
2) provide the information on the processing of personal data in accordance with Art. 13 GDPR:
- with reference to the purpose of processing, the prevention from COVID-19 infection may be indicated;
- with reference to the legal basis, the implementation of anti-contagion security protocols in accordance with Art. 1, no. 7, lett. d) of the Prime Ministerial Decree of March 11, 2020 may be indicated (Art. 6, lett. e), as well as Art. 9, lett. b), GDPR);
- with reference to the timing of any data retention, it will be possible to indicate the end of the state of emergency.
The Protocol recalls that data may be processed exclusively for purposes of prevention from COVID-19 infection and should not be disseminated or disclosed to third parties outside the specific regulatory provisions.
With reference to the legal basis, the above processing represents an explicit derogation from the prohibition under Art. 9, para. 1, GDPR to process the special categories of personal data – including data related to health – falling under the case of para. 2, lett. (b), of the same article where “the processing is necessary to comply with the obligations and exercise the specific rights of the data controller or the data subject in the field of labor law and social security and social protection, insofar as it is authorized by Union or Member State law or by a collective agreement under the law of the Member States, where there are appropriate safeguards for the fundamental rights and interests of the data subject.”
The Regulatory Protocol also suggests that appropriate security and organizational measures be defined to protect the data. In particular, from the organizational point of view, it is necessary to identify the persons in charge of processing and provide them with the necessary instructions. Those in charge are understood to be professionals subject to professional secrecy. In fact, the Protocol specifies that “the competent doctor shall report to the company situations of particular fragility and current or past pathologies of employees and the company shall provide for their protection in respect of privacy the competent doctor shall apply the indications of the Health Authorities”. As for the measures, those who carry out the aforementioned processing must always operate with reference to the provisions of paragraph 1 of Art. 25 GDPR in relation to the pseudonymization of data, as well as all the provisions of Art. 32 GDPR.
In this regard the Guarantor intervened, specifying that where the issuance of a statement is required attesting that one does not come from epidemiological risk areas and has had no contact, in the last 14 days, with subjects who have tested positive for COVID-19, it is the Protocol itself that recalls the need to pay attention to the regulations on the processing of personal data, since the acquisition of the statement constitutes data processing. To this end (in accordance with the so-called principle of minimization ex Art. 5, par. 1, lett. c), GDPR) it is suggested to collect only the data that are necessary, adequate and relevant with respect to the prevention of COVID-19 infection.
On March 16, 2020, the Chairwoman of the European Data Protection Board (EDPB) intervened, through the issuance of a Statement, on how to apply data protection legislation in the context of the coronavirus crisis. This intervention became necessary in order to attempt to harmonize the previous guidance provided by the numerous European Data Protection Authorities, which in recent days had expressed often discordant views on the matter. First, the EDPB clarified that privacy legislation does not constitute a limitation on the adoption of measures to combat the coronavirus pandemic. On the contrary, the Committee emphasizes how the European Regulation itself offers a variety of legal bases that can be used, as an alternative to consent, to process personal data as a measure to contain the contagion.
In the light of the above regulations and indications, and pending more precise indications at both the national and EU level, it is recommended to limit processing to what is deemed strictly necessary, and to always carry it out in compliance with the provisions of the GDPR as well as with respect for human dignity.