Decree on Transparency And Workers’ Privacy

In a recent notice sent to the Ministry of Labour and National Labour Inspectorate, the Italian Privacy Authority communicated its first guidelines with regard to the protection of workers’ personal data, for the application of Legislative Decree no. 104 of 27 June 2022 (the so-called ‘Transparency Decree’) on transparent and predictable working conditions, which came into force on the 13th of August 2022.

Indeed, Article 4(2) of the aforementioned Decree incorporates Article 1-bis into Legislative Decree No. 152/1997 (on the employer’s disclosure obligations towards the employee), thus introducing additional disclosure requirements for the employer in the event of the use of automated decision-making or monitoring systems, i.e. for systems that, via data collection and processing conducted by algorithms or artificial intelligence, are capable of making a number of automated decisions.

Thus, since the use of such systems involves the handling of personal data, the entry into force of the Transparency Decree requires the employer to provide the data subject with more specific and more extensive information than that already provided for in Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR), so as to ensure even greater certainty and transparency when processing each employee’s personal data.

In specific terms, if the conditions for the implementation of the new disclosure obligations are met, the employer, in his capacity as data controller, will have to disclose to the data subject, in addition to what is already required by Articles 13 and 14 of the GDPR: the elements of the employment relationship that are affected by the use of automated decision-making or monitoring systems, the functioning of such systems and the parameters used to programme or configure them; the control measures adopted for automated decisions, any correction processes and the person responsible for the quality management system; the level of the systems’ accuracy, robustness and cybersecurity, the metrics used to measure such parameters, and the potentially discriminatory impacts of said systems.

The new employer disclosure obligations apply, above all, to subordinate, administered and intermittent employment contracts, to collaborative working relationships with predominantly personal and continuous services arranged by the client, to coordinated and continuous collaboration contracts, and to occasional service contracts. Moreover, for all employment relationships, these obligations must be fulfilled prior to the commencement of employment, and for those employment relationships that pre-date the 1st August 2022, employees will be able to make a specific written request to the employer in order to obtain the additional information, without the right of access to their personal data, under the conditions and within the timeframe provided for by Article 15 of the GDPR.

To this end, the Guarantor for the Protection of Personal Data requests that the specific information on the decision-making or monitoring systems be disclosed to the employee along with the information referred to in Articles 13 and 14 of the GDPR, in a concise, transparent, intelligible and easily accessible form, and using simple and clear language, in accordance with the provisions of Article 12 of the GDPR. This is both to avoid the fragmentation of information for data subjects, and to simplify the employer’s obligations.

Moreover, the Authority emphasises in its guidelines that the employer, as data controller, must:

  • verify the existence of an appropriate lawful basis pursuant to Article 6 of the GDPR before proceeding to process workers’ personal data through automated decision-making systems;
  • comply with the conditions for the lawful use of technological devices in the sphere of labour relations, pursuant to Article 88 of the GDPR, ensuring at all times the existence of a lawful basis established by Article 4 of Law no. 300/1970;
  • comply with the general principles of processing, pursuant to Article 5 of the GDPR, and put in place all the obligations provided for by current legislation on the protection of personal data;
  • assess whether the processing operations it intends to carry out are likely to present a high risk to the rights and freedoms of individuals, such that a prior data protection impact assessment is necessary, pursuant to Article 35 of the GDPR;
  • respect the principles of data protection by design (privacy by design) and by default (privacy by default), provided for in Article 25 of the GDPR.

In these first guidelines on the Transparency Decree, the Guarantor also specifies that the employer, in his capacity as data controller, subject to the conditions set out in Article 30 of the GDPR, must draw up a register of processing activities, in order to record all the processing operations performed and to document their compliance with data protection rules, although the employer is not obliged to inform the data subjects of this preparation procedure or of any updates.

Finally, the Guarantor emphasises that, should the use of the aforesaid systems give rise to a wholly automated decision-making process, including profiling, which would have legal implications for the data subject or would significantly affect them, consideration must be given, pursuant to Article 22 of the GDPR, as to the circumstances in which it would be permitted to waive the data subject’s right to not be subjected to such processing as well as the safeguards to protect them, including the right to seek human intervention from the data processor, to express their opinion on the matter and to contest the processing decision.