Here is the article by Giusella Finocchiaro and Laura Greco, published in Agenda Digitale on 1st September 2017.
Much has already been said on the new data protection requirements introduced by Regulation (EU) 2016/679 of the European Parliament and the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (and coming into full force from 25th May 2018).
At first reading, the stringent and precautionary nature of the new legislation was already evident, being characterised by an approach based on the risk assessment of data processing and the accountability of the processing subjects.
As confirmation, it is enough to take a look at the considerable number of obligations the Regulation imposes on data controllers and processors. Compliance with the Regulation particularly aims to organise the entire data processing procedure on the principles of privacy by design and default, with the objective of ensuring that both technological and organisational security measures are adequate compared to the potential risks to which data are exposed during processing.
In the framework of the obligations directed at measuring the risks relating to processing activities, one (particularly) stands out for its relevance and challenging nature, namely, the so called Data Protection Impact Assessment (DPIA), a preventive measure that obliges controllers to verify whether processing might expose personal data to high risk, taking into consideration the specific characteristics of the processing itself involved: namely, its nature, subject, context and purpose as well as the use of new technologies. Although strongly recommended for all types of processing, the DPIA is not mandatory except in cases specifically indicated in the Regulation or in the legislation of Member States.
One particular field in which the DPIA appears not only to be suitable but also essential for data controllers is the work sector. In fact data processing carried out in a work environment seems to fall into under the heading of systematic monitoring of data regarding vulnerable subjects.
The term “vulnerable” is not used at random. Working Party art. 29 uses this term to define employees in the “Guidelines on Data Protection Impact Assessment (DPIA)” adopted on 4th April 2017, where the work environment is considered at risk for the rights of data subjects when taking into account the imbalance of bargaining power in favour of the data controller. Working Party art. 29, which had already given indications in the past with regard to the rights of employees in the field of data protection (see opinion 8/2001, WP48 and working document WP55 of 2002) dedicates its recent opinion 2/2017 to the subject of data processing in the work environment.
In this document the Group of European DPAs updated its considerations on the subject matter in light of the new provisions and in particular, of the new obligations introduced by the Regulation.
Confirming that data processing in the work environment must necessarily comply with the principles of transparency, necessity and minimisation, the Group underlines that consent cannot be considered a requirement for safe and reliable legitimacy since workers cannot consider themselves completely free to give consent to or oppose data processing due to the contractual relationships that bind them to their employer. Hence, in the Group’s opinion, other legal bases would be preferable such as the implementation of the work contract, the controller-employer’s compliance with a legal obligation or his legitimate interest.
However, identifying the conditions which make data processing legal is not sufficient where employee monitoring is concerned: there is the need for a clear, understandable and comprehensive policy – the Group confirms – which keeps employees fully informed of monitoring activities and their related purposes.
And it is right here, between the pillars of lawfulness of data processing and transparency that the DPIA fits in, the risk-based safeguard measure, which combines a proportionality test of the legitimate interest of the employer, the technologies used to assure protection of this and the rights of privacy and secrecy of employee communications. According to the Working Party, the introduction of any technology designed to monitor and control workers should be preceded by a DPIA in order to verify whether the data processing (and the ways in which it is carried out) are commensurate with the risk the employer must face.
Following a theoretical presentation of the framework of the Regulation, its fundamental principles and innovations, the Group of DPAs closely examines a series of data processing scenarios that may occur in an organisation’s routine procedure, with particular reference to the use of new technologies. The Group focuses in particular on those technologies that permit the monitoring of employees not only at their work place but also at their homes and, more generally, in their private lives. This happens for example where BYOD (Bring Your Own Device) technologies are used, which allow workers to use their own personal devices for work purposes. The mixed use of such devices might create the risk of processing information outside the work sphere. Therefore, in order to avoid such an eventuality, the Group recommends adopting appropriate measures which would make identifying the use of the device possible.
Finally, in outlining the protection afforded to workers, the European DPAs not only take into account the advanced technological context but also the business world: processing carried out by a business group based in different Member States may mean the transfer of employee data to third countries. In such cases – as well as in the case of the use of applications and cloud-based services that imply a cross-border flow of personal data – data transfer will be legal on condition that the third country data importer assures an adequate level of data protection.
To summarise: legality, transparency, proportionality, balancing of interests, minimisation. These are the key words (and the pillars) of data processing in the work environment.
In addition, it is worth keeping in mind that art. 88, paragraph 1 of the Regulation provides that Member States may “by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context”. This leads to a further reflection on the adequacy of the modifications made to law no. 300, 20th May 1970, (“Workers’ Statute”) by the recent Jobs Act reform. Therefore, there needs to be evaluation of whether the new provisions are in effect sufficient in light of the Working Party recommendations and given the scenarios envisioned, or whether further action by the Italian legislator will be necessary.