New Health and Safety Protocol between firms and trade unions to contain the spread of COVID-19

Search by...

After almost two months of lockdown, Italy is going to (partially) reopen its economy and establish a “new normal” for the everyday life of firms and citizens. On April 24, employers and employee representatives (firms and trade unions) agreed on an updated version of the health and safety protocol (the “H&S Protocol”) issued on March 14 to prevent the spread of COVID-19 in the workplace by regulating access to company premises and work-shift schedules, as well as sanitization of work environments and cleaning of offices and IT devices.

The measures listed in the H&S Protocol of March 14 and in the updated version are binding for companies whose activities are not suspended (see Art. 2 (10) Prime Minister Decree April 10, 2020 and Art. 2 (6) Prime Minister Decree April 26, 2020).

The updated H&S Protocol introduces several new significant measures that companies need to take into consideration when tackling the challenge of reopening; it also indicates that if an adequate level of protection is not provided, a company’s business may be suspended until safe conditions are restored.

New measures included in the H&S Protocol are as follows:

  • involvement of company medical service: it is opportune to engage the company medical service in decisions regarding reopening with reference to identifying particularly vulnerable employees and the planned return of those who have contracted COVID-19 infections;
  • employees who have contracted COVID-19 infections: these employees are allowed to come back to work only after the company has received a medical certificate verifying negative swab-test results; in addition, before giving the green light to employees returning to work, the company medical service should carry out examinations to confirm that they are in condition to perform their roles;
  • remote working and social distancing: remote working is still encouraged and social distancing in the workplace is mandatory; the H&S Protocol suggests implementing measures such as reorganization of workspaces, staggered work shifts, and relocation of employees to empty rooms;
  • oversight for contractors: companies are required not only to inform contractors working at their premises about the safety measures adopted, but also to monitor their compliance with the same procedures;
  • use of personal protective equipment: it is mandatory that employees who work at a distance of less than one meter from each other wear protective masks; other protective personal equipment may be used, based on the risk assessment for each individual company; it is critical to provide appropriate information to personnel on the correct use of personal protective equipment.

Comparable measures are also listed in the technical document that INAIL published on April 23, which clarified the requirement that those actions be included in the risk assessment document (“DVR“).


The implementation of these measures — many of which involve the processing of personal data — triggers the adoption of certain safeguards in order to make them compliant with applicable data protection laws.

Companies may require personnel to have their temperatures taken before they access company premises and can forbid those whose temperatures are higher than 37.5°C (or who refuse to have their temperatures taken) from entering. In doing so, however, they shall:

  • Not record the temperatures of all employees, but only those higher than 37.5°C;
  • Provide employees with information concerning the processing of their data for this purpose: the legal basis for the processing could be the implementation of health and safety protocols provided by the relevant decree of the Italian prime minister;
  • Implement proper security measures: employees who are in charge of taking the temperatures of other employees shall be duly identified and authorized; data shall not be disclosed unless required and regulated by law, etc.;
  • If an employee has a body temperature higher than 37.5°C and must be isolated, or if an employee notifies the company that they have been in contact with individuals who have tested positive, all measures to protect the anonymity of the employee must be taken.

If a company decides to submit questionnaires to employees asking for information about their contacts or movements in the previous 14 days, it shall collect only information that is strictly necessary to take preventive measures (for example, avoid collecting detailed information or the names of those who have been in contact with the employee), in accordance with the minimization principle under data protection laws.

The H&S Protocol also clarifies that the same rules apply to visitors accessing company premises.

Based on the above, it is clear that — when adopting the measures aimed at containing the spread of the virus — an integrated approach that takes into account labor law requirements, compliance with health and safety requirement, and data protection law provisions should be employed when planning to reopen business activities while effectively limiting the risk of infection.


As outlined in our previous alert, failing to protect employees from workplace transmission of COVID-19 could translate into the risk of severe injury to or death of employees, which, in turn, may trigger corporate criminal liability pursuant to Legislative Decree No. 231/2001.

The risk of facing corporate criminal liability provided by Legislative Decree No. 231/2001 amid the COVID-19 emergency exists if:

  • an employee gets a COVID-19 infection at work and as a consequence dies or suffers severe injury (e.g., disease lasting more than 40 days);
  • contagion is made possible due to a company’s failure to adopt adequate protective measures;
  • a company somehow benefits from the lack of safeguards, for example, it sees cost savings due to not adopting all necessary safety measures.

Relevant to this angle of analysis is that Art. 42 of Law Decree No. 18 dated March 17, 2020 stipulates that getting a COVID-19 infection “during working activity” is a work accident pursuant to Legislative Decree No. 81/08, thus confirming the potential relevance of contagion in the workplace in terms of corporate criminal liability deriving from the breach of H&S regulations.

Therefore, companies must take special care in handling COVID-19 during the reopening phase. From a compliance perspective, it will be critical not only to adopt and properly document all the required safety measures, but also to oversee them and ensure that they are successfully implemented, which entails specific audits of adequacy and effectiveness, training sessions, sanctions for noncompliant behaviors, and periodic reviews and updates of the safeguarding actions taken in light of the current fast-changing situation.

Article filed under: COVID-19, Data Protection
Follow us on