Following interpretive memos from the National Labor Inspectorate (INL) and the Ministry of Labor (please refer to our previous article on these clarifications), the Italian Data Protection Authority (Garante per la protezione dei dati personali, hereinafter also the “Garante”) is taking steps to coordinate the opposing positions and interpretations regarding application of Legislative Decree No. 104/2022 (hereinafter the “Transparency Decree”) by offering a comprehensive interpretation of its provisions in light of EU Regulation 2016/679 (hereinafter the “GDPR”).
By means of Art. 4 of the Transparency Decree, Article 1-bis was introduced into Legislative Decree No. 152 of May 26, 1997. It includes specific obligations when an employer uses “automated decision-making or monitoring systems designed to provide indications relevant to the recruitment or assignment, management, or termination of employment, assignment of tasks or duties, as well as indications affecting the supervision, evaluation, performance, and fulfillment of contractual obligations of workers.”
Since use of these systems triggers processing of personal data as defined in Article 4 of the GDPR, the provisions in the Transparency Decree need to be coordinated with the GDPR. Indeed, the Transparency Decree, in accordance with Article 88 of the GDPR, introduces more specific and protective measures for employees in the work context, and those apply to both pre-employment processing and to processing in the course of the employment relationship.
Below is a summary of the guidelines’ main points.
1. INFORMATION TO BE PROVIDED
The new Article 1-bis of the Transparency Decree requires the employer (as data controller) to disclose certain information to the worker when automated decision-making or monitoring systems are used. Some obligations supplement those in Articles 13 and 14 of the GDPR, while others are more detailed versions of obligations in the GDPR provisions.
The first category includes the following:
- aspects of the employment relationship that are affected by the use of automated decision-making or monitoring systems
- the operating modalities of the systems
- the main parameters used to program or train automated decision-making or monitoring systems, including performance evaluation mechanisms
- control measures for automated decisions, any corrective processes, and the person responsible for the quality management system
- the levels of accuracy, robustness, and cybersecurity of the automated decision-making or monitoring systems and the metrics used to measure these parameters, as well as any potentially discriminatory impact of these metrics
The following elements fall into the second category, meaning they further clarify information that is already covered by Articles 13 and 14 of the GDPR:
- indication of the categories of data processed
- the logic of the automated decision-making or monitoring systems
The provisions of the Transparency Decree apply to all new employment relationships as of August 1, 2022. An employee in an employment relationship established prior to that date may obtain the above information within 60 days of a specific written request addressed to the employer.
For employment relationships established after that date, the additional information requirements must, by express regulatory provision, be fulfilled prior to the commencement of employment.
The widely known recommendations of the Garante apply here. These consist of application of the principles of lawfulness, fairness, and transparency with an eye to simplifying obligations placed on the employer, and the recommendation that all information be provided to the worker before processing begins in concise, transparent, intelligible, and easily accessible form, in simple and clear language, and in a structured, commonly used machine-readable format.
In accordance with Articles 13 and 14 of the GDPR, specific information on automated decision-making or monitoring systems will need to be incorporated into the data processing information notice.
3. EMPLOYER OBLIGATIONS
Employers that use automated decision-making systems are subject to certain obligations under the new Article 1-bis.
First, the data controller must confirm the existence of an appropriate prerequisite for lawfulness under Article 6 of the GDPR before processing employees’ personal data through such systems. In addition, the requirements for lawful use of technological devices at work must be met (Article 88(2) of the GDPR).
Second, the data controller is required to follow general processing principles (Article 5 of the GDPR) and to meet all personal data protection legal requirements.
Furthermore, the principle of accountability requires that appropriate technical and organizational measures be implemented to ensure that the data controller can demonstrate that the processing is carried out in accordance with the applicable law. It is therefore the responsibility of the data controller to assess whether the proposed processing operations, based on the technology used and the nature, subject, context, and intended purposes, are likely to pose a high risk to the rights and freedoms of natural persons, in which case a prior data protection impact assessment is required (Article 35 of the GDPR).
Even when using technological systems created by third parties, the data controller, with the support of the data protection officer, if any, must perform a risk analysis and make sure that functions with no legal basis and those incompatible with processing purposes are deactivated.
In addition, among the general obligations related to personal data processing activities, the GDPR specifically requires the data controller to draw up a register of processing activities when the relevant conditions are met (Article 30 of the GDPR).
Finally, it must be determined whether or not the systems in question perform solely automated decision-making (including profiling) that has legal implications or significantly affects data subjects. If so, Article 22 of the GDPR applies. This article outlines the circumstances in which the right to be exempt from such processing may be waived, as well as protections for the data subject, including the right of the data subject to request human intervention, to express an opinion, and to challenge the decision.
4. ACCESS TO PERSONAL DATA
The Italian Data Protection Authority specifies that an employee’s right to access their personal data pursuant to Article 15 of the GDPR, including the additional information prescribed by the Transparency Decree, is unaffected by the Transparency Decree clause providing that an employee in an employment relationship established before August 1, 2022 may obtain the above information by submitting a specific written request addressed to their employer that the employer shall answer within 60 days.
In light of the Garante’s guidelines, as well as previous memos from the National Labor Inspectorate (INL) and the Ministry of Labor, it is increasingly necessary for an employer to analyze the extent of any automated system in order to identify steps to be taken to ensure compliance with the law from both an employment and a data protection standpoint.