Employment/Labour- Italy
Introduction
Pursuant to the Privacy Code (Legislative Decree 196/2003), an employer is generally free to use personal information relating to employees insofar as such use is necessary to ensure the day-to-day functioning of the employment relationship (eg, for the preparation and delivery of pay slips).
A resolution issued by the Authority for Personal Data Protection and published in the Official Gazette on December 7 2006 acknowledges the delicate nature of privacy issues and the increasing number of requests for clarification received by the authority from employer and employee associations. The resolution sets out rules and guidelines aimed at clarifying the most common areas of concern. The rules, which will be updated periodically, are described as:
"a framework of measures and basic behaviour to be adopted by employers and employees, aimed at providing useful tips and guidelines on issues of processing personal data in connection with the management of the employment relationship, and focusing on the most appropriate action to be taken in connection with such data."
Partly in light of the criminal penalties provided for in the code, the rules focus particularly on the use of new technologies in the workplace. However, as the rules do not cover certain areas, such as internet use and email monitoring, the authority has announced that further measures will be enacted.
The rules make reference to the general principles set out in the code, according to which an employer may process an employee's data on condition that:
-
such processing is carried out lawfully, in as non-intrusive a manner as possible and with the sole aim of fulfilling obligations arising from the individual's employment agreement;
-
the employee is given adequate advance notification of such processing by means of an information notice, as required by Article 13 of the code;
-
the employer has previously requested and obtained the employee's consent - this is necessary only in cases where other conditions, such as contractual obligations or conditions relating to economic data, do not supervene;
-
the employer complies with the authority's instructions in relation to data which is sensitive for legal or other reasons; and
-
the employer adopts appropriate security measures and appoints specialized personnel to protect sensitive data.
Biometric Technology and Medical and Physical Data
The rules prohibit the uncontrolled use of biometric data, particularly data derived from digitally recorded fingerprints. By its nature, such data requires that the employer adopt certain measures aimed at preventing prejudice to its employees. Such measures are particularly aimed at preventing attempts to reproduce an employee's fingerprints for wrongful purposes and other actions aimed at using such material against an employee's will or without his or her consent.
The use of biometric data is permitted only in particular cases, which must be assessed with reference to the employment context and the professional reasons for such use, in order to prevent unlawful access to premises defined as 'sensitive' on the basis of the activities carried out therein (eg, hazardous production processes, work of military importance and storage of secret goods or documents).
The contents of employees' medical files compiled by the medical personnel of the company or facility in the course of their activities are covered by professional confidentiality obligations. Such personnel bear sole responsibility for the responsible processing of such data; the employer must not have access to it.
Intranets
Consent is required if an employer wishes to publish personal information about an employee (eg, a picture, a curriculum vitae or other biographical data) on a company intranet. However, an employer is not required to obtain consent before posting the following items on the company's bulletin board:
Security Requirements, Badges and Personal Identification
An employer must (i) appoint specialized personnel with adequate training in the processing of confidential data, and (ii) adopt measures to prevent third parties (ie, parties not designated as having responsibility for such processing) from obtaining employees' personal information without authorization.
The obligation to wear a clearly visible badge while at work is usually connected to a need to identify an employee and his or her employer in dealings with the public. The authority states that such an obligation is lawful, but that an employer's wish that an employee wear a badge must be weighed against the employee's right to privacy. Therefore, the employee's full name should be replaced by some other means of identification (eg, his or her first name or a specific identification code) wherever possible.
| 
