[doc. web n. 3800330]
Authorisation No. 1/2014 Concerning Processing of Sensitive Data in the Employment Context
Published in Italy´s Official Journal No. 301 of 30 December 2014
The Italian Data Protection Authority
Having convened today, with the participation of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code (hereinafter, the "Code");
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Having regard to Section 26(4), letter d), of the Code, providing that sensitive data may be processed without the data subject´s consent, subject to the Garante´s authorisation, if the processing is necessary to fulfil specific tasks or duties that are set out in laws, regulations, or Community legislation in connection with management of the employer-employee relationship, as also related to occupational and/or population hygiene and safety, social security and assistance, in accordance with the limitations laid down in the relevant authorisation and without prejudice to the provisions set out in the Code of conduct and professional practice referred to in Section 111 of the Code;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas it is appropriate to grant new authorisations replacing those due to expire on 31 December 2014 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for twenty-four months;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;
Whereas the processing of sensitive data is carried out, to a considerable extent, in the employment context;
Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;
Having regard to Sections 31 et seq. of the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;
Having regard to Section 41 of the Code;
Having regard to Sections 42 et seq. of the Code regarding cross-border flows of personal data;
Having regard to Section 167 of the Code;
Having regard to official records;
Having regard to the considerations made by the Secretary General in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Prof. Licia Califano;
the processing of sensitive data referred to in Section 4(1), letter d), of the Code for the purpose of managing employer-employee relationships, in compliance with the following requirements.
Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.
This authorisation shall be granted:
a) to natural and legal persons, businesses, bodies, associations and organisations that are parties to a labour relation or hire employees also under atypical, part-time or temporary arrangements, or anyhow entrust the persons referred to under item 2), subheadings b) and c), with professional tasks;
b) to equal representation bodies or other bodies running observatories on labour matters as provided for by Community legislation, laws, regulations, or collective agreements, even when related to individual businesses.
This authorisation shall also apply to the activities performed by:
c) medical doctors competent for occupational hygiene and safety, regardless of their being self-employed professionals or employees either of the entities referred to under a) or of bodies operating under contract with the National Health Service;
d) the employees´ representative for safety matters, also at territorial and/or site level;
e) associations, organisations, federations or confederations representing categories of employer, exclusively in view of achieving the purposes referred to under point 3), letter h).
2) Data Subjects
Processing may concern sensitive data in respect of:
a) employees – including those that are parties to contracts for traineeship, apprenticeship, occupational inclusion, job sharing, intermittent and/or on-request jobs –, individuals working within the framework of a staff leasing contract, trainees, (joint) partners, and where necessary as per 3) and 4) below, the respective family members and cohabiters;
b) consultants and self-employed professionals, agents, representatives and mandataries;
c) any person carrying out co-ordinated activities during a continuance of time also in the form of a project-based job, and any other self-employed professionals co-operating with the entities as per point 1) also in the form of occasional jobs;
d) applicants for the positions referred to above except as provided for in Section 26(3)b-bis) of the Code regarding such indispensable sensitive data as are contained in CVs/biographies that are submitted autonomously by data subjects with a view to obtaining employment;
e) natural persons holding offices in the legal persons, bodies, associations and organisations referred to under 1);
f) third parties who have been harmed in the exercise of labour or professional activities by the entities referred to above.
3) Purposes of the Processing
The processing of sensitive data must be indispensable:
a) in order to perform or enforce performance of specific obligations, or else to discharge specific tasks as provided for by Community legislation, laws, regulations or collective agreements, as also related to individual businesses, particularly with a view to setting up, managing and terminating employment relationships or else in order to grant benefits or contributions, or to apply provisions related to social security and assistance, including social allowances, occupational or population hygiene and safety, taxation, trade unions, health care, and public order and security;
b) for account-keeping purposes or the payment of salaries, allowances, premia, other kinds of remuneration, gifts or fringe benefits, also irrespective of the cases referred to under a), in accordance with the law and for specific, legitimate purposes;
c) for the protection of either the employee´s or a third party´s life or bodily integrity;
d) for the establishment or defence of a legal claim, also by third parties, before judicial authorities, administrative authorities, and in arbitration or settlement proceedings in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that the data are only processed for said purposes and for no longer than is absolutely necessary to achieve these purposes. If the data are suitable for disclosing health and sex life, the said claim shall have to be of an equal level compared with the data subject´s one or must consist in a personal right and/or another fundamental, inviolable right or freedom;
e) in order to exercise the right of access to administrative records in compliance with the relevant laws and regulations;
f) in order to fulfil obligations resulting from insurance contracts against risks related to employers´ liability for occupational health and safety and occupational diseases, or against any damage caused to third parties in the exercise of labour or professional activities;
g) with a view to affirmative action policies in the employment sector;
h) in order to pursue specific, legitimate purposes as set out in the by-laws of associations, organisations, federations or confederations representing employers´ categories or else in collective agreements with regard to the support provided by trade unions to employers.
4) Data Categories
Processing may concern the data that are closely relevant to the aforementioned obligations, tasks or purposes where the latter cannot be fulfilled, on a case by case basis, by processing either anonymous data or personal data of a different kind, and in particular:
a) with regard to data disclosing religious, philosophical or other beliefs, or membership of associations or organisations with a religious or philosophical aim, any data concerning leave of absence, religious holidays or use of canteen services as well as those relating to conscience objection where this is provided for by the law;
b) with regard to data disclosing political opinions, membership of parties, trade unions, associations or organisations with a political or trade-union aim, any data concerning exercise of public functions and holding of political offices as well as any data relating to trade-union activities or offices (provided the processing is carried out in order to grant (temporary) leave of absence pursuant to laws or collective agreements, even when related to individual businesses), the organisation of public initiatives, and the deduction of fees due for trade-union services and/or membership of political or trade-union associations or organisations;
c) with regard to data suitable for disclosing health, any data that is collected and processed further in respect of disabilities, sickness, pregnancy, child-bearing or breast-feeding, accidents, risk factor exposure, physical and mental qualifications to perform specific tasks, inclusion in certain disadvantaged categories, and any data that is contained in medical certificates attesting to a data subject´s sickness, also in connection with occupational diseases, or anyhow specifying the disease accounting for an employee´s sick leave.
5) Processing Arrangements
Without prejudice to the obligations set out in Sections 11 and 14 as well as in Sections 31 et seq. of the Code, and in Annex B to the latter, processing of sensitive data shall only be carried out via such operations and on the basis of such logic and organisational data arrangements as are absolutely indispensable with regard to the obligations, tasks and purposes referred to above.
The data shall be collected, as a rule, from the data subject.
Data shall be communicated as a rule either directly to the data subject or to the latter´s delegate subject to the provisions made in Section 84(1) of the Code, by using a closed envelope; alternatively, suitable measures shall be taken in order to prevent unauthorised persons from having access to said data, including the requirement of waiting to be served at a reasonable distance.
This authorisation shall be without prejudice to the requirement of informing the data subject and obtaining his/her consent in writing whenever necessary as per Sections 13, 23 and 26 of the Code.
6) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, sensitive data may be kept for no longer than is necessary to fulfil the obligations or discharge the tasks referred to under 3), or else to achieve the purposes mentioned therein. To that end it shall be verified, also by way of regular controls, that the data are closely relevant, not excessive, and indispensable with regard to the existing, planned or terminated relationship, performance or tasks as also regards the data supplied on the data subject´s initiative. Any data that is found to be either excessive or irrelevant or non indispensable, also based on said verification, may not be used except with a view to keeping – as required by law – the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by fulfilment of the abovementioned obligations and/or tasks.
7) Data Communication and Dissemination
Sensitive data may be communicated and, if necessary, disseminated to public and private bodies including health care organisations, private health insurance funds also where set up by individual businesses, employee support institutions and welfare services, tax support centres, employment and recruitment agencies, employers´ and employees´ trade-union associations and organisations, self-employed professionals, external companies acting as autonomous controllers of data processing operations, and the data subject´s family members – insofar as this is closely relevant to the obligations, tasks, and purposes referred to under point 3).
Under Section 26(5) of the Code, data suitable for disclosing health may not be disseminated.
8) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the processing to be performed is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.
9) Final Provisions
Any laws, regulations or Community rules imposing prohibitions or restrictions on the processing of personal data shall be left unprejudiced, especially as regards:
a) Section 8 of Act no. 300 of 20.05.70, prohibiting employers from investigating, also by the agency of third parties, a worker´s political, religious or trade-union opinions or any circumstances that are irrelevant to the assessment of a worker´s professional qualifications, whether with a view to recruitment or in the course of labour relations;
b) Section 6 of Act no. 135 of 05.06.90, prohibiting employers from investigating seropositivity of employees and applicants for/candidates to employment;
c) the provisions against discrimination and those applying to equal opportunity policies;
d) Section 10 of legislative decree no. 276 of 10 September 2003, which prohibits recruitment agencies and any other authorised and/or accredited private entities from carrying out any and all investigations and/or processing operations and/or pre-selection activities concerning workers, also with the workers´ consent, on the basis of personal beliefs, membership of trade unions or political parties, religious beliefs, sex, sexual orientation, matrimonial and/or family status, pregnant status, age, presence of disabilities, race, ethnic origin, skin colour, ascendants, national origin, language group, health status, and disputes with previous employers, as well as from processing workers´ personal data that are not closely relevant to said workers´ professional qualifications and work placement, without prejudice to Section 8 of Act no. 300 of 20.05.70.
This authorisation shall be effective as of 1 January 2015 until 31 December 2016 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 11th day of December 2014.
THE SECRETARY GENERAL