February 2018

ITALIAN PRIVACY CASE LAW: Privacy is not a mere tick-the-box formality but calls for adequate governance

Download the newsletter: ita eng
Practice area: Compliance
Lawyers: Andrea Fedi,

ITALIAN PRIVACY CASE LAW: Privacy is not a mere tick-the-box formality but calls for adequate governance

Recently, interesting decisions have been taken by the Italian Data Protection Authority (“DPA”)1 and the Italian Supreme Court2, which shed some light on the approach that such authorities will take on important issues, also in light of the coming into force of the General Data Privacy Regulation3 (“GDPR”) on 25th May, 2018. Briefly, and in anticipation of what will be set out below, companies are required to redefine their internal organisation in order to assess, inter alia, whether and how to (i) create new corporate functions (such as the DPO – see para. 1 below); (ii) review relationships with employees pursuant to new privacy policies (see para. 2 below); and (iii) implement specific protection regarding relationships with external suppliers (see para 3. 3 below).

 

1. The Data Protection Officer

On 15th December 2017, the Italian DPA published a new set of FAQs aimed at better defining the role of the Data Protection Officer (“DPO”) in the public sector. Even if the FAQs have specific focus on the role of DPOs within public administrations, they lay down a number of general clarifications that could be useful for all companies that will have to appoint a DPO before 25th May 2018. 

In particular, the FAQs give the following clarifications:

  • Art. 37 of the GDPR provides that a DPO shall in any case be appointed where the data processing is carried out by a public authority or body. However, the regulation does not provide a definition of “public authority or body”. The FAQs clarify that, besides public administrations and bodies, it is highly recommended that private companies performing public functions (such as, for instance, companies providing public services) also appoint a DPO.

  • Should a public body decide to appoint one of its employees as a DPO, the DPO should be a manager or an officer with a high degree of professional expertise, in order to ensure that he/she performs his/her duties in an independent manner. The FAQs also clarify that no specific certification is required to validate the appointment.

  • The DPO should be appointed by a public administration by means of a formal appointment, which shall include the name and s of the DPO, his/her duties and functions, and a summary of the reasons behind his/her appointment.

  • The GDPR provides that the DPO shall have sufficient resources to perform his/her duties. According to the FAQs, each public body should assess if it is necessary to set-up a dedicated office to support the DPO and hire additional resources. However, the FAQs clarify that it is not possible to appoint more than one DPO for each public entity.

  • The FAQs provide that a DPO is allowed to carry out additional tasks and duties if this does not imply a conflict of interest and does not take time away from his/her role as DPO. Consequently, public entities that process large amounts of complex data shall not require a DPO to carry out additional duties, since this could have a negative impact on his/her performance. The FAQs also clarify that a DPO should not carry out additional tasks or cover other roles that would require him/her to define the objectives and modalities of the data processing, in order to avoid situations of conflict of interest.

As previously mentioned, the FAQs indicate that, besides public administrations and bodies, it is highly recommended that private companies also appoint a DPO. In both cases, the appointment of a DPO is encouraged by the Italian DPA even when it is not strictly mandatory under the GDPR. It is likely that, in the event of litigation, the failure to appoint a DPO may be looked upon unfavourably by Courts as a lack of compliance with obligations by the directors of the legal entity (as has already happened regarding the failure to appoint Supervisory Authorities provided for by Legislative Decree 231/2001).

The FAQs clearly indicate that the DPO will need to have expertise, skills, resources and a corporate position which allows him/her to carry out his/her functions adequately. This will mean that the Board of Directors of legal entities will have to proceed with the appointments on the basis of adequately motivated decisions and provide that the DPOs are given adequate powers and resources. Moreover, these decisions must carefully evaluate the new organisational structure to avoid risks of overlap between the functions of the DPO and those of the other supervisory and control authorities.

 

2. Employees

Through decision no. 25147, dated 24th October 2017, the Italian Supreme Court has recently declared that the firing of an employee for having copied onto a USB certain commercially valuable data owned by the employer as legitimate and – in such regard - it also took the chance to reiterate the following principles:

a) an employee can be fired legitimately by an employer for having breached duty of loyalty4; and

b) a breach of duty of loyalty occurs, inter alia, when an employee takes out commercially valuable data (which are a company’s asset) from the employer’s control and supervision.

The Italian Supreme Court also states that, the employee’s unfaithful conduct aimed at taking out commercially valuable data entails a breach of the duty of loyalty regardless of (i) the reason pursued by the employee in taking commercially valuable data from the employer; (ii) the existence of an actual loss suffered by the employer5; and (iii) the circumstance that the employee had free access to the data, which had not been (directly or indirectly) marked as confidential, through the use of passwords or by other forms of protection6.

From a legal standpoint, employers are nonetheless always encouraged to implement certain measures aimed at protecting their commercially valuable information from employees’ unfaithful conduct. This matter was also addressed by the Italian legislator through the approval of the so called Jobs Act7 which, inter alia, allows the use of the defensive remedies (controlli difensivi) aimed at securing the company’s valuable data from employees’ unfaithful conduct. Most of the time, such defensive remedies imply the use of electronic devices (e.g. audio-visual equipment)8, which do not constitute a problem if and to the extent, employers adopt9 an ad hoc privacy policy aimed at regulating, among others:

a) the permitted use of the company’s assets (including personal computers, smartphones, electronic mail, internet, etc.);

b) the use of the employer’s confidential information; and

c) the employer’s right to process employee’s personal data (e.g. by accessing employees’ e-mail business accounts) in order to ensure their compliance with the duty of loyalty and – in case of unfaithful conduct – to apply the relevant sanctions (including lawful dismissal for misconduct).

Privacy law is not an isolated fragment of compliance rules but interacts strongly with labour law.

Companies should be sure to have implemented all tools and policies necessary to comply with data protection restrictions but to also have the possibility to carry out investigations and use the outcome of their audits as evidence in labour proceedings10. To that effect, appropriate privacy policies and, when necessary, agreements with trade unions are of the essence.

 

3. Outsourcers

The Italian DPA has also recently scrutinized the data processing by an Italian political party whose online platform, used by its members to e-vote for the selection of candidates at elections, had been repeatedly hacked in a short period of time. The decision of the Italian DPA, although it was taking into account a specific case, reiterated some general principles. More specifically, the provision of the DPA has:

a) emphasised once again the pillars that must be respected in terms of transparency of the data processing (not only by a political party but by all data controllers), by ordering to clarify the roles of the various entities and subjects involved in the data processing in the information notice provided to the data subjects, i.e.:

• co-controller;
• data processor on behalf of the controller;
• person in charge of the processing under the supervision of a controller or supervisor;

b) found unlawful communication of personal data from the party to some of its providers of services; and above all;

c) set-out a list of adequate security measures to prevent damage in case of future cyber attacks to the platform, such as:

• carrying out a vulnerability assessment,
• strengthening of the authentication mechanisms of the users,
• adoption of safer communication protocols (https) and stronger cryptographic algorithms to protect the users’ credentials, as well as
• measures to monitor the activities of system administrators during e-voting sessions.

Various points regarding general application can be drawn from the above decision of the Italian DPA.

Firstly companies that process personal data are called upon to review all data flows in order to ensure that recipients of data are correctly indicated in the privacy information notice and appropriately identified as data processor or co-controllers.

Secondly it is necessary to implement security tools (including IT mechanisms and safeguards) and at the very least carry out the activities mentioned in paragraph (c) above.

All in all, companies are required to reconsider their organisation: new corporate functions might be created (such as the DPO), relationships with employees should be governed with new policies and outsources must give warranties of compliance, be correctly appointed and remain subject to supervision. The above involves more clarity of privacy functions and adequate delegations of powers. An approach to data protection which does not consider the overall governance of the company would likely prove ineffective or even counterproductive. It is therefore necessary that privacy (as in the case of anticorruption) is not considered as a mere “check-the-box” fulfilment, but becomes an integral part of the overall governance and organisation of the business.

 

***

1 Garante per la protezione dei dati personali.

2 Corte di Cassazione.

3 Regulation (EU) 2016/679 of the European Parliament and of the Council.

4 Under Italian law, the duty of loyalty is expressly mentioned under Article 2105 of the Italian Civil Code which, however, does not specify which behaviour are eligible to breach such duty. As a consequence, behaviour that are eligible to determine a breach have been elaborated by judges in their rulings.

5 In this regard, the Italian Supreme Court confirmed that the potential capability of an employee’s conduct to violate the employer’s economic interests is sufficient for the purpose of determining a breach of duty of loyalty.

6 It would be unreasonable to impose on employers the duty to prevent their employees from having access to the commercially valuable data and/or information that – in most cases – are necessary in the ordinary course of business.

7 Reference is made to Article 4 of the Workers’ Statue (i.e. Law n. 300 dated 20th May 1970), as amended by the Italian Jobs Act (i.e. Legislative Decree n. 151 dated 14th September 2015).

These means shall be priory authorized by the local trade unions only if and to the extent such means allow the employer to perform a remote control (controllo a distanza) on the employees’ working activity. At the opposite, in absence of any form of remote control, and based on the assumption that the above mentioned electronic means are exclusively aimed at protecting the employer’s business or assets, no prior authorization shall be obtained.

Reference is made to the guidelines issued by the DPA through decision n. 13 dated 1st March 2007 on the use of internet and of electronic mails.

10 This principle has been also confirmed by the European Court of Human Rights within its decision dated 12th January 2016, originating from application n. 61496/08 which has been filed by a Romanian citizen against Romania. In particular, Romania was accused to have failed to condemn a Romanian employer form breach of its employee’s data protection rights due to performance of an unauthorized access to such employee’s personal communications in absence of a prior information notice concerning (i) such right of access by the employer aimed at controlling the use of the employer’s equipment and (ii) the expected intended use that the employee was allowed to make of the employer’s equipment (including the potential prohibition to use such equipment for personal purposes). In such a context, the Court took to chance to reiterate the following principle: “A human-rights centered approach to Internet usage in the workplace warrants a transparent internal regulatory framework, a consistent implementation policy and a proportionate enforcement strategy by employers.


DISCLAIMER

The only purpose of this Newsletter is to provide general information. It is not a legal opinion nor should it be relied upon as a substitute for legal advice.