Privacy and the working relationship. The European Supervisory Authority Guidelines

Privacy and the working relationship. The European Supervisory Authority Guidelines

By Damiana Lesce, Valeria De Lucia and Paola Lonigro

Under article n. 267 of June 15, 2017, of the Italian Personal Data Protection Authority rejected  the request of an employer, aimed at processing the  personal data  of employees in compliance with the terms of  a commercial contract, whereby the employer undertook to notify to its clients the name of its employees with criminal records.

May 2018 is getting closer and, since September, companies and public administrations will have to comply with the Privacy Policy. In this regard, we recommend the Opinion on Data Processing at Work 2 / 17- 8 June 2017 – Article 29 Data Protection Working Party of European  Data Protection Agencies summarizing the fundamental principles for the treatment of sensitive data:

RIGHT TO RESPECT PERSONAL LIFE, THE LIBERTY AND DIGNITY OF THE WORKER. Every worker has the right for his private life, freedom and dignity to be respected; every worker must be adequately informed about how to treat personal data in a clear, simple and exhaustive manner.

BALANCE BETWEEN CONTROL AND PURPOSE. Each treatment must be proportionate to the purpose pursued and the use of personal data as limited as possible. For example, geolocation tools can be used strictly for business purposes and the worker there must be possibility to disable the locator.

EMAIL AND INTERNET CONTROLS. It is legitimate to introduce tools and technologies to reduce the risks of computer attacks and the spread of confidential information, but you cannot spy on employees’ mail or their internet browsing.

SOCIAL NETWORK. Any consultation or monitoring of social networks should be limited to professional status, excluding the private lives of employees or candidates for recruitment.

PRIVATE SPACE OFFER ON COMPOUNDS AND CLOUD SERVICES. To encourage the correct use of corporate tools and policies while respecting the privacy of employees,  Data Protection Officer invite employers to dedicate, for example, WIFI connection areas and to define reserved spaces on computers and smartphones, cloud and e-mail, where documents can be stored or personal communications can be made which are not accessible to the employer except in absolutely exceptional cases.

WORKERS’ CONSENT IS NOT SUFFICIENT TO LEGITIMIZE TREATMENT. To be considered valid, consent to treatment, must be voluntary. Therefore, it will not be enough for companies and public entities to acquire employee consent for the processing of their data. Data Protection Officer suggest resorting to common normative or contractual arrangements in a balance-of-arms relationship with workers’ rights and freedoms. Apart from being voluntary, the consent must of course be informed. Once again then, corporate policies remain and will be important.


Related Posts

Legitimate dismissal (for poor…

(By Enrico Vella, Trifirò & Partners Law Firm) With Ordinance No. 24722/2022 of 11.8.2022, the Supreme Court of Cassation, ruling on the legitimacy of a dismissal imposed for poor performance,…
Read more

The dismissal of probationary…

(Court of Milan, 22 June 2022, no. 1638) Labour Law (case followed by Andrea Beretta) An employee hired with a part-time contract and dismissed during the probationary period, challenged the…
Read more

The new world of…

As has been effectively said, the future (or present) of the world of work - a consequence of economic and organisational transformations due to the pandemic - is a hybrid…
Read more