Publication of the legislative decree of harmonization to the GDPR: news on labour, sanctions and small and medium-sized enterprises
By Damiana Lesce, Paola Lonigro and Valeria De Lucia
On 4 September 2018, Legislative Decree no. 101/2018 was enacted to give harmonization of the national legislation to the EU Regulation no. 679 of 2016 (“GDPR”). The general part of the Italian
Privacy Code is almost completely replaced by the provisions of the regulations. Therefore, the rules on principles, legal bases of compensation, information and prior consent are repealed and replaced by European ones. As for the special part of the Privacy Code, below is a summary of the main news, starting from those in labour law.
- CURRICULUM VITAE
The information pursuant to art. 13 GDPR must be provided at the time of the “first contact”, following the sending of the curriculum. The consent of the candidate to the processing of personal data contained in the curriculum is not required.
- REMOTE CHECKS
The discipline is expressly made in art. 4 of the Workers’ Statute of Rights (as amended in 2015 by the Jobs Act).
- CONSENT OF MINORS
Consent can be expressed at the age of 14. Below this threshold, consent will be given by those who exercise parental responsibility.
- DEONTOLOGICAL CODES AND GENERAL AUTHORIZATIONS
The Legislator has decided to guarantee the continuity without prejudice, for a transitional period, the provisions of the Guarantor and the authorizations, which will be the subject of subsequent review. The Guarantor for the protection of personal data, will issue ethical rules concerning the processing of personal data in some sectors (work, journalism, statistics and scientific research), involving stakeholders and carrying out a public consultation.
- SIMPLIFICATIONS FOR SMES
The privacy obligations for SMEs will be simplified. The Guarantor for the protection of personal data promotes simplified procedures for the fulfillment of the obligations of the data controller.
The Italian legislator has decided to make use of the right, granted by the GDPR to all Member States, to provide for criminal sanctions for certain violations of the privacy legislation, which are in addition to the severe administrative sanctions provided for in the regulation. They are criminally sanctioned for:
- illicit processing of personal data;
- fraudulent acquisition of personal data processed on a large scale;
- the communication and illicit dissemination of personal data being processed on a large scale;
- false statements made to the Guarantor;
- failure to comply with the provisions of the Guarantor;
- The violation of paragraph 1 of the art. 4 of the Worker’s Statute of Rights