The post THE EMPLOYEE’S RIGHT TO PRIVACY PREVAILS OVER ADMINISTRATIVE TRANSPARENCY appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

In a precedent-setting decision, on 29 April 2025 the Italian Data Protection Authority (“Garante della privacy”) issued its first sanction under the General Data Protection Regulation (GDPR) for the unlawful storage of so-called “metadata” of employees’ e-mails and web surfing activities, applying for the first time the Guidelines published in June 2024.

As part of the inspections carried out in order to assess the compliance of the processing operations carried out at work by the Regione Lombardia (the regional government of Lombardy) with the rules on the protection of personal data, the Garante had found that the latter had kept metadata and navigation logs for 90 and 365 days respectively, a period of time far longer than that provided for by the Guidelines. Moreover, the Regione Lombardia had kept non-anonymous logs relating to each employee’s access attempts to websites listed on a blacklist. As a result, the Garante started proceedings against the Regione Lombardia given that that the processing of the data concerned was contrary: to i) the sector regulations on remote control with regard to the storage of metadata generated by the activities of employees in relation to both the use of the e-mail service and internet browsing; ii) the conditions laid down by the sector regulations with regard to the use of the metadata collected for other purposes connected with the management of the employment relationship; and iii) the storage periods of the logs relating to internet browsing as well as the data relating to requests for technical assistance.

The Garante has preliminarily recalled that e-mails’ metadata are backed by confidentiality guarantees, which are also constitutionally protected, and are intended to ensure protection of the essential core of a person’s dignity and the full development of his/her personality in social settings, so that, even at work, there is a legitimate expectation of confidentiality with regard to correspondence and, similarly, to the elements that can be inferred from the external data thereof, which define its temporal profiles as well as its qualitative and quantitative aspects also with regard to the addressees and the frequency of contact (which, in turn, are susceptible to aggregation, processing and control). The Workers’ Statute, moreover, strictly identifies the purposes for which instruments may be used at work, establishing precise procedural guarantees.

Although the Regione Lombardia claimed that electronic e-mails were used by the employee to work, such notion within the meaning of the Workers’ Statute can only include services, software or applications that are strictly functional to the latter. This, however, is not the case where e-mail’s metadata are collected and stored, in a preventive and generalised manner, over an extended period by computer programmes and services for managing e-mails. Such processing operations, in fact, are carried out, for the employer’s own needs, automatically and independently of the employee’s perception and will. The metadata concerned, moreover, remain at the exclusive disposal of the employer and, on his/her behalf, of the service provider, documenting the traffic even after the possible deletion of the message by the worker who, instead, retains the availability of the messages that, as sender or recipient, he/she exchanges within the mailbox assigned to him/her by the employer, with the subsequent risk of an indirect remote control of the workers’ activity.

In such a context, therefore, in order for Article 4(2) of the Workers’ Statute to be deemed applicable, the collection and storage of only those metadata necessary to ensure the operation of the e-mail system infrastructure and the fulfilment of the most essential computer security guarantees, on the basis of technical assessments and in compliance with the principle of accountability, may be carried out for a period limited to a few days, in any case not exceeding 21, unless the data controller adequately shows that particular conditions that make such an extension necessary on account of the specificities of his/her technical and organisational reality are actually present. Conversely, the generalised collection and storage of e-mail’s metadata, for a longer period, in the presence of requirements in any case attributable to the security and protection of the employer’s assets, makes it necessary to exercise the guarantees provided for by Article 4(1) of the Statute, since it may entail an indirect remote control of the workers’ activities.

The systematic collection and storage of all log files generated by employees’ use of the Internet in the context of the employment relationship gives rise to a generalized processing of data. This includes data on unsuccessful attempts to access websites already listed on a blacklist, which are in any case blocked by the system.

Since employees remain identifiable, and there is a clear link between the activity, the employee, and their specific workstation, such processing makes it possible to reconstruct their actions through technological systems.

In these cases, the employer must comply with the procedural safeguards set out in Article 4(1) of the Workers’ Statute. These safeguards are a legal requirement for the lawful processing of the data in question.

Given that the Regione Lombardia had collected and processed all the employee’s internet surfing logs in the absence of the prior conclusion of a collective agreement with the competent trade unions, the processing at stake therefore took place, within the limits of that timeframe, in breach of the GDPR.

All of that considered, the Garante decided, on the one hand, to sanction the Regione Lombardia with a EUR 50,000 fine and, on the other hand, to order it, among other things, to limit the storage of navigation logs to 90 days and then proceed to anonymisation, to minimise and encrypt e-mail’s metadata, to limit access to metadata to authorised personnel only, and to update internal policies and privacy documentation.

In light of the Garante’s findings, companies are called upon to review their metadata and network log management practices very carefully. Even before the decision, a high level of caution was needed in the handling of e-mails, requiring, for example, transparency on the checks carried out and the timely deletion of the boxes of terminated employees. The recent sanction introduces a further level of caution, extending the compliance obligation also to so-called “external” data, such as metadata and log files, which can lead to indirect monitoring of work activity. In this regard, e-mail’s metadata should normally be retained for no longer than 21 days, while browsing logs should be limited to 90 days, followed by anonymisation. It is also crucial to update privacy notices, limit data access, encrypt data and adopt consistent internal policies. Only a structured and compliant approach can guarantee the protection of workers’ rights and corporate compliance and avoid significant consequences for the organisation, including with regard to sanctions by the competent authorities, as demonstrated by this case.

Download the article

The post THE ITALIAN DATA PROTECTION AUTHORITY HAS ISSUED A SANCTIONING DECISION REGARDING THE PROCESSING OF EMPLOYEES’ METADATA appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

Partecipa al nostro prossimo evento/breakfast, in collaborazione con Camera di Commercio Italo-Svedese Assosvezia, in tema di Artificial Intelligence!

🗓️ mercoledì 10 luglio 2024,
🕔 a partire dalle ore 09:00

Sarà possibile seguire l’evento:
📍 in presenza presso De Berti Jacchia, ingresso da Via Agnello 6/1, Milano
💻 via webinar | Zoom

I professionisti dello Studio De Berti Jacchia, Alessandro Foti, Jacopo Piemonte, Adriano Garofalo, Giulia Beneduci, Silvia Bolognani e Federico Aluigi, offriranno un approfondimento pratico su come le imprese possono affrontare e implementare l’atteso Regolamento sull’Intelligenza Artificiale.

Attraverso l’analisi di case study concreti, i partecipanti riceveranno preziosi consigli per allinearsi a questo rivoluzionario strumento legislativo.

Inoltre, avremo il piacere di ospitare ReD OPEN – Spin-off Università degli Studi di Milano Bicocca con Massimo V.A. Manzari, che esporrà i prerequisiti organizzativi necessari per la compliance con il Regolamento.

L'evento è stato accreditato presso l'Ordine degli Avvocati di Milano e dà diritto a n. 1 crediti formativi.

REGISTRATI IN PRESENZA

REGISTRATI PER WEBINAR

The post REGOLAMENTO SULL’INTELLIGENZA ARTIFICIALE: CASI PRATICI PER GUIDARE LE IMPRESE NELL’IMPLEMENTAZIONE – July 10th, 2024 appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

Cosa si intende per metadati

È arrivata la rivoluzione?

Il coinvolgimento della disciplina giuslavoristica

Il compromesso prospettato dal Garante: perché è importante limitare la conservazione dei metadati?

La palla al Titolare: cosa occorre fare

Conclusioni

• il meccanismo previsto dall’art. 4 dello Statuto dei lavoratori tale per cui si richiede un accordo sindacale o, in assenza di tale accordo, l’autorizzazione dell’Ispettorato del Lavoro;
• con riferimento alla normativa applicabile in materia data protection, la conduzione di una previa valutazione d’impatto ai sensi dell’art. 35 del GDPR e la realizzazione di un rigoroso test di bilanciamento dei legittimi interessi del titolare con le esigenze di riservatezza dei dipendenti (cui si aggiunge, in ogni caso, la fornitura di dettagliate informazioni al soggetto assegnatario della casella di posta elettronica).

Download Article

The post IL GARANTE RIDEFINISCE LA GESTIONE DEI METADATI: RIVOLUZIONE NEI SISTEMI DI POSTA ELETTRONICA? appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

In data 11 marzo 2024, il Garante Europeo della Protezione dei Dati (GEPD)^[1] ha emanato un provvedimento^[2] nei confronti della Commissione europea nel quale ha individuato, riguardo l’utilizzo di Microsoft 365^[3], diverse violazioni del Regolamento (UE) 1725/2018, “sulla tutela delle persone fisiche in relazione al trattamento dei dati personali da parte delle istituzioni, degli organi e degli organismi dell’Unione e sulla libera circolazione di tali dati”, noto come “GDPR for EUIs” (da ora, il “Regolamento”)^[4].

L’indagine alla base, mirata a verificare il corretto recepimento delle Raccomandazioni pubblicate nel 2020 dal GEPD sull’uso da parte delle istituzioni dell’Unione dei prodotti e servizi Microsoft^[5], era stata avviata nel maggio 2021 in seguito alla sentenza della Corte di Giustizia dell’Unione Europea (CGUE) c.d. Schrems II^[6].

In breve, tale controversia riguardava la non conformità di una c.d. decisione di adeguatezza – un atto con il quale la Commissione europea classifica il livello di protezione dei dati personali da parte di un Paese terzo come avente le adeguate garanzie per attuare il trasferimento – adottata nei confronti degli Stati Uniti, che autorizzava il trasferimento nel paese di dati provenienti dallo Spazio Economico Europeo (SEE).

Tra le violazioni individuate dal GEPD, la Commissione europea, identificata come titolare del trattamento, ha mancato di adempiere all’obbligo, sulla base degli articoli 4 e 29 del Regolamento, di determinare con precisione quali dati possono essere trasferiti, per quali finalità e in quali Paesi terzi. Infatti, le c.d. istruzioni documentate sulla base delle quali Microsoft – identificata quale responsabile del trattamento – avrebbe dovuto attenersi ed essere sorvegliata dalla Commissione, non sono state considerate come sufficientemente chiare e precise dal GEPD.

Vi sono inoltre inadempienze riguardo gli articoli 4, 46 e 48 del Regolamento in proposito al trasferimento di dati personali in Paesi terzi al di fuori dello SEE che garantiscono un livello di protezione sostanzialmente equivalente a quello previsto dal Regolamento. Anche in questo caso, ciò sarebbe da imputare all’imprecisione ed alla povertà contenutistica evidenziate dal GEPD nel contratto siglato con Microsoft dalla Commissione.

È interessante notare come, prima dell’accordo USA-UE sul trasferimento di dati personali (Data Privacy Framework EU-US, entrato in vigore il 23 luglio 2023)^[7], la Commissione abbia mancato di verificare se fosse necessario predisporre “misure di sicurezza supplementari”, vale a dire specifiche misure tecniche, organizzative o contrattuali in grado di colmare il gap tra il livello di protezione richiesto dall’Unione e quello, più basso, garantito dal paese di destinazione del dato.

Nemmeno le Clausole Contrattuali Standard (CCS)^[8] inserite dalla Commissione europea sono state ritenute sufficienti, poiché non chiare, non esaustive e non preventivamente sottoposte all’approvazione del GEPD così come richiesto dall’art. 48(3)(a) del Regolamento.

Allo stesso modo, gli accordi non sono trasparenti in merito ai sub-fornitori di Microsoft che potrebbero entrare in contatto con i dati personali e, pertanto, è stato rilevato come la Commissione non possa esercitare quel controllo che sarebbe previsto dal Regolamento, tra cui garantire un’adeguata protezione ai dati oppure assicurarsi che i medesimi siano esclusivamente trattati nei limiti delle sue istruzioni.

Tutto ciò considerato, il GEPD ha ordinato alla Commissione europea, a partire dal 9 dicembre 2024, di sospendere tutti i flussi di dati relativi all’utilizzo di Microsoft 365 verso Microsoft e le società affiliate che si trovano in Paesi al di fuori dello SEE nei confronti dei quali non si applica una decisione di adeguatezza.

Inoltre, entro la suddetta data, il trattamento dei dati derivanti dall’utilizzo di Microsoft 365 deve essere regolarizzato tramite, in primo luogo, una precisa mappatura che identifichi quali dati personali vengono trasferiti, verso quali Stati, quali sono le finalità del trattamento e quali sono le garanzie di protezione previste. Secondariamente, viene prescritto di garantire, mediante disposizioni contrattuali concluse ai sensi dell’articolo 29, paragrafo 3, del Regolamento e di altre misure organizzative e tecniche, che: i) tutti i dati personali siano raccolti per scopi espliciti e specificati; ii) le categorie di dati personali siano sufficientemente determinate rispetto agli scopi per cui vengono trattati; iii) qualsiasi trattamento da parte di Microsoft, di sue controllate o di sub-fornitori sia effettuato solo in base alle istruzioni documentate della Commissione; iv) nessun dato personale sia ulteriormente trattato in modo non compatibile con gli scopi per cui è stato raccolto.

Il GEPD ha ordinato alla Commissione europea di dimostrare di aver adempiuto agli ordini di cui sopra entro il 9 dicembre 2024. Tale termine è stato individuato dal GEPD come risultato di un bilanciamento tra la gravità della violazione e la necessità di non compromettere il funzionamento dell’istituzione.

La vicenda in esame riporta in auge un tema già ampiamente dibattuto. L’Unione Europea, leader nell’implementare adeguate protezioni per la privacy dei cittadini, si trova spesso di fronte a contesti meno garantisti in altri Stati. In un panorama di rapida evoluzione politica ed economica, il controllo sui dati imposto dall’Unione si scontra talvolta con dinamiche socioeconomiche di altri paesi che non hanno implementato sistemi normativi così sofisticati, determinando un bilanciamento inadeguato tra la tutela della privacy e le altre esigenze in gioco.

Resta un tema aperto che potrebbe fornire ulteriori spunti, specialmente considerando che, nel luglio del 2023, l’avvocato e attivista Max Schrems ha indicato la possibilità di nuove questioni giuridiche da affrontare davanti alla Corte di Giustizia all’inizio dell’anno successivo. NOYB^[9] ha già predisposto varie opzioni procedurali per contestare il Data Privacy Framework EU-US^[10], e l’organizzazione ha dimostrato di agire rapidamente: il caso Schrems II è stato presentato nel 2015, pochi mesi dopo la decisione di Schrems I e prima che il Privacy Shield UE-USA venisse formalmente adottato.

Download Article

The post COMMISSIONE EUROPEA SOTTO ESAME. IL PROVVEDIMENTO CORRETTIVO DEL GARANTE EUROPEO SU MICROSOFT 365 appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

La Commissione Europea ha istituito l’AI Office per guidare l’applicazione dell’AI Act, assicurando un uso sicuro dell’Intelligenza artificiale, L’ufficio avrà un ruolo centrale nel monitorare i sistemi di IA a uso generale. Parallelamente, l’Italia affronta un dilemma sulla scelta dell’autorità nazionale per l’IA, oscillando tra AgID e altre opzioni

L’intelligenza artificiale è ormai una realtà che permea sempre più aspetti della nostra quotidianità e della nostra economia, diventando una questione di rilevanza strategica a livello nazionale ed europeo. Cresce dunque l’importanza di organi di governo e controllo che siano in grado di orientare lo sviluppo dell’IA rispondendo a domande complesse: come assicurare un utilizzo etico e responsabile? Come garantire trasparenza, sicurezza e rispetto dei diritti fondamentali?

In Italia, la questione dell’autorità competente per l’IA rimane ancora aperta.

Articolo di Jacopo Piemonte, Adriano Garofalo e Federico Aluigi pubblicato su Agenda Digitale.

Read More

The post GOVERNANCE DELL’AI: LA STRATEGIA UE E IL DILEMMA ITALIANO appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

Questo articolo di Gaspare Roma, Jacopo Piemonte, Adriano Garofalo e  Federico Aluigi è stato pubblicato in data 21 dicembre 2023 su Agenda Digitale.

Riproponiamo di seguito un estratto:

La geolocalizzazione dei lavoratori si pone al centro di un delicato equilibrio tra esigenze operative aziendali e diritti individuali. L’articolo 15 del GDPR, il provvedimento del Garante privacy e la sentenza della Corte di Giustizia dell’Unione Europea delineano un quadro normativo chiaro per le aziende.

La geolocalizzazione dei lavoratori, intesa come la pratica di monitorare la posizione geografica di un dipendente durante l’orario di lavoro, è diventata sempre più diffusa grazie all’uso di tecnologie come i dispositivi GPS e le app per dispositivi mobili. Questa pratica solleva importanti questioni etiche e legali, soprattutto alla luce del Regolamento Generale sulla Protezione dei Dati (GDPR), che è entrato in vigore nell’Unione Europea nel maggio 2018.

Di fatti, il GDPR è progettato per proteggere la privacy e i diritti fondamentali delle persone in relazione al trattamento dei dati personali: quando si tratta di geolocalizzazione dei lavoratori, diventa fondamentale rispettarne i principi chiave, come la trasparenza nel trattamento dei dati, la limitazione della finalità, la minimizzazione dei dati e la garanzia di sicurezza degli stessi.

Read the full article

The post GEOLOCALIZZAZIONE DEI LAVORATORI: IL DIRITTO DI ACCESSO AI DATI appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

By way of the Decree No. 24/2023 (“Decree”), Italy has transposed into law the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of union law into various jurisdictions.

The Decree has been enacted on 30 March 2023. The purpose of the Decree is to safeguard individuals who report breaches of certain national or European Union laws (which came to their knowledge in the work context) that may jeopardize the public interest, the integrity of public administration or of a private entity^[1].

The Decree took effect on 15 July 2023 for employers with an average of at least 250 employees in the year 2022^[2].

For companies that had an average of up to 249 employees in 2022 the main obligation provided by the Decree to set up internal reporting channels will have to be implemented by 17 December 2023^[3].

We have described in another article the compliance aspects related to the Decree^[4]. In this contribution we will focus instead on the quite important data protection actions that the companies should put in place.

1. PRINCIPLES OF THE GDPR TO KEEP IN MIND WHEN READING THIS ARTICLE

Art. 5 of the GDPR sets some principles related to processing of personal data, which should be observed while carrying out (or designing) activities that imply such processing.

More specifically, these principles delimit the boundaries within a data processing activity can be considered lawful. Failure to comply with these principles, and the gravity of the related violation, will determine the imposition of possible fines and/or penalties. The data controller shall be responsible for (and be able to demonstrate) compliance with those principles. “Accountability” is the one term which better summarizes the GDPR, and this dictum, of course, also applies to data processing activities related to the management of a whistleblowing channel.

The principles that any data controller must be able to demonstrate, are:

1. 1. “… lawfulness, fairness and transparency …”, which means that the processing must be based on one of the legal basis provided for in art. 6 of GDPR, and must also be inspired by good faith (e., for companies obligated to adopt a whistleblowing system, the provisions of the Decree will constitute a legal basis for the processing of personal data pursuant to art. 6.1.(c) GDPR). Moreover, those principles provide the data controller with a general disclosure duty to data subjects of the main features and information about the processing;
   2. “… purpose limitation …”, which means that data collected for specified, explicit and legitimate purposes, shall not further processed in a manner that is incompatible with those purposes (e., the data related to a whistleblowing report, shall be used only to handle the report, give feedback to the whistleblower, etc.);
   3. “… data minimisation …”, which means that data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (e., data that are not useful or irrelevant for the handling of a whistleblowing report, shall not be collected or, if collected, shall be promptly deleted);
   4. “… accuracy …”, which means that data must be accurate and, where necessary, kept updated (e., if a whistleblower wishes to amend its report because it contains erroneous data, every reasonable step must be taken to ensure that such data are rectified without delay);
   5. “… storage limitation …”, which means that data must be kept in a form which permits identification of data subjects for no longer the time necessary for the purposes for which the personal data are processed (e., once the whistleblowing report is successfully handled, or once the legal term for data retention provided for in the Decree is expired, such data must be deleted or anonymized);
   6. “… integrity and confidentiality …”, which means that data must be processed in a manner that ensures appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage (e., the whistleblowing system shall be properly secured with encryption, or shall be used only by authorized employees, etc.).

Last (but not least), art. 25 of the GDPR provides the so-called principle of “… data protection by design and by default …”, which means that the data controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures. It shall then take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the varying risks to the the rights and freedoms of natural persons, in order to meet the requirements of the GDPR and protect the rights of data subjects.

2. SPECIFIC DATA PROTECTION ISSUES INVOLVED IN THE DECREE

We will now discuss of the specific issues arising from Decree.

As mentioned, the Decree main obligation is to set up internal communication channels to allow to the whistleblower to report certain facts to the company.

The receipt and handling of whistleblowing reports result in the processing of personal data referrable to the individuals involved in the reported facts.

This implies that the companies obliged to implement a whistleblowing channel have to adopt (in their quality of data controller) a series of measures to ensure the lawfulness, confidentiality and security of the processing carried out (directly, or by means of their employees and/or collaborators involved in the management of the reports).

Indeed, the principles set forth by the GDPR at the basis of all kind of data processing activities cannot be ignored. On the one hand, attention must be given to the privacy roles played by those involved in the management of reports. On the other, security and organizational measures designed to ensure the confidentiality of the information received cannot be neglected either. We will then analyse the main features that the companies must comply with (and take into consideration) when implementing a whistleblowing channel.

3. THE OBLIGATION TO DEFINE THE PRIVACY ROLES TAKING INTO CONSIDERATION THE DIFFERENT SCENARIOS

The company obliged to implement a whistleblowing channel, could alternatively entrust its management to:

1. 1. a person/office (with dedicated staff properly trained) within its own organization;
   2. an external entity.

The result of the choice could be two-fold as we explain below.

3.1. The scenario in which the company sets internally its own reporting channel

As mentioned above, the company that establishes the reporting channel is considered a data controller. A data controller is the subject that will delineate the means and purposes of the data processing, and, therefore, will always have to guarantee that the data processing complies with the principles and regulations placed at the basis of any data processing activities.

Art. 4.4 of the Decree also states that private sector companies that have employed, in the last year, an average number of employees (permanent or fixed term) not exceeding 249, can share the internal reporting channel and the related management. In such event, the companies that share the internal reporting channel will be considered as joint data controllers. This means that such companies have to jointly determine the purposes and means of the processing of personal data, and they are required to establish, in a transparent manner, through an internal agreement^[5], their respective responsibilities for compliance with the obligations arising from the legislation on personal data protection. The essential contents of such agreement must be made available to the data subjects and all the parties eventually concerned.

Data controllers and joint data controllers shall then identify, within their own organizational structure, the individuals (employees) expressly designated with specific tasks and functions related to the processing of personal data^[6]. These individuals will operate (for data protection purposes) under the authority of the data controllers and joint data controllers, and should receive appropriate and specific instructions from them, as well as adequate and professional training.

Such role, as clarified by ANAC Guidelines, may be entrusted, among others, to individuals within the internal audit bodies, or the Supervisory Board provided for in the regulations of Legislative Decree No. 231/2001, or to ethics committees.

In any case, it is expressly provided that the individuals/office entrusted with the management of the whistleblowing channel, must be:

1. 1. 1. Impartial, in order to ensure that reports are handled fairly and free from internal or external influences;
      2. Independent, in order to ensure objective and impartial analysis of the report.

It may occur, however, that data controllers decide to outsource the management of the whistleblowing channel (and the relevant reports) to third parties, external to their organization, instead of appointing their own employees as authorized subjects. In the event that a third party is entrusted with the management of the whistleblowing channel (or, otherwise, is involved in a part of the reports’ management procedure such as the provider of the IT platform on which the reporting channel is based), the latter must be appointed, by contract or other legal act, as data processor^[7]; the data processor is indeed the subject that carries out the data processing on behalf of the data controller. Therefore, the data processor must comply with the specific instructions that the data controller has provided. Finally, it is mandatory that the data processor presents sufficient guarantees, in particular in terms of specialized knowledge, reliability and resources, to put in place technical and organizational measures that ensure respect for confidentiality, data protection and secrecy.

4. THE NECESSITY TO CARRY OUT A DATA PROTECTION IMPACT ASSESSMENT AND RELEVANT SECURITY MEASURES

After having examined and defined the roles that those involved in the management of the whistleblowing channel may have, there are other relevant consequences of adopting a whistleblowing channel.

First of all, it is fundamental that the employer (as data controller) guarantees, from the design of the reporting channel (privacy by design), and by default (privacy by default), that only the personal data strictly necessary in relation to the specific reporting purpose are processed. In order to do so, the data controllers must carry out, while designing the features of the reporting channel, and thus before the start of processing of the reports, a data protection impact assessment^[8] (“DPIA”), in order to identify possible risks related to the processing and apply the necessary measures to avoid or mitigate these risks.

The DPIA will need to take into consideration that since the processing of whistleblowing reports entails high risks to the rights and freedoms of data subjects, data controllers must adopt several measures to protect the confidentiality of reports and relative information. Such measures^[9] could result in the use of encryption tools within the reporting channel, as well as ensuring the segregation of duties of the subjects involved in the processing.

With specific reference to the case where the access to the reporting channel is made through the data network of the data controller, it must be ensured that there is no traceability of the whistleblower, both on the IT platform and in the network possibly involved. Otherwise, the recording and storage (e.g., in the logs of firewall equipment), of information about connections to the reporting channel could allow the traceability of the individuals who used the platform, including the whistleblowers, and therefore frustrate the other measures eventually adopted by data controller in order to protect the identity of the whistleblower. On the other hand, where possible, the tracking of the activities of the authorized personnel shall be ensured, in order to prevent the misuse of data related to the reporting, except for those data from which the identity or activities of the whistleblower could be disclosed^[10].

5. INFORMATION DUTIES TO BE GIVEN TO THE DATA SUBJECTS

Data controllers must provide possible data subjects with appropriate information about the processing of personal data^[11].

This means, inter alia, that the following should be brought to the attention of the data subjects:

• • the data controller and its contact details;
  • the contacts of the data processor (if the service has been outsourced externally);
  • the purpose of the processing;
  • the legal basis of the processing;
  • the methods of processing;
  • the scope of processing and the subjects to whom the data are disclosed;
  • the storage period of personal data;
  • the contact details of the DPO, whether existent;
  • the data subjects’ rights and guidance on how they can exercise them.

By way of example, such information may be provided as an annex to the whistleblowing procedure, (e.g., on the website of the data controller), or in a special section of the IT application used for the filing of the reports, as well as being made available in the workplaces.

With reference to the obligation to make the disclosure, however, it must be noted that, in the phase of acquisition of a report and/or in any subsequent investigation, no specific information or disclosure should be provided to parties other than the whistleblower. The aim is to avoid the frustration of the confidentiality protections provided by the Decree.

6. OBLIGATION TO ADJOURN THE REGISTER OF PROCESSING

Moreover, the record of processing^[12] must be adjourned with the relevant details of the data processing related to the management of the reports. The record should contain the name and contact details of the data controller and, where present, the joint data controller, a description of the categories of data subjects and categories of personal data that are processed, the competent authorities to which the such data have been or will be disclosed, etc..

7. DATA RETENTION

In the Decree, it is expressly provided that personal data shall be kept in a form that allows the identification of the data subjects for a period of time not longer than the achievement of the purposes for which they are processed, and that reports and related documentation be retained for as long as necessary for the processing of the report and, in any case, no longer than five years from the communication of the final outcome of the procedure.^[13]

8. EXERCISE OF DATA SUBJECTS’ RIGHTS

The rights referred to in Articles 15 to 22 of the Reg. (EU) 2016/679 may not be exercised by request to the data controller nor by a complaint under Article 77 of the Reg. (EU) 2016/679, if they may result in prejudice of the confidentiality of the whistleblower’s identity, within the limits in which this constitutes a measure necessary and proportionate, taking into account the fundamental rights and freedoms of the data subjects.

9. CONCLUSIONS

As discussed in our previous article on the subject matter, the Decree imposes significant compliance burdens on companies regarding the establishment of whistleblowing procedures, with a particular emphasis on criminal law and organizational aspects.

Understandably, stakeholders have focused on meeting these requirements in their rush to comply.

However, as emphasized in this contribution, important privacy measures also need implementation within the same deadline specified in the Decree.

It is crucial not to overlook these measures, and steps should be taken to ensure compliance with them as well.

Download Article

The post THE IMPORTANT DATA PROTECTION ASPECTS RELATED TO THE NEW WHISTLEBLOWING LEGISLATION IN ITALY appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

Le tecnologie avanzate hanno rivoluzionato la raccolta, l’elaborazione e la conservazione dei dati, offrendo nuove opportunità per l’ottimizzazione delle attività aziendali e la gestione delle risorse umane. Tuttavia, questo progresso tecnologico pone sfide e questioni giuridiche complesse. Analizziamole nel dettaglio

Articolo di Gaspare Roma, Jacopo Piemonte, Adriano Garofalo e Federico Aluigi pubblicato su CyberSecurity360

Download Article

The post TRA GDPR E STATUTO DEI LAVORATORI: I PROFILI DI PRIVACY DEL LAVORATORE SOTTO LA LENTE DEL GARANTE appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

On 19 July 2023, the European Data Protection Board (EDPB) announced that it adopted a statement^[1] on the European Commission’s first review of the functioning of the adequacy decision for Japan^[2].

The adoption of an Adequacy Decision regarding Japan had already taken place on 23 January 2019, following the adequacy procedure under Article 45 of Regulation (EU) 2016/679 (GDPR), and as a result of the additional safeguards that Japan put in place to ensure that data transferred from the Union enjoy protection in line with European standards^[3]. The adequacy decision addresses the Japanese Act on the Protection of Personal Information (APPI), as complemented by the Supplementary Rules that were introduced to bridge certain relevant differences between the APPI and the GDPR.

Subsequently, the European Commission conducted its review which was completed on 3 April 2023 with a positive outcome, thus witnessing that the convergence between either system further improved in the past four years and that the Adequacy Decision had been successfully implemented^[4].

On the one hand, in the light of a number of amendments introduced to the APPI in recent years^[5], the European Commission was able to recognize the following achievements^[6]: i) some of the additional safeguards provided under the Supplementary Rules for personal data coming from the EU, i.e. as regards data retention and the conditions for informed consent in respect of cross border transfers, were incorporated into the APPI, thereby making them generally applicable to all personal data, irrespective of their source; ii) the APPI was transformed into a comprehensive data protection framework covering both the private and public sector, and subject to the exclusive supervision of the Personal Information Protection Commission^[7] (PPC). The EU Commission considers that this legislative process could lead to an extension of the adequacy decision mechanism to other areas of regulatory cooperation and research; iii) the publication by the PPC of updated guidelines, in particular, regarding international data transfers; the EU indicated that it believes the guidelines will increase the accessibility of the APPI rules on the subject and make them more user-friendly; iv) the establishment of dedicated contact points for EU individuals who have questions or concerns about the processing of their personal data in Japan, be it by commercial operators (Inquiry Line) or public authorities (Complaint Mediation Line); v) the announcement by the PPC that it will carry out random checks to ensure compliance with the Supplementary Rules, rather than continuing with the exclusive use of the non-coercive, soft-law powers of guidance, was hitherto the case.

On the other hand, certain critical issues worthy of reconsideration for the next review are reported by the Commission. For instance, “pseudonymized personal information”^[8] are currently exempted from certain obligations, such as the duty to report a data breach (Article 26 APPI) and provisions regarding data subject rights. Emphasis is placed on the fact that “pseudonymized personal information” processed for statistical purposes should not be used to adopt measures or take decisions concerning any particular individual. In the same vein, “pseudonymized personal information” originally received from the EU will always be considered “personal information” under the APPI, to ensure that the continuity of protection of data considered as personal data under the GDPR is not affected when it is transferred to Japan on the basis of the Adequacy Decision.

Taking the lead from the Commission, the EDPB likewise took certain actions, with particular focus on the commercial aspects of the adequacy decision. These are the most significant points: i) the new definition of “personal data held by the company” introduced by the amendment to APPI 2020^[9] was favourably acknowledged; ii) it was appreciated that the 2020 APPI amendment extended the right to object^[10] and the introduction of a duty to promptly notify the PPC and the data subjects of any data breach that is “likely to harm individual rights and interest”^[11]; iii) greater detail was hoped for regarding enhanced requirements for informed consent where used as a legal basis for (onward) transfers to third countries, with the EDPB welcoming further reassurances on the fact “that consent will not be used as a basis for transfer in case of clear imbalance of power”, and the Commission asking to monitor this particular aspect in the next review ; iv) the Commission was invited to maintain a close supervisions on the use of “pseudonymized personal information,” as companies that use it are exempt from certain obligations such as the obligation to report a data breach; v) the drafting of model clauses in collaboration between the European Union and Japan will be encouraged, in order to achieve greater uniformity and thus more robust safeguards in connection with the transfer of personal data.

The EDPB, thus, stated that it concurs with the Commission’s proposal to consult the Committee^[12] and establish a review of the Adequacy Decision in 4 years^[13].

The statement, issued just a few days after the EU-US Adequacy Decision^[14], is part of a broader framework devised to implement a policy of openness on the part of the European Union towards third countries in the matter of personal data, in an environment characterized by exponential technological advancement and the confirmed central importance of personal data, against a foreground increasingly designed by Artificial Intelligence.

Download Article

The post EUROPEAN COMMISSION CONFIRMS 2019 ADEQUACY DECISION ON JAPANESE DATA PROTECTION SAFEGUARDS appeared first on Studio Legale De Berti Jacchia Franchini Forlani.