GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49(5)); and
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Italy
Italy’s legislative decree implementing the GDPR (Legislative Decree no. 101/2018) became law in September 2018. Decisions and authorizations previously issued by the Italian Data Protection Authority (DPA), along with existing ethical codes, remain in place until they are officially updated.
Sensitive Personal Information and Biometric Data: Authorization No. 1/2014 concerning the Processing of Sensitive Data in the Employment Context (published in Italy's Official Journal No. 301 of 30 December 2014) allows the processing of sensitive data in the employment context without any prior request for authorization from the DPA. That said, processing biometric data continues to be strictly controlled under the DPA’s regulations: currently, an application must be filed with the DPA to permit the processing before biometric data is processed. Note that in 2014 the DPA permitted the processing of biometric data without an application in certain circumstances, such as when simplifying access to certain areas via finger or handprints.
Data Subject Access Rights: In Italy, the data subject’s access rights cannot be used to uncover the identity of a whistleblower.
Privacy Notices for Unsolicited Job Applicants: Italy’s Data Protection Code includes a privacy notification exception for when employers receive unsolicited resumes from job applicants. In these cases, the employer can wait until the first meaningful contact with the applicant to provide a data protection notice.
Automated Data Processing: The updated Italian Budget Law contains new requirements that appear to conflict with the GDPR. The Budget Law requires that businesses notify the Italian Data Protection Authority (DPA) prior to using new technology or automated tools to process personal data. If after 15 days you don’t receive a response from the Italian DPA, you can move forward with processing until receiving additional guidelines. One consideration is how this notification requirement may apply to employer data processing tools (for example, recruiting software which automatically filters out candidates). Additional clarification is likely in the coming months.[2]
[2] Europrivacy. 2018. "GDPR in the Italian budget Law just approved." January 15. http://europrivacy.info/2018/01/15/gdpr-in-the-italian-budget-law-just-approved/.
Ultimate Software's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where Ultimate Software's customers have employees. HR Compliance Assist is a service exclusively available to Ultimate Software customers.