GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49(5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Italy
Italy’s legislative decree relating to the GDPR (Legislative Decree no. 101/2018) became law in September 2018. Decisions and authorizations previously issued by the Italian Data Protection Authority (DPA), along with existing ethical codes, remain in place until they are officially updated.
Sensitive Personal Information and Biometric Data: Authorization No. 1/2014 concerning the Processing of Sensitive Data in the Employment Context (published in Italy's Official Journal No. 301 of 30 December 2014) allows the processing of sensitive data in the employment context without any previous request for authorization from the Data Protection Authority. That said, processing biometric data continues to be strictly controlled under the DPA’s regulations. Currently, biometric data may be processed only after an application to permit the processing has been filed with the DPA. Note that in 2014 the DPA permitted the processing of biometric data without an application in certain circumstances, such as when simplifying access to certain areas via finger/handprints.
Data Subject Access Rights: In Italy, the data subject’s access rights cannot be used to uncover the identity of a whistleblower.
Privacy Notices for Unsolicited Job Applicants: Italy’s Data Protection Code includes a privacy notification exception for when employers receive unsolicited resumes from job applicants. In these cases, the employer can wait until the first meaningful contact with the applicant to provide a data protection notice.