Recommendation CM/Rec (2015)5 of the Council of Europe on the processing of personal data in the context of employment: some considerations from the Italian perspective

Introduction

On April 1, 2015 the  Council of Europe (COE) adopted an important recommendation  – CM/Rec(2015)5 – with regards to the personal data processing in the employment context, with special reference to the use of new technologies and electronic communication tools for processing data and information likely to involve specific risks for the rights and fundamental freedoms of the workers as well as involving infringement of privacy and human dignity.

The topic is of undeniable interest in Italy especially in this time of great expectations and broad discussions about the law 183/2014 (the so called Job Act) and related aspects regarding  the possibility of remote control for workers under Article 4 of Law 300/70 as a consequence of the new tools of communication and information processing (ICT Information and Communication Technology), also used outside the workplace.

The COE Recommendation  does not bring regulatory mandatory requirements, however as a result of the agreed expression by the 47 COE member states, it represents an important point of reference and influence, much more than an abstract principle, to which the relevant national laws are called to be in line.

Structure of the Recommendation and some points of attention

The Recommendation is structured in two parts, the first one lays down, in addition to the purpose and some basic definitions, the 11 general principles that should be respected in the treatment of employees data in the context of the employment relationship:

–  3. Respect for human rights, dignity and fundamental freedoms

–  4. Application of data processing principles

–  5. Collection and storage of data

–  6. Internal use of data (by the employer)

–  7. Communication of data and use of ICTs for the purpose of employee representation

–  8. External communication of data (by the employer)

–  9. Processing of sensitive data

– 10. Transparency of processing

– 11. Right of access, rectification and to object

– 12. Security of data

– 13. Preservation of data

the second part shows the specific principles for “Particular forms of processing” that are precisely those directly related to the use of specific ICT systems that can determine conditions of effective impact on the privacy of the employee  in the employment context:

– 14. Use of Internet and electronic communications in the workplace

– 15. Information systems and technologies for the monitoring of employees, including video surveillance

– 16. Equipment revealing employees’ location

– 17. Internal reporting mechanism

– 18. Biometric data

– 19. Psychological tests, analysis and similar procedures

– 20. Other processing posing specific risks to employees’ rights

– 21. Additional safeguards

Interesting to note that the Recommendation envisages the possibility to adopt appropriate Codes of Conduct as instruments of implementation of its principles. Certainly such an approach, when resulting from shared agreement between authorities, organizations representative of  employees and of employers, could be considered a valid legal instrument from multiple points of view.

Among the novelties characterizing the Recommendation in its aim to represent the key points of the new work environments and tools, these indications addressed to the employer are of particular relevance:

• do not require the worker / applicant the access to his/her  information available through social networks to which he/she adheres to (principle 5.3)
• attention for the purpose specification and proportionality of the processing in the cases, becoming more frequent, of acquisitions, merging or detachments of business units (principle 6.4)
• transparency in providing the workers with a clear and complete description of the categories of their data processed in the company ICT systems (principle 10.3)
• attention in balancing the investigative needs of the company (for example in Italy: in relation to the company responsibility pursuant to Legislative Decree 231/01)  with the exercise of the rights of workers (principle 11.7)
• attention in retaining the minimum necessary period the data acquired by the candidate in relation to a particular job and delete them if the applicant so requests (13.2 principle, certainly not trivial implementation in the labor market)
• during  the conclusion of the employment: properly manage for removing the authorization granted for accessing the company ICT systems  and regulate access to the information exchanged by the worker through the company business tools (not only email) (15.1 principle, definitely non-trivial application)
• when introducing  new ICT company systems  which may bring monitoring on workers: proceed with prior consultation with employees’ representatives (15.1 principle, this will be discussed later in this article)
• in the event of disputes or legal proceedings between worker and employer: expressly provided for the possibility that employees can receive a copy of the recordings made by ICT company systems that might generate monitoring of workers (principle 15.3)
• for personal data processing involved by ICT company systems: required specific attention to systems able to geolocate the workers (principle 16),  whistleblowers procedures (principle 17), mechanisms to activate Privacy Impact Analysis (PIA, as widely provided for by future EU regulation on data protection) and systematic processes for giving appropriate information to the employees, consultation and / or agreement with employees’  representatives (principles 20 and 21) for particular types of systems and conditions.
  

Main correspondences in the Italian legislation

It should be noted that for the EU countries that are also COE members, the European legislation on personal data protection (Directive 95/46/EC albeit transposed differently in the 28 EU countries) and the tasks and the measures taken by the national privacy authorities, already provide robust basis for matching the principles set out in the Recommendation, whereas for other COE countries the process of regulatory alignment, we recall as voluntary and not mandatory, may be more complex to implement.

From the Italian perspective, the relevant regulation in force is constituted by the Privacy Code (Legislative Decree 196/03), the specific Measures taken by the Italian Data Protection Authority (DPA), and obviously the Article 4 of Law 300/70 by which it is ruled the possibility of using systems involving indirect remote monitoring on workers – by means of the agreement with the trade unions, failing of this, the employer shall apply a request for authorization to the competent offices of Labor.

Requirements about quality and minimization in data processing (Privacy Code: articles 3 and 11), Information to the data subjects (Privacy Code: article 13), Consent (Privacy Code: articles 23, 24, 26), data subjects’ Exercise of Rights (Privacy Code: article 7 and followings), organizational/contractual measures (Privacy Code: articles  29 and 30), minimum security measures and measures commensurate to specific risks (Privacy Code: Annex B and article 31) as a whole they represent the basic foundation already in place that, properly deployed in the context of the employment, is able to provide robust alignment to the principles set out with the COE Recommendation. Then in particular article 17 of the Privacy Code – Prior Checking by the DPA in case of  processing operations involving specific privacy risks – provides for the process to be followed by the employer (data controller) when he  intends to carry out a data processing likely to present specific risks to workers’ fundamental rights and freedoms and dignity on account of the nature of the data, the arrangements applying to the processing or the effects the latter may produce. In addition, article 114 of the Privacy Code (Remote Control, with direct reference to article 4 of Law 300/70) and the following article 115 (Telework and Home-Based Work), give the general delimitation for the allowed scope to the employer, in carrying out specific data processing in the employment context. In addition the Italian DPA, with several general Measures issued in the last years, has contributed to determine the articulated framework of requirements  that the employer, in the capacity of data controller, must fulfill, among them: the Measure on Biometrics processing issued in the year 2014, the Measures concerning Video-surveillance system issued in the year 2010,  the Measure issued in the year 2007 on Internet and E-mail in the work context, the Guidelines on the worker’s data processing in the public and private work context issued in the year 2006, and the General authorizations regarding the processing of sensitive / judicial data (especially Authorizations no. 1 and no. 2).

The key points  with the workers’ representatives and with the privacy authorities

Specifically the set of principles 15 (indirect monitoring), 16 (geolocation), 18 (biometrics), 20 (processing with specific risks to the rights and freedoms) and 21 (additional measures) highlights the complexities that need to be addressed at the level of relations between employers, workers, workers’ representatives and the competent authorities for privacy.

In general for all the ICT systems processing employees’ data, the Recommendation always indicates the need for the employer to proceed with an analysis aimed at identifying possible impacts for the employees’ rights and fundamental freedoms: where such risks are detected, the prior agreement with employees’ representatives has to be achieved (principle 20).

For the two cases of processing concerning: biometrics (principle 18) and geolocation data (principle 16) it is clear and objectively understandable that, due to the critical nature of these treatments in terms of impacts on privacy rights, fundamental freedoms and the dignity of the individual, the Recommendation requires the maximum rank of countermeasures (in compliance with applicable national laws), including among them those prescribed with principle 21:

-complete and up to date information to the workers

-implementation of appropriate internal measures in the company (protocols, security measures,…)

-consultation between employer and employees’ representative before the processing introduction: when from this consultation emerges the possibility that it may be infringed the right of the workers to their privacy and dignity, the agreement between the employer and employees’ representatives has to be achieved

-consultation with the national data protection authority

Furthermore, in the case of company systems used to process employees’ data for the purpose of company organization, production and safety at work, but which may involve monitoring on workers (principle 15), the Recommendation lays down, as certainly minimum requirement, the consultation between employer and employees’ representatives, among the additional measures of principle 21.

The regulatory solution for such a framework is not easy  to be designed and implemented, in respect of the different roles and responsibilities in place (in Italy: the DPA  with the Prior Checking under article 17 of Privacy Code and the possibility of identifying cases of balancing interests between employers and workers for the purposes of the exemption of consent under article 24 of Privacy Code, the Union Representatives with the procedure under Article 4 of Law 300/70 and its possible changes as a result of the provisions of the  Job Act).

In any case, the Recommendation certainly offers some hints to outline a regulatory solution able to allow respect for the rights and interests of workers and employers, bearing in mind the need to take advantage of the valuable contributions from the competent authorities and representative organizations, however with procedures and timelines appropriate to the dynamics of the business world.