Legislative Decree no. 101/2018 published on September 4, 2018 transposes the EU Regulation no. 679/2016 (the so-called “GDPR”) into the Italian legislation: labour law’s most significant news.
Legislative Decree no. 101/2018 will enter into force on September 19, 2018 and is aimed to harmonize and coordinate the national privacy legislation (Legislative Decree no. 196/2003, the so-called “Privacy Code”) to the new provisions of the “GDPR”, concerning personal data protection and processing.
The general part of the Italian Privacy Code has been almost entirely replaced by the provisions of the EU Regulation, so that rules on processing, information and prior consent of the data subject are repealed and replaced by the European ones.
Please find below an overview of the main news relevant to labor law introduced by the Decree:
Rules of conduct for companies involved in personal data processing
The Guarantor is required to promote the adoption of:
- rules of conduct for public and private companies concerning personal data processing in the context of the employment relationship, together with
- specific procedures and methods to provide the “information” pursuant to article 13 of the GDPR.
This “information” is the one which shall be mandatorily given by the employer (data controller) to employees (data subjects), when their personal data shall be collected by the employer for the purpose of the employment relationship.
In the case of reception of curricula spontaneously sent to companies by candidates looking for a new employment, the abovementioned “information” pursuant to art. 13 of the GDPR, must be provided at the time of the “first useful contact” following the sending of the curriculum itself.
For the processing of personal data contained in the curriculum vitae, the candidate’s consent is not required.
Penalties provided for the case of violation of monitoring power rules pursuant to Article no. 4 of the Workers’ Statute, have been expressly saved: if employers fail to provide employees with adequate information concerning methods and procedures applicable to employment tools monitoring, criminal sanctions provided by article no. 38 of the Worker’s Statute, do apply.
In order to answer to simplification needs of small and medium-sized enterprises, the Guarantor is called to promote simplified procedures for the fulfillment of the obligations of the data controller.
Administrative and criminal sanctions
The Legislative Decree introduces:
- strict administrative penalties as provided by the EU Regulation (up to 20 million Euros or 4% of the gross annual global balance sheet of the previous financial year) and
- criminal sanctions in the case of personal data, unlawful processing, illicit disclosure, failure to comply with the provisions of the Guarantor.
A transitional period of 8 months for the application of the new sanctions, as regulated by the Decree, is envisaged.