In August 2022, Italy implemented EU Directive No. 2019/1152 of the European Parliament and of the Council of 20 June 2019 on transparent and predictable working conditions in the European Union by adopting the new Legislative Decree 2022/104 (the so-called “Decreto Trasparenza”, meaning the “Transparency Decree”).
What areas does the Decree cover?
The Decree introduces new rules on employment relationships and employer obligations. The innovative aspects thus mainly concern labour relations, but interesting points have also been raised with regard to data protection. Indeed, since the Decree came into force in August 2022, Italian businesses have had to change their employee privacy documentation, and they have (or should have) also undertaken internal mappings and assessments of their procedures for processing employees’ personal data, in order to comply with the new obligations imposed on them.
The main focus of all the new provisions introduced by the Decree is, of course, on achieving greater transparency of the information disclosed to employees, including information about the processing of their data.
Because of the complexity of the regulatory issue, and because the Decree’s obligations focus mainly on Employment Law, Italian businesses have largely neglected compliance with the new privacy obligations introduced by the law, considering them marginal. After a number of requests from both public authorities and private businesses, the Italian Supervisory Authority itself issued a provision in January to clarify the most controversial aspects of the new law and to support businesses in adjusting to the obligations.
The main changes in data protection introduced by the Decree
Among the main changes, the Decree requires employers to provide employees with a comprehensive privacy notice that goes beyond the information contained in Articles 13 and 14 of the GDPR. This “strengthened” privacy notice should also contain:
- information on the possible use of employee decision-making or monitoring systems, especially if they are automated;
- if so, an additional set of specific information pursuant to Article 4 (1)(a) of the Decree, in addition to Articles 13 and 14 of the GDPR.
The automated systems are defined by the Decree in Article 4(8) as “automated decision-making or monitoring systems designed to provide indications relevant to the recruitment or assignment, management or termination of the employment relationship, the assignment of tasks or duties as well as indications affecting the monitoring, evaluation, performance and fulfilment of the contractual obligations of workers.”
The additional information to be provided to employees in relation to automated decision-making or monitoring systems is the following:
- the areas of the employment relationship that are affected;
- the purposes;
- the logic and operation behind them;
- the categories of data and the main parameters used to program or train such systems, including performance evaluation mechanisms;
- the control measures adopted for automated decisions, any correction processes and the quality management system manager;
- the accuracy, strength and cybersecurity level of these systems, the metrics used to measure these parameters, and the potentially discriminatory impacts of these metrics.
In order to comply with both the Decree and the GDPR, businesses with a seat in Italy that use automated systems must also do the following, in addition to meeting the information obligation:
- update the register of processing activities (GDPR Art. 30), including employee surveillance and monitoring activities;
- evaluate the most appropriate data security measures (GDPR Art. 32) and carry out data protection impact assessments (GDPR Art. 35) on activities involving such systems;
- carefully evaluate the tools offered by the various suppliers, and the levels of compliance and information security guaranteed by them.
The same definition of automated decision-making systems was recently amended by Article 26 of the new Decree-Law No. 48 of 4 May 2023 (the Italian Government’s latest measure to simplify the complex obligations introduced by the Decreto Trasparenza).
The definition of “automated decision-making or monitoring systems” is now restricted solely to “fully” automated systems. Therefore, the information obligations linked to the use of such systems will no longer apply in the case of partially automated systems, even if the degree of automation is significant.
The imposition of these new information obligations is certainly a demanding burden for businesses, but it can also be seen as an opportunity to work on their internal mapping of employees’ data processing activities as well as of all the tools and systems used. By doing so, companies can assess the level of compliance of these tools with all applicable regulations, especially those related to privacy.
Moreover, the Italian DPA expresses its concern about the use of “particularly invasive systems” in the employment relationship, such as software for emotional detection, data analytics or machine learning tools, neural networks and deep learning, as well as facial recognition systems and rating and ranking systems.
“When used in the context of work”, states the Authority, these applications “pose a high level of risk to the rights and freedoms of data subjects that are specifically protected under the data protection system.”
Finally, it is worth mentioning that, on the subject of personal data processing in labour relations, a non-compliant business risks being liable not only to the sanctions provided for in Articles 83(4) and (5) of the GDPR, but also to the sanctions provided for in the Italian Privacy Code for the violation of Articles 113 and 114, which refer directly to the rules of the Workers’ Statute on the limits and methods of employee monitoring.