Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: A commentary on the newly adopted Transparency Decree

In order to transpose into the national legal system the provisions of Directive (EU) No. 2019/1152 of the European Parliament and of the Council of 20 June 2019 on transparent and predictable working conditions in the European Union ('the Directive'), the Italian Government recently adopted Legislative Decree No. 104 of 27 June 2022 ('the Transparency Decree'). Rocco Panetta and Marta Fraioli, from PANETTA Law Firm, provide an overview of the controversial aspects of the Transparency Decree from a data protection and privacy perspective, particularly regarding its impact on HR departments' daily activities, as well as on the potential overlays with applicable data protection obligations.

Jian Fan / Essentials collection / istockphoto.com

The Transparency Decree was published in the Official Journal on 29 July 2022 and entered into force on 13 August 2022. Given that no grace period was granted, employers shall comply from the beginning in case of new hires.

Through this piece of legislation, the Italian Government introduced significant new obligations to the quality and quantity of information the employer shall communicate to its employees, potentially extending the scope of the Directive, and causing possible overlaps with another important European framework: the one introduced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Article 4 of the Transparency Decree amends Legislative Decree No. 152 of 26 May 1997 ('the Work Decree') by introducing new Article 1-bis to the Work Decree.

More specifically, Article 1-bis of the Work Decree obliges employers and public and private contractors to properly inform workers when using automated decision-making or automated monitoring. Such information must be provided before the commencement of work, and must include the following additional information (beyond those related to the management of the work relationship from a labour law perspective, according to Article 1 of the Work Decree):

  1. "the aspects of the employment relationship which are affected by the use of the systems (…)
  2. the purposes and aims of the systems (…)
  3. the logic and functioning of the systems (…)
  4. the data categories and main parameters used to program or train the systems referred to in subparagraph 1, including performance evaluation mechanisms
  5. the control measures taken for automated decisions, any correction processes and the person responsible for the quality management system
  6. the level of accuracy, robustness, and cybersecurity of the systems (…) and the metrics used to measure these parameters, as well as the potentially discriminatory impacts of these metrics".

Such further information shall be provided when the abovementioned systems are able to reveal elements concerning:

  • the phase of recruitment or assignment;
  • the management or termination of the employment relationship;
  • the assignment of tasks or duties; or
  • the information affecting the monitoring, assessment, performance, and fulfilment of the contractual obligations of employees.

With regards to the current workforce, the employer or contractor is obliged to provide, update, or supplement the abovementioned information within 60 days from the entry into force of the Transparency Decree. Breaches of such provisions are punished according to the fines established by Legislative Decree No. 276 of 10 September 2003, as recently amended by Article 5 of the Transparency Decree (for a brief description of the penalty framework, see below).

Assessing current employees-related tools

It would be legitimate to say that systems supporting companies' decision-making related to employees' performances or working activity in general are considered, according to Article 1-bis of the Work Decree, as automated decision-making pursuant to Article 22 of the GDPR. However, Article 1-bis of the Work Decree goes beyond the realm of data protection, by providing a 'reinforced right' to employees to be exercised in the work environment.

Under this perspective, a very high number of software and applications, nowadays used by companies to evaluate their workforce, are likely to fall within the scope of the broad definition introduced by this new legislation, to the point that a massive rethinking of tools used at company level to manage personnel activities is not only advisable but, rather, necessary.

More information is always the best solution?

Considering all the elements enlisted by Article 1-bis of the Work Decree, some may wonder if the wide range of information (as well as the technicalities underlying) to be communicated to employees may, effectively, be provided 'in a transparent manner, in a structured, commonly used and machine-readable format'. The principle of transparency is indeed one of the central principles enshrined in Article 5 of the GDPR. It certainly shapes the content and modalities with which data controllers inform data subjects (specifically in connection to the information prior to the processing as well as with regards to their data protection rights), as duly reported in Article 12 of the GDPR.

As such, what has been emphasised by many is a strong risk of overlapping of the information obligations and fulfilments due under the privacy legislation with those now provided for by the Transparency Decree.

Single or double privacy notice: what is going to happen in practice?

As the ratio of the obligation to inform under the Transparency Decree is similar to the one underlying Articles 13 and 14 of the GDPR, it is not clear if the best way to inform employees would be to provide two separate documents or a comprehensive one. If this option would be pursued to better tailorise the quality of information given, on the other hand, it risks confusing the employee, even if all the transparency parameters are complied with, notwithstanding the effort the employer must undertake to perfectly combine the elements required by both the GDPR and the Transparency Decree in a single document (for example, informing the worker on data security is required by the latter, but not strictly necessary according to the GDPR).

Furthermore, it shall be considered that the task of the employer does not extinguish once the information has been provided at the commencement of the work activity, but instead 'workers must be informed in writing, at least 24 hours in advance, of any change affecting the information [already] provided that entails a change in the conditions under which work is performed'.

Lastly, not only information must be provided in a transparent manner to the worker, but also 'be made available to the company trade union representatives or to the unitary trade union representation and, in the absence of the aforesaid representatives, to the territorial offices of the trade union associations that are comparatively more representative at national level'.

Employees access right vs. Data Subject Access Request

The employee, directly or through the company or territorial trade union representatives, has the right to access the data processed by the employer through automated systems and to request further information concerning the systems involved.

The employer or contractor is required to transmit the requested data and to respond in writing within 30 days from the request.

The content of the right, as well as the envisaged timing, refer to the right of access and the transparency principle set forth by Articles 15 and 12 of the GDPR. Whether Article 1-bis of the Work Decree entails a sort of 'reinforced Data Subject Access Request' is not yet safe to say. It is worth mentioning, though, that the possibility to extend, up to two months, the period to reply to the data subject, admitted according to Article 12 of the GDPR ('where necessary, taking into account the complexity […] of the request'), does not seem to equally apply in case the data subject is an employee accessing information on automated decision-making and monitoring systems.

Other compliance obligations

Lastly, the Transparency Decree reiterates the need to update the register of processing activities, pursuant to Article 30 of the GDPR, which must also include surveillance and monitoring activities (even though the legislator does not provide a detailed explanation of the related meaning), and to carry out appropriate risk analyses, as set forth by recitals 49 and 83 and Article 32 of the GDPR and Data Protection Impact Assessments ('DPIAs'), as indicated in Article 35 of GDPR, when necessary.

Although such requirements should come as no surprise, considering that they are already indicated as mandatory in another legislation upon the occurrence of certain circumstances, it might, however, give the impression of a particularly careful legislator, aiming to openly (as the requirements are reiterated, and reinforced, on a national law) admit that specific safeguards are required in case of automated decision making and monitoring of employees, i.e., the weakest part of the work relationship.

Sanctions: another possible overlap with the GDPR?

According to Article 5 of the Transparency Decree, in case of non-compliance with the provisions set forth by Article 1-bis above, employers may be punished to the payment of a fine ranging from €250 to €1,500 for each worker concerned by the violation, without prejudice to the possibility of personal data protection breaches where the conditions set out in Article 83 of the GDPR and Article 166 of Legislative Decree No. 196 of 30 June 2003 ('the Personal Data Protection Code') are met.

According to the GDPR, unlawful information provision (for example, in the absence of a privacy notice or when data controller rely upon an unclear and not plain language) may lead to fines up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Conclusive remarks

What appears unclear is to which extent the amendments introduced by the Transparency Decree will increase the understandability of the mechanism underlying the use of automated decision-making and monitoring systems in the variegated work environment.

It is likely that advanced systems will be implemented to monitor workforces whose educational level is not always particularly advanced (employees operating in industrial implants or large warehouses are just few examples). In this respect, the innovations described above may only raise the level of employees' knowledge of automated tools and help them making more informed choices.

On the other side of the work relationship, though, undoubted burdens are on the horizon. Relaying on external consultants which can help understanding the practical impact of the new provisions for the business, drafting the best HR information notices, or conducting a DPIA is just one of the potential costs employers and contractors are obliged to deal with as a consequence of the Transparency Decree's entry into force.

The advice is to swiftly start working internally to meet the deadlines and respect the new obligations, as Ippolito Nevio, author of the novel Confessions of an Italian said, 'a good start is half the work'.

Rocco Panetta Managing Partner
[email protected]
Marta Fraioli Associate
[email protected]
PANETTA Law Firm, Rome