Text of the European Regulation (EU 2016/679) as published by the Official Journal of the European Union (applies from 25 May 2018).
According to the Jobs Act, no authorization is required for checks that are carried out through work tools. When a specific device (computer, tablet, mobile phone…) is used by the employee to carry out his duties or a specific task, there is no need to request prior authorization to use it. This, however, leaves tools capable of monitoring the worker's activity open to abuse against the worker.
According to the European Commission, however, "personal data is any information relating to an individual, linked to his private, professional or public life".
According to the European Supervisor, in particular, software that not only serves to facilitate the management of workers' practices but also carries out monitoring, storing personal data referable to the activity of individual employees and extracting reports relating to the service performed, must be authorized in advance. Authorization is also needed when the data has no immediate association with the name of the employee but can still be combined with an operator code, or can be cross-referenced by consulting information stored in separate systems.
In these cases, the Privacy Guarantor has ruled out treating such systems as equivalent to the tools used by the worker to carry out his work, which would make them not subject to authorization under the Workers' Statute. Software that monitors the worker is instead a remote control tool, which as such must be subject to the appropriate authorization procedure.
Furthermore, these systems violate the Privacy Code if employees are not provided with complete and detailed information about the effective methods and purposes of the processing operations made possible by the application.
As regards the protection provided by the Privacy Code, the legislation establishes that the information collected through work tools can be used, provided that the employee is given an appropriate disclosure.
The disclosure, in particular, must indicate:
- how to use the devices;
- the methods for carrying out the checks;
- the specifications that guarantee compliance with the privacy legislation.
Consequently, in the event of a breach by the company in providing the information to the worker, the data collected through the equipment would not be usable for any purpose, not even disciplinary.
The lack of information or the lack of an organizational control system could lead to the heavy penalties provided for by the Privacy Regulation for companies, based on the company's worldwide gross turnover, with very high maximum thresholds (a fine of up to 10 million euros, or up to 2% of the global turnover recorded in the previous year in the cases envisaged by Article 83, Paragraph 4, or up to 20 million euro or up to 4% of the turnover in the cases envisaged by Paragraphs 5 and 6).
Consent should be expressed by means of an unequivocal positive act by which the interested party demonstrates the free, specific, informed and unequivocal intention to accept the processing of personal data concerning him, for example by written declaration, including by electronic means, or oral. This could include ticking an appropriate box on a website, choosing technical settings for information society services or any other statement or any other behavior which clearly indicates in this context that the data subject accepts the proposed processing. Silence, inactivity or pre-ticking of boxes should therefore not constitute consent. Consent should apply to all processing activities carried out for the same purpose(s). If the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is requested by electronic means, the request must be clear, concise and not unjustifiably interfere with the service for which the consent is expressed. (EU regulation 2016/679, point 32).
Any processing of personal data should be lawful and fair. It should be transparent to natural persons how personal data concerning them are collected, used, accessed or otherwise processed, as well as the extent to which personal data is or will be processed. The principle of transparency requires that information and communications relating to the processing of such personal data are easily accessible and understandable and that simple and clear language is used. This principle concerns, in particular, the information of data subjects on the identity of the data controller and the purposes of the processing and further information to ensure correct and transparent processing with regard to the natural persons concerned and their rights to obtain confirmation and communication of a processing of personal data concerning them. It is appropriate that natural persons are made aware of the risks, rules, guarantees and rights relating to the processing of personal data, as well as how to exercise their rights relating to such processing. In particular, the specific purposes of the processing of personal data should be explicit and legitimate and specified at the time of collection of such personal data. Personal data should be adequate, relevant and limited to what is necessary for the purposes of their processing. Hence the obligation, in particular, to ensure that the retention period of personal data is limited to the minimum necessary. Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. To ensure that personal data is not stored for longer than necessary, the data controller should set a deadline for the cancellation or for the periodic verification. All reasonable steps should be taken to ensure that inaccurate personal data is corrected or erased.
Personal data should be processed in a way that ensures appropriate security and confidentiality, including to prevent unauthorized access to or use of personal data and the equipment used for processing (paragraph 37).
Editorial – 09/04/2018