Authorisation no. 1/2002 Concerning Processing of Sensitive Data in the Employment Context

The Garante per la protezione dei dati personali

On this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General;

Having regard to Act no. 675 of 31.12.1996, as subsequently amended and supplemented, concerning the protection of individuals and other subjects with regard to the processing of personal data;

Having regard to, in particular, Section 22(1) of the abovementioned Act, in which "sensitive" data are referred to;

Whereas private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ consent in writing;

Whereas the processing of sensitive data may be also authorised by the Garante ex officio by way of general provisions applying to specific categories of controller and/or processing in pursuance of Section 41(7) of Act no. 675/1996;

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation orders;

Whereas it is appropriate to grant new general authorisations to replace those due to expire on the 31^st of January 2002 by streamlining their provisions in the light of the experience gathered so far;

Whereas it is appropriate for these new provisional authorisations to be also time-limited in pursuance of Section 14 of Presidential Decree no. 501/1998 in view of the forthcoming adoption of a consolidated text of the provisions applying to personal data protection as required by Act no. 127/2001;

Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity;

Whereas the processing of sensitive data is carried out, to a considerable extent, in the employment context;

Having regard to Section 35 of Act no. 675/1996;

Having regard to the regulations including provisions on the minimum security measures, as adopted by Presidential decree no. 318 of 28.07.99;

Having regard to Section 14 of Presidential decree no. 501 of 31.03.98;

Having regard to official documents;

Having regard to the considerations made, on behalf of the Office, by the Secretary General in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);

Acting on the report submitted by Prof. Stefano Rodotà;

Hereby authorises

the processing of sensitive data as per Section 22(1) of Act no. 675/1996 for the purpose of managing employer-employee relationships, in compliance with the following requirements:

1) Scope

This authorisation shall be granted:

a) to natural and legal persons, businesses, bodies, associations and organisations which are parties to a labour relation or hire employees under atypical, part-time or temporary arrangements, or anyhow entrust the persons referred to under item 2), subheadings b) and c), with professional tasks;

b) to equi-representational bodies or other bodies running observatories on labour matters as provided for by laws, Community legislation, regulations or collective agreements, even when related to individual businesses.

This authorisation shall also apply to the activities performed by medical doctors competent for occupational health and safety, regardless of their being self-employed workers or employees either of the entities referred to under a) or of bodies operating under contract with the National Health Service.

2) Data subjects

Processing may concern sensitive data in respect of:

a) employees, including on a temporary basis, trainees and apprentices, or (joint) partners and, where necessary as per 3) and 4), the respective family members and cohabiters;

b) consultants and professionals, agents, representatives and mandataries;

c) any person carrying out co-ordinated activities during a continuance of time for a given employer and any other self-employed workers co-operating with the entities as per item 1);

d) applicants for the positions referred to above;

e) natural persons holding offices in the legal entities, bodies, associations and organisations which are referred to under 1);

f) third parties who have been harmed in the exercise of labour or professional activities by the persons referred to above.

3) Purposes of the processing

The processing of sensitive data must be necessary:

a) in order to perform or enforce performance of specific obligations, or else to discharge specific functions as provided for by laws, Community legislation, regulations or collective agreements, even when related to individual businesses, particularly with a view to complying with provisions related to social security and assistance, occupational or population health and safety, taxation, health care, public order and security;

b) for accounting purposes or the payment of salaries, allowances, premia, other kinds of remuneration, gifts or fringe benefits, even apart from the cases referred to under a), provided this is in compliance with the laws in force and serves specific, legitimate purposes;

c) for the protection of the data subject´s or a third party´s life or bodily integrity;

d) for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration or settlement proceedings in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim is of an equal level as compared with the data subject´s one if the processing concerns data disclosing health and sex life;

e) in order to exercise the right of access to administrative records in compliance with the relevant laws and regulations;

f) in order to fulfil obligations resulting from insurance contracts against risks related to employers´ liability for occupational health and safety and occupational diseases, or against any damage caused to third parties in the exercise of labour or professional activities;

g) in order to ensure equal opportunity actions.

4) Data categories

Processing may concern the data that are closely relevant to the obligations, tasks or purposes referred to under 3) that cannot be fulfilled, on a case by case basis, by processing either anonymous data or personal data of a different kind, and in particular:

a) with regard to data disclosing religious, philosophical or other beliefs, or membership of associations or organisations with a religious or philosophical aim, any data concerning leave of absence, religious holidays or use of canteen services as well as those relating to conscience objection where this is provided by the law;

b) with regard to data disclosing political opinions, membership of parties, trade unions, associations or organisations with a political or trade-union aim, any data concerning exercise of public functions and holding of political offices (provided data processing is carried out in order to grant (temporary) leave of absence pursuant to laws or collective agreements, even when related to individual businesses) or the organisation of public initiatives, as well as any data relating to trade-union activities or offices and the deduction of fees due for trade-union services or membership of political or trade-union associations or organisations;

c) with regard to data disclosing health, any data collected in respect of (occupational) diseases, disability, sickness, pregnancy, child-bearing or breast-feeding, accidents, risk factor exposure, physical and mental qualification to perform specific functions and title to the special protection afforded by law to certain disadvantaged categories.

5) Processing arrangements

Without prejudice to the obligations set out both in Sections 9, 15 and 17 of Act no. 675/1996 and in Presidential decree no. 318/1999, processing of sensitive data shall only be carried out in accordance with such logic and organisational data arrangements as are closely related to the obligations, tasks and purposes referred to under 3).

The data shall be collected, as a rule, from the data subject.

Data shall be communicated as a rule either directly to the data subject or to the latter´s delegate subject to the provisions made in Section 23(2) of Act no. 675/1996, by using a closed envelope; alternatively, suitable measures shall be taken in order to prevent unauthorised persons from having access to said data, including the requirement of standing behind a line while waiting to be served.

This authorisation shall be without prejudice to the requirement of informing the data subject and obtaining his/her consent in writing as per Sections 10 and 22 of Act no. 675/1996.

6) Data retention

In compliance with the obligation referred to in Section 9(1), subheading e), of Act no. 675/1996, sensitive data may be kept for no longer than is necessary to fulfil the obligations or discharge the tasks referred to under 3), or else to achieve the purposes mentioned therein. To that end it shall be determined, also by way of regular controls, whether the data are relevant and not excessive with regard to the existing, planned or terminated relationship, performance or tasks - including the data supplied on the data subject´s own initiative. The data that are found by said controls to be either excessive or irrelevant or unnecessary may not be used except with a view to keeping - as required by law - the instrument and/or document where the data are contained. Special attention shall be paid to relevance of the data concerning entities that are not immediately related to fulfilment of the abovementioned obligations and/or tasks.

7) Data communication and dissemination

Sensitive data may be communicated and, where necessary, disseminated - exclusively with regard to the obligations, tasks and purposes referred to under 3) - to public and private bodies including health care organisations, Funds for health care and assistance, even when set up by individual businesses, brokerage agencies, employers´ associations, professionals, external businesses acting as controllers of separate data processing operations and the data subject´s family members.

Data disclosing health may be only disseminated if this is necessary for the prevention, detection or suppression of criminal offences in compliance with the relevant provisions, as laid down in Section 23(4) of Act no. 675/1996.

No data disclosing sex life may be disseminated

8) Requests for authorisation

Where the processing falls within the scope of this authorisation, no application for authorisation shall have to be filed with the Garante by the relevant controller, provided the proposed processing is in line with the above provisions.

Any applications for authorisation which have already been received, or which will be received following the adoption of this authorisation, shall be regarded as granted insofar as they comply with the requirements laid down herein.

No applications for the authorisation of processing operations that are not in pursuance of the provisions laid down herein shall be taken into consideration by the Garante, unless they are to be granted on account of special or exceptional circumstances which are not referred to in this authorisation.

9) Final provisions

Any laws, regulations or Community rules imposing prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, especially as regards:

a) Section 8 of Act no. 300 of 20.05.70, prohibiting employers from investigating, even by the agency of third parties, employees´ political, religious or trade-union opinions or any facts that are irrelevant to the assessment of employees´ professional qualifications, whether with a view to their employment or in the course of labour relations;

b) Section 6 of Act no. 135 of 05.06.90, prohibiting employers from investigating seropositivity of employees or applicants for employment;

c) provisions against discrimination or applying to equal opportunity policies.

10) Effectiveness and Transitional Provisions

This authorisation shall be effective as of 1 February 2002 until 30 June 2003.

If, by the date on which this authorisation is published, the processing is not compliant with the provisions that are not included in Authorisation no. 1/2000, the data controller shall have to bring it into line with said provisions by the 31st May 2002.

This authorisation shall be published on the Official Journal of the Italian Republic.

Done in Rome, this 31st day of January 2002.

THE PRESIDENT
Rodotà

THE RAPPORTEUR
Rodotà

THE SECRETARY GENERAL
Buttarelli