Lawyer Monthly Magazine - July 2019 Edition

be limited to the minimum necessary with respect to the purposes legitimately pursued, in the field of employment law the collection of information on the candidate is allowed to the extent that it is relevant in order to proceed with the recruitment: in both cases, therefore, the guiding criterion is that of relevance. The real difficulty of this operation lies in the selection of the relevant information for every position and in the possibility of justifying this selection, also considering we have seen and still see significant fluctuations in Italian jurisprudence. What about the personal data published on social media? While it is relatively easy to comply with the information noticeobligationwhen itcomes to personal data relevant to the employment relationship and provided directly by the person concerned (such as those contained in the CV or reported spontaneously in the interview), the discussion becomes more complicated when the source of the information is a third party or, as it increasingly happens, the personal data is already easily available on the Internet or on social media. Obviously, there is no standard answer and, in practice, it will depend on the type of datum, its position, and of social medium from time to time. However, there is one certainty: the fact that the data is substantially public and easily accessible is not sufficient to exclude the application of the GDPR. On the contrary, this circumstance only strengthens the information notice obligation: in the case of processing of personal data acquired from sources other than the person concerned, the latter shall be provided with complete information about the nature of these data and the source from which they are taken (possibly public) anyway. For example, WP29 (in its opinion # 2/2017) refers to an employer who, after the employment relationship has ended, monitors the LinkedIn profile of a former employee bound by a non- competition agreement: in this case, the legal basis is the legitimate interest of the employer in verifying the employee’s compliance with this agreement. The criterion between lawful and unlawful, on the other hand, will still concern the relevance or otherwise of the data processed for the purposes of assessing the worker’s professional aptitude. What if the background check is about the candidate’s criminal record or judicial background? Are there any national regulations coming to the forefront? The background checks that trigger the greatest risk exposure are certainly those related to the criminal data of the employee or candidate that is, his/her criminal record and his/her certificate of pending charges. deny his/her consent to the employer). Having synthesized in essence the data protection-related discipline, as regards pre-hiring investigations it is to be noted that in the Italian labour law system too, there are provisions that closely follow the aforesaid GDPR principles. In particular, I would mention the provisions of Article 8 of Law # 300/1970 (the so-called Workers’ Statute) and Article 10 of Legislative Decree # 276/2003 (the so-called Biagi Law). The first rule, which dates back to the early 1970s, prohibits employers from investigating the worker’s religious, trade union and political opinions, as well as circumstances that are not relevant to assessing his/her professional aptitude, both when he/she is hired and during the course of the relationship. The 2003 legislation (which mainly concerns employment agencies) reaffirms and enriches the principle laid down in Article 8 of Law # 300/1970, also specifying that the prohibition may not be overcome even in case the worker provides his/her consent. In summary, if in the field of privacy the processing shall “In general, the answer is yes: you can do background checks on a candidate.” 63 Professional Excellence www. lawyer-monthly .com JUL 2019