Lawyer Monthly Magazine - July 2019 Edition

of art. 2 octies, this decree has not been published yet. In the absence of a specific provision to this effect, many authors had initially thought to remedy this considering that the processing of judicial data could be legitimate in cases where it was provided for by a rule of the collective agreement applicable in the relevant industry (also in relation to article 88 of the GDPR and recital 155): for example, rules with this content are laid down in NCLAs for workers in the Industrial Engineering, Credit, Postal Services and Railway Mobility sectors. However, by measure no. 314 of 22nd May 2018, the Authority for the Protection of Personal Data excluded this possibility: in particular, it censured the conduct of a company that processed this type of data in application of the specific provision of the CCNL Metalmeccanici (National Collective Labour Agreement for Metalworkers), since the provision was deemed too general and in any case lacking those security measures required by article 10 of the GDPR. It’s an impasse situation with no way out, then. One way out of the impasse is to consider the already mentioned Articles 8 of Law # 300/1970 and 10 of Legislative Decree # 276/2003 in terms of a “Member State law providing for appropriate safeguards for the rights and freedoms of data subject”. Employers are obliged to comply with the provisions of Article 8 of Law # 300/19: conduct; contrary to this rule, on the one hand, it represents a type of offence that can be punished by a penalty ranging from € 155 to € 1549 or arrest from 15 days to one year and, on the other hand, may constitute the basis for claims for compensation at Court by the worker. It should not be forgotten that article 8 is a provision contained in the Workers’ Statute, a regulation that next year will be exactly 50 years We know that the GDPR foresees that the processing of personal data relating to criminal conviction and offences has to fulfil a double condition of lawfulness, that is, on the one hand, the operation of one of the legal bases under Article 6 of the GDPR (consent, legitimate interest, execution of the contract...) and, on the other, the presence of an internal or European law provision which grant appropriate guarantees for the rights and freedoms of the data subjects. With regard to internal regulations, the legislative decree that updated the Privacy Code (Legislative Decree no. 196/2003) introduced art. 2 octies, containing “principles governing the processing of data relating to criminal convictions and offences”. Here, the Legislator has identified a series of hypotheses for the processing of judicial data that are abstractly possible, among which the employment-related case: however, it was also specified that, in order to define the appropriate instruments to ensure appropriate guarantees for the rights and freedoms of the data subjects, a special ministerial decree will be issued. At present, almost 10 months after the introduction “The background checks that trigger the greatest risk exposure are certainly those related to the criminal data of the employee or candidate that is, his/her criminal record” 64 Professional Excellence www. lawyer-monthly .com JUL 2019