Following the outbreak of COVID-19 and its development into a global pandemic, organizations have been implementing exceptional measures to safeguard employees, customers and others against the health threat that is being posed. Organizations are also endeavoring to maintain 'business-as-usual' to the extent allowed by their particular circumstances. We already discussed the resulting data protection compliance implications from the perspective of the European Union ("EU") General Data Protection Regulation ("GDPR").
Besides EU law, it is also important to consider the respective national data protection laws, bearing in mind that, despite the fact that the GDPR is a Regulation, it does not create completely identical data protection rules across all Member States. Instead, it permits or requires Member States to implement specifications or restrictions on certain rules set out in the GDPR. National Data Protection Authorities ("DPAs") have already provided guidance on such particularities relating to COVID-19. The present article discusses the legal situation in Italy.
Overview: guidance provided by Italian DPA
The Italian DPA has issued specific guidance on the application of EU and national data privacy rules in the context of COVID-19. Such guidance documents are accessible on a dedicated section of its institutional website [1]. In addition, the Italian DPA has issued a collection of the most relevant legislative and regulatory provisions adopted since the emergence of the COVID-19 contagion. Such comprehensive documents (which are updated on a regular basis) are aimed at helping data controllers and data processors, along with privacy professionals such as DPOs and privacy consultants, to identify the legislative provisions with data privacy relevance, included in the high number of new laws, governmental decrees and resolutions, which are being adopted on a daily basis, to respond to the COVID-19 emergency in various sectors in Italy [2].
No "do-it-yourself (DIY)" data collection with regard to COVID-19 data
The Italian DPA pointed out from the beginning of the outbreak of COVID-19 that data protection considerations should be included in organizations' actions even in such emergency situations, as compliance with legal requirements is a mandatory prerequisite for prudent and level-headed action.
In this regard, on March 2, 2020, the Italian DPA published a "statement" [3] in which it clarifies how companies should process personal data in the context of their efforts to prevent the spread of COVID-19 among their employees and others in Italy. In particular, the DPA specifies that employers must refrain from collecting in advance and in a systematic and generalized manner, including through specific requests to employees or unauthorized investigations, health data to prevent the spread of COVID-19. The DPA will not consider such data processing justified on the basis that it is "necessary to protect the vital interests of the data subject or of another natural person" or "necessary for reasons of substantial public interest" [4].
Preventing the spread of COVID-19 is an objective to be pursued by entities that are tasked with discharging this mission in a professional manner and no "do-it-yourself (DIY)" data collection should be performed, says the Italian DPA.
National particularities
Organizations must have an appropriate legal basis for the processing of personal data and/or special categories of personal data relating to COVID-19 [5]. In addition to the legal bases laid down in the GDPR [6], it has been specified that such processing can also be based on the measures specifically adopted in the context of the COVID-19 emergency situation [7]. In addition, a shared protocol to regulate measures to prevent and limit the spread of COVID-19 in workplaces was signed on March 14, 2020 (Protocollo condiviso di regolamentazione delle misure per il contrasto e il contenimento della diffusione del virus COVID-19 negli ambienti di lavoro) [8], which also deals with data processing for employment-related purposes.
Applying the national particularities: individual measures and their legal admissibility
Considering the national legal particularities outlined above, certain specific individual measures in relation to the processing of employees' personal data in the private sector have been admitted, as set forth under the above-mentioned protocol:
- Collection of information relating to a COVID-19 case concerning an employee: employees who have come into contact with confirmed cases of COVID-19 are obliged to notify their employer in the 14 days following the contact (this measure does not apply to healthcare professionals and armed forces which have used protective gear). The employer is then required to notify the Public Health Authorities.
- Entrance to the workplace obligations: the employee may undergo a temperature test upon entering the workplace. If the result exceeds the 37.5°C threshold, entry to the workplace will be denied. The employer is required to notify all employees, before they enter the workplace, that access will be denied to those who have had contact with positive subjects or have come from areas at risk according to WHO's provisions. The recording of the temperature constitutes processing of personal data, therefore it is provided that:
  - The temperature should not be written but simply recorded. It is only possible to identify the person concerned and record the exceeding of the temperature threshold if it is necessary to document the reasons that prevented access to company premises; and
  - In the event of temporary isolation due to exceeding the temperature threshold, arrangements must be ensured to guarantee the confidentiality of the information related to the employee.
- Management of a symptomatic employee in the workplace: in the event that an employee in the workplace develops fever and symptoms of respiratory infection such as coughing, it must be declared immediately to the HR office, and the related isolation will have to be carried out according to the provisions of the health authority. Investigations can be carried out as to who has come into close contact with such employee.
- Sharing of a COVID-19 case concerning an employee with the other employees: the company is entitled to ask any subject who has come into possible close contact with the employee who has developed symptoms to carefully leave the premises, according to the indications of the Health Authority.
- Sharing of a COVID-19 case concerning an employee with public health authorities: The company will collaborate with the health authorities for the definition of any "close contacts" with the symptomatic employee.
Each of the above-mentioned measures needs to respect the general principles relating to processing of personal data. These include that personal data shall be collected for specified, explicit and legitimate purposes – in the cases discussed above in particular for the purpose of reducing the risk of infection –, that they shall be kept for no longer than is necessary for the purposes for which they are processed – i.e., no longer than necessary on the grounds of the COVID-19 pandemic's persistence – and that they shall be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorized or unlawful processing – which is of particular importance in the context of processing of special categories of personal data [9].
1 https://www.garanteprivacy.it/temi/coronavirus.
2 The Italian DPA collection is available at the following link, in Italian: https://www.garanteprivacy.it/documents/10160/0/Raccolta+delle+principali+disposizioni+adottate++in+relazione+allo+stato+di+emergenza+epidemiologica+da+Covid-19+aventi+implicazioni+in+materia+di+protezione+dei+dati+personali+%28AGGIORNATO+AL+9+APRILE+2020%29.pdf/a3c13c1b-f14a-2cb3-c63b-d65dce1df8b7?version=1.3
3 The "statement" is available at the following link, in English: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9282117#1
4 See Art. 9(c) and (g) GDPR.
5 See Article 9 GDPR; for further information on the qualification of personal data as special categories of personal data in the context of data processing following the COVID-19 pandemic, please see our general guide on COVID-19 and Data Protection Compliance.
6 See Articles 6 and 9 GDPR; for further information on the possible legal bases for processing of personal data relating to COVID-19 under the GDPR, please see our general guide on COVID-19 and Data Protection Compliance.
7 Such as the Ministerial Decrees of March 8, 9 and 11, 2020 setting out urgent measures for the containment and management of the epidemiological emergency caused by COVID-19.
8 The full text is available, in Italian, at the following link: governo.it/sites/new.governo.it/files/protocollo_condiviso_20200314.pdf
9 See Art. 5(1)(b), (e) and (f) GDPR and Art. 14 of Law Decree no. 14 of March 9, 2020.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP