Transparency Decree: New privacy obligations towards employees in Italy

The so-called Transparency Decree has been adopted in Italy, introducing, among others, new information obligations, including new privacy obligations, of the employer towards employees on the use of automated decision-making and monitoring systems.

The Legislative Decree No. 104 of June 27, 2022, is the implementation Directive (EU) 2019/1152 in Italy but is better known as the Transparency Decree.

The Transparency Decree introduces in Italy a number of onerous information obligations to be borne by the employer with reference to different types of labor contracts, forcing companies to redraft their employment contracts, introducing a range of information that until now was handled through a simple reference to the Collective Bargaining Agreement.  You can watch the event run by our colleagues of the employment law department at the law firm DLA Piper on the Transparency Decree at the link available HERE.

The provisions of the Transparency Decree also have significant privacy implications because they introduce the new Article 1-bis of Legislative Decree No. 152/1997, obliging the employer to

“inform the worker of the use of automated decision-making or monitoring systems deputed to provide indications relevant to the recruitment or assignment, management or termination of the employment relationship, assignment of tasks or duties as well as indications affecting the supervision, evaluation, performance, and fulfillment of contractual obligations of workers.“

Thus, reference is made to the use of these tools from the recruiting stage, through the management of the employment relationship and its termination.

The purpose of this provision, then, would seem to be to avoid “information asymmetries,” where principals or employers process employees’ personal data through automated processes in order to carry out coordination and management activities of the employment relationship.  This provision goes beyond what is already provided for in Article 22 of the GDPR with respect to the right not to be subjected to decisions based solely on automated processing, by providing exceptions and the individual’s right to obtain human intervention by the controller, to express his or her opinion and to challenge the decision.

So the Transparency Decree also brings within the scope of automated decision-making and monitoring systems those that support business choices, which opens the door to a huge amount of tools because almost every company for example has a system for evaluating its employees based on certain parameters.

The information obligations under the Transparency Decree reproduce, even perhaps with greater detail, the privacy obligations in relation to automated decision-making and monitoring systems because they cover:

1. the aspects of the employment relationship that are affected by the use of the systems;
2. the purposes and aims of the systems; and
3. the logic and operation of the systems;
4. the major data categories and parameters used to program or train the systems, including performance evaluation mechanisms;
5. the control measures taken for automated decisions, any correction processes, and the quality management system manager; and
6. the level of accuracy, robustness, and cybersecurity of the systems and the metrics used to measure those parameters, as well as the potentially discriminatory impacts of those metrics.

In addition to that, the Transparency Decree expressly stipulates that there is an obligation to supplement the GDPR’s processing register and to perform an impact assessment (a DPIA) in relation to the processing.

Yet, in the event that any changes or additions are made to the automated systems subject to disclosure in the context of the employment relationship, it will also be necessary to inform the trade union representatives.

There is clearly an overlap between the information obligations and fulfillments due under the privacy regulations with those now provided for under the Transparency Decree.  The consequence of this could be that the level of detail of privacy notices for applicants and employees will have to be significantly increased to avoid a challenge under both the GDPR and the Transparency Decree with the risk of a double fine in case of non-compliance.

The Transparency Decree was published in the Official Gazette on July 29, 2022, and will come into effect on August 13, 2022, without any grace and transition period, which means that companies will already have to comply with its dictates.  In fact, effective from this date, all new labor contracts will have to comply with the requirements of the Transparency Decree, and in relation to existing contracts, employees can request that their contracts be updated.

On a similar topic, you can find interesting the following article “Artificial intelligence – What privacy issues with the GDPR?“.

Photo by Dylan Gillis on Unsplash