Three Legal Opinions of the Italian DPA clarify some GDPR Implementation Aspects
Personal Data Protection of Deceased Persons
This case arises from a request for the review of a refusal decision to admit a civic access to data concerning health related to a deceased person, presented to an hospital by a civic auditor in order to verify the possible existence of clinical errors and medical malpractice.
The Italian DPA, involved in the case, pointed out that, as provided by art. 3, paragraph 1, of Legislative Decree n. 33/2013, once a document become object of a civic access application, accepted by the competent authority, every personal data contained in it will become public, and anyone will have the right to know, use and reuse them, as established by article 7 of the same Decree. This excepts for the cases in which there is a law provision that expressly forbids access or diffusion of certain data.
In the Italian DPA opinion, one of the above-mentioned exceptions can be found in art. 2-septies of the Italian Legislative Decree 196/2003, as recently amended by the Legislative Decree 101/2008, that expressly forbids the diffusion of data concerning health. On this point, our authority clarified that in such prohibition are included data of deceased persons too as the Italian legislator expressly recognized a specific protection in favour of data related to said subjects.
Particularly, concerning personal data of deceased persons, the GDPR does not apply to them, but "Member States may provide for rules regarding the processing of personal data of deceased persons " (recital 27) and the Italian legislator, applying the above-mentioned option, stated that "the rights referred to in articles 15 to 22 of the Regulation", where "referred to personal data concerning deceased persons (…) may be exercised by who has a personal interest, or acts to protect the interested party, as his agent, or for family reasons worthy of protection " (article 2-terdecies, of the Italian Legislative Decree 196/2003, introduced by Article 2, paragraph 1, letter f, of the Legislative Decree n. 101/2018).
This having been said, in this case, the Italian DPA found that the relatives of the deceased person or other subjects indicated by the aforementioned provision of law were not involved in the civic access procedure, thus preventing these subjects from having the opportunity to present a possible opposition to access. Moreover, the case in object is excluded from the civic access scope, due the prohibition of the diffusion of data concerning health provided under art. 2-septies of the Italian Legislative Decree 196/2003.
As a further consequence, the Italian Data Protection Authority stated that the refusal decision of the hospital to admit civic access to data concerning health of a deceased person was in compliance with data protection law.
Communication of Nurses’ Personal Data to their Professional Association by Health Companies
A local professional nursing association (hereinafter “Professional Association”) asked to a hospital of the same local area (hereinafter “Hospital”) the list of all the nurses employed there.
As the Hospital could not be able to find a valid legal basis on which to base the communication of its nurses’ personal data to their Professional Association, it decided to submit the question to the Italian Data Protection Authority.
On this case, the Italian DPA pointed out that a data communication between data controllers for the execution of a task of public interest or connected to the exercise of a public authority, that process personal data other than those referred to in article 9 and 10 of the EU Regulation 2016/679, is allowed only if provided by law or, in some specific cases provided by law, regulation.
In this regard, the Legislative Decree 233/1946 that regulates health professions, as recently amended by Law 3/2018, does not assign specific powers to health professional associations in order to carry out general research and/or to collect personal information related to the persons registered with them by subjects other than the members themselves.
From a different perspective, professional association shall set up, publish on line and keep up-to-date a register of all its members, that employers or any person having a specific interest on it can easily consult.
On the basis of this premises, as a generalized collection of personal data relating to all the nursing staff operating in the local area of competence of a specific professional association cannot be qualified as a institutional function of this body, the Italian DPA clarified that the request of the Professional Association was not acceptable. Therefore, the Hospital involved in the case could simply reject
The Role of the Labor Consultant after the Full Implementation of GDPR
By letter dated 24 September 2018, the National Council of Labor Consultants submitted to the Italian Data Protection Authority a question concerning the role of labor consultant after the full implementation of GDPR, with particular reference to its qualification as data controller or data processor.
Firstly, it’s useful to remind the definitions of data controller and data processor provided by GDPR.
Particularly, the GDPR, defines data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data” and data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (please see art. 4, paragraphs 7 and 8, GDPR).
According to the regulatory framework outlined above, it is necessary to distinguish the two kind of data processing that can be carry out by a labour consultant. In fact, on one hand he may process personal data of his employees / customers in his quality of professional but, on the other hand the same subject can also process his client's employees data in order to perform his activity properly.
In the first case, as the labour consultant, for manage his professional activity, acts in full autonomy and independence and determines the purposes and means of processing of the customer's data, he is qualifiable as data controller.
In the second case, on the contrary, the activity of labour consultant is based on the task received by the client, that, for organizational reasons, decides to outsource a core service to a third party, providing him specific instructions for the processing to be carried out. The client determines the subjects involved, the purposes and methods to be used. The client, therefore, is qualifiable as the data controller and the consultant as data processor.
This interpretation is confirmed the Italian Law n. 12/1979, governing the organization of the labour consultant profession, that clarifies that the employer entrusts the consultant with the relevant assignment. However, this outsourcing does not exempt the employer from his responsibility foreseen by the legislation in case of violation of the obligations related to employment, social security and social protection (art. 7, Law N. 12/1979).
The Italian Data Protection Authority, in this note, also underlines that the legal basis that allows the processing of data relating to customers of the labour consultant (i.e. the data of the employer) can be found in the execution of the contract (Article 6, paragraph 1, letter b, of GDPR). On the other side, if the labour consultant acts as a data processor, the legal basis that legitimate the processing of personal data, including "sensitive" ones, concerning the employer's clients, must be identified by the client himself (i.e. the employer) pursuant to art. 9, par. 2, lett. b) of GDPR: in this case, the legitimacy of the processing is "transferred" to the processing activities carried out by the labour consultant because of his designation as data processor.
At the end of this recognition regarding the classification of the labour consultant privacy role, the Italian DPA underlines also that, according to article 32, paragraph 1 of GDPR, the labour consultant shall also identify and implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, taking into account "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. At the end the task, lastly, all personal data contained in the labour consultant’s archives must be deleted (or anonymized) and / or delivered to the client, which is the data controller, in full accordance with the conditions identified in the data processing agreement.
Article provided by: Chiara Agostini (R&P Legal, Italy)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, firstname.lastname@example.org