Smart working and the new privacy regulation: EU regulation 2016/679

Since the tools offered to the worker have gone from being simple work tools to also being tools for controlling the worker in the hands of the employer, the latter can potentially monitor the worker’s movements, communications, internet browsing and so on. For this reason, Legislative Decree 151 of 2015, known as the Jobs Act, amending article 4 of law 300 of 1970, introduced into the system the principle that, when certain conditions are met, control of the worker deriving from the use of work tools that are also capable of surveilling the worker (for example, GPS, tablet, etc.) is legitimate and requires no authorization procedure. In other words, the legislator acknowledged that control has, in some cases, become so immanent to the performance of work that requiring any procedure to authorize it appears anachronistic.

To offset this liberalization, however, the legislator provided, in paragraph 3 of the new article 4, for an obligation to inform the worker about the processing of personal and identification data acquired as a result of worker controls. In particular, this paragraph establishes: “the information collected pursuant to the first and second paragraphs can be used for all purposes related to the employment relationship provided that the worker is given adequate information on how to use the tools and carry out the controls and in compliance with the provisions of legislative decree 30 June 2003, n. 196”. On closer inspection, this is a duty of information borrowed from the one provided for by article 13 of Legislative Decree 196 of 2003, the famous privacy code, which generally requires information on “the purposes and methods of the treatment to which the data are destined” and which has already been applied to the employment context by Resolution n. 13 of 1 March 2017 of the Guarantor Authority for the protection of personal data, regarding the worker’s use of company e-mail and internet.

According to this resolution, the employer bears the “burden of indicating in any case which methods of using the tools (editor’s note) made available are believed to be correct and by which methods checks are carried out”. There are two principles on which this resolution is based.

The first is that of necessity set out in Article 3 of Legislative Decree 196 of 2003, which prohibits the casual use of personal data and identification data. The second is that stated in article 11 of Legislative Decree 196 of 2003, according to which the data must be processed “for specific, explicit and legitimate purposes, relevant and not exceeding the purposes for which they were collected” with a storage time no longer than necessary “for the purposes for which they were collected or subsequently processed”.

And so, on a practical level, as a result of the aforementioned resolution, the employer is required to fulfill multiple obligations through an internal policy. By way of example, he must: identify the ways in which e-mail and internet browsing may be used for personal reasons (e.g. outside of working hours); specify the types of sites that may be freely accessed as well as the downloads of software or music files permitted; determine if and to what extent he reserves the right to carry out checks and the specific reasons behind them; and highlight the methods of these checks and the disciplinary consequences of ascertaining undue use of e-mail or the Internet. And again, the employer must identify the sites related to the work performance, use filters or systems that prevent certain operations, or finally arrange for the possible assignment of a different e-mail address for private use.

On this basis, and moving on to the second point of the analysis, it can be argued that the current regulation on remote control of workers is hardly compatible with smart working, both in terms of the purpose it pursues and in terms of the confidentiality obligations deriving from it. From the first point of view, it is sufficient to note that the smart worker carries out his work outside the company walls and with a view to productivity. Consequently, there is no need to check whether the worker damages company assets, simply because he does not come into contact with them. From the second point of view, the employer’s control of most of the smart worker’s personal and identification data is more than immanent to the performance of the job itself, given that the job takes place remotely and therefore by means of an uninterrupted flow of such data between employer and worker.

Therefore, if the employer “conveniently” enters the private sphere of the smart worker, then the information burden regarding the employee’s identification and personal data, as set out by the Data Protection Authority with the noted Resolution no. 13 of March 1, 2017.

In this context, and moving on to the last point of the analysis, there is a need to rethink the legislation on worker controls for the smart worker, referred to in Article 4 of the Workers’ Statute, in two directions.

- The first is that of not applying this provision to the smart worker, especially through company bargaining, possibly by way of derogation, which could, case by case, work out the rules on smart worker control that best meet the needs of the specific case.
- The second is that of introducing a new paradigm whereby the control of personal and identification data, being more than inherent in the smart worker’s performance, is a risk that the worker agrees to run and with respect to which the employer is simply required to provide adequate information. In other words, it would mean shifting the reflection on this control onto the ground of worker safety legislation or within the perimeter traced by Legislative Decree no. 81 of 2008.

In this sense, the entry into force (in 2018) of the European Privacy Regulation n. 679 of 4 May 2016, which entrusts the Member States with the task of providing, through the law or collective bargaining, “more specific rules to ensure the protection of rights and freedoms with respect to the processing of employees’ personal data in the context of employment relationships”. On closer inspection, moreover, it is precisely this European regulation that seems to create interference between the data protection and workplace safety regulations.

For example, in terms of privacy by design, i.e. the criterion that requires data protection to be regulated for the entire life cycle of the data, the Regulation seems to evoke the criteria of risk prevention at source and the programming of prevention with a view to “eliminating and / or reducing risks to a minimum in relation to the knowledge acquired on the basis of technical progress”. In terms of privacy impact assessment, i.e. the criterion that requires evaluating the impact that data processing may have on data subjects, the Regulation requires the employer to carry out an assessment of all risks and to draw up a document containing the programming and the identification of the risks and of the measures to be prepared, in the same way as the provisions of articles 17 and 28 of Legislative Decree no. 81 of 2008.

In conclusion, smart working confronts our system with new challenges which, in order to be overcome, require the legislator to look at reality through new lenses, setting aside those of the twentieth century, and a good dose of legislative engineering. Moreover, the success of smart working depends largely on this. If the legislator continues to wrap it in the laces and straps of the old labor law schemes, smart working will not be able to express its potential. Nor can collective bargaining be decisive in this regard. It would be yet another wasted opportunity to relaunch our labor market. After all, change calls us to build a win-win company in which innovation, work and man win together.