By order no. 146/2019 published at the end of July, the Italian Data Protection Authority (DPA) issued specific provisions for the processing of special categories of data in compliance with the GDPR. Herein we will highlight the most important provisions.

The processing of special categories of data in the employment context

The processing of special categories of data carried out for the purpose of establishing an employment relationship must be limited to the information necessary for the fulfilment of the purposes identified by the DPA, namely: compliance with obligations provided for by the law or by collective labour agreements; the keeping of accounts or the payment of salaries, cheques, bonuses, other emoluments, donations or ancillary benefits; the protection of the life and health of the employee or a third party; the enforcement of a right in court or in arbitration and conciliation procedures; the fulfilment of obligations deriving from insurance contracts relating to health and work safety, occupational diseases or damages caused to third parties during working activities; the granting of equal opportunities; the pursuit of specific and legitimate purposes identified by the statutes of the bodies representing employers, or by collective agreements, in the matter of trade unions’ assistance to employers. Personal data concerning the health status and racial and ethnic origin of candidates can be processed only for specific and legitimate purposes and only when necessary to establish an employment relationship. Genetic data may not be processed (even with the data subject’s consent) in order to assess the candidate’s application. When curricula contain irrelevant data, recruiters must refrain from using this information.

During the employment relationship, the employer can process data revealing religious or philosophical beliefs, or membership of religious or philosophical bodies, only for the purposes of granting permits for religious holidays, for the provision of canteen services or for the exercise of conscientious objection. Similarly, data revealing employees’ political opinions, their membership of a trade union, or the performance of public functions or political and trade union appointments, can be processed only to grant permits or leave periods, as well as for the exercise of trade union rights.

In all cases of communications addressed to employees containing special categories of data, individual communication channels and, in the case of paper documents, sealed envelopes must be used. Furthermore, if these documents also have to be transmitted to the competent offices of the employing company, they must contain only the information strictly necessary for the latter to perform their task, leaving out any excess information. It will be the sender’s responsibility to ensure that the data is received and processed by competent and authorized personnel only. Finally, with reference to data concerning absences from work, if the employer needs to disclose this data to parties other than the concerned subject (e.g. to the employee’s colleagues in order to lay down working schedules), the reason for the absence shall not be disclosed in all cases where it would be possible to infer from it the knowledge of special categories of data, such as union permits or health data.

The processing of special categories of data by associative bodies, foundations, churches and religious bodies

Special categories of data relating to subjects belonging to associative bodies, foundations, churches and religious bodies can be disclosed to third parties only to the extent that it is strictly necessary for the performance of supporting activities or for administrative and accounting purposes, on the basis of a written document that accurately identifies the category of information that will be disclosed. This data can also be disclosed to other members of the relevant body even in the absence of the data subject’s consent, if this is permitted by the body’s by-laws or articles of association, in so far as it is necessary for the pursuit of specific and legitimate purposes and provided that its use is explained in the privacy notice. Apart from these cases, the disclosure to third parties requires the data subject’s consent, provided that recipients and purposes of the disclosure are specified beforehand in the privacy notice, subject to the principle of relevance. Finally, this data can be disclosed to competent authorities for the purposes of prevention, detection and prosecution of crimes.

The processing of special categories of data by private investigators

Private investigators can carry out inquiries and collect personal data only by virtue of a written appointment specifying the right(s) that shall be exercised in civil court or the criminal proceedings connected to the investigation, the facts justifying the investigation and the time limit within which the latter must be closed. Private investigators must personally carry out investigations and cannot use adjutants not mentioned in the appointment. Broadly speaking, personal data thus collected can only be disclosed to the client and, once the investigation is closed, the processing must cease. Temporary storage of the data is permitted only in view of the immediate release of the information to the client, for the purpose of documenting the correct carrying out of the appointment; the pendency, or stay, of the proceedings related to the investigation, on the contrary, does not justify the keeping of the data. Genetic, biometric and health data acquired during the investigation can be disclosed to the competent authorities only for purposes of prevention, detection and prosecution of crimes, while data relating to sexual life or sexual orientation cannot be disclosed.

The processing of genetic data

The DPA stated that methods of conservation, use and transport of genetic data and biological samples must be suitable to guarantee their quality, integrity, availability and traceability, and that access to the premises in which they are stored must be regulated by a pre-established procedure. If this data is contained in lists, registers or databases, data controllers must also adopt security measures (such as, for example, encryption and pseudonymisation) aimed at preventing the direct identification of the data subjects. The disclosure of genetic data by e-mail is permitted on condition that the documents are attached and not included in the body of the message. In any case, the DPA requires the use of secure communication channels (including “web applications”) and the protection of the attachments with appropriate methods, in order to prevent their unlawful or accidental disclosure. Finally, access to this data is allowed upon adoption of authentication systems based on the combined use of information known to designated subjects and the use of devices in their possession.

The privacy notice must indicate which results can be achieved through the processing, the right to limit the disclosure of one’s own genetic data and the transfer of one’s own biological samples, as well as the possible use of the latter for further purposes. The data subject’s consent is necessary when the processing is aimed at protecting the health of a third party (in order to guarantee conscious reproductive choices or therapeutic or preventive interventions), to carry out defensive investigations, to perform genetic tests, or to carry out scientific research and statistical surveys not covered by the law.

In particular, the processing of genetic data for scientific and statistical research purposes must be aimed at protecting the health of the data subject, third parties or the community. This processing must be carried out by virtue of a detailed project that ensures the compliance of processing methods with the DPA’s provisions. In the absence of consent, the storage of data and samples collected is allowed only in specific cases (in particular, for statistical surveys or scientific research provided for by the law and limited to the pursuit of further scientific and statistical purposes directly related to those for which the consent was originally obtained). The data and samples collected in this way can also be communicated or transferred to research institutions and associations in the context of joint projects and on the basis of an agreement under Article 26 GDPR, for scientific purposes directly related to those for which they were originally collected, clearly determined in writing in the request for data and/or samples.

The processing of special categories of personal data for scientific research purposes

The DPA states that a scientific research project involving the processing of special categories of data (such as health data or genetic data) can legitimately identify exceptional reasons for which giving appropriate information to data subjects and acquiring their prior consent is impossible, excessively burdensome, or is likely to seriously prevent the achievement of the objectives. These reasons include: ethical reasons for which the subjects should ignore their epidemiological condition (e.g. epidemiological studies on the distribution of a factor that involves the development of a pathology for which there is no treatment); organizational impossibility; the subject’s state of health which prevents him from understanding the information and giving valid consent. Broadly speaking, biological data and samples are stored no longer than necessary for the purposes for which they were collected or processed. The research project must also indicate the storage period, following the termination of the project, at the end of which the data must be anonymized. Furthermore, the DPA prescribed the adoption of encryption or pseudonymisation techniques and other measures that prevent the identification of the subjects where not necessary. In any case, the data controller shall adopt specific technical measures in order to increase the security level during the collection, storage or filing phase, and in the processing and transmission of data to the research sponsors or to collaborators.