Labor consultants: considerations by the Italian Data Protection Authority on their privacy role
The question regarding the role of data controller or processor of labor consultants and other specifically regulated professions is often at the center of heated negotiations. Compared to the preceding data protection framework, the GDPR has increased the obligations directly applicable to the processor; as a consequence, many organizations prefer to be qualified as autonomous controllers rather than as processors, in order to benefit from greater decision-making power on the processing. Against this background, the Italian Data Protection Authority (“Autorità Garante per la Protezione dei Dati Personali”) has responded to the question posed by the National Council of Labor Consultants by clarifying once and for all their data protection role. Find out the answer in the new article by ICT Legal Consulting and ICT Cyber Consulting.
Discover all answers in this article by ICT Legal Consulting, an international law firm with offices in Milan, Bologna, Rome and Amsterdam and presence in nineteen other countries specialized in the fields of ICT, Privacy, Data Protection/Security and Intellectual Property Law.
Premise
On 22 January the Italian Data Protection Authority (Garante) has published some clarifications regarding the question presented by the National Council of Labor Consultants on Labor Consultant’s role in the General Data Protection Regulation’s framework, with a focus on the qualifications of their privacy role, whether they act as data controller or data processor.
Main issues
The Authority opts for a solution that distinguishes the role of the labor consultant depending on whether the personal data processed is related to:
a) Labor consultant’s employees or customers (natural persons);
b) Labor consultant’s customer’s employees.
In the first case, the labor consultant acts as data controller determining the customer’s personal data processing autonomously and independently. The abovementioned case argument is based on the fact that the labor consultant does not limit his/her activity to the execution of the agreement with his/her customer but exercises a completely independent decision-making power regarding the purposes and means of the processing of his/her employees’ or customers’ personal data. The data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4.7 of the Regulation).
In the second case, the labor consultant shall be qualified as data processor, which is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4.8 of the Regulation).
Therefore, the instructions included in the contract concluded between the data controller and the data processor shall respect the organizational independency that the labor consultant has to maintain in carrying out his professional activities and shall always take into account the ethical rules and the legal obligations which regulates such activities.
Practical implications
In this framework, the labor consultant, assuming the role of data processor, will have to adopt appropriate technical and organizational measures, taking into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” (art. 32.1 of the Regulation).
Continue reading here.
In collaboration with
ICT Legal Consulting is an international law firm with offices in Milan, Bologna, Rome and Amsterdam and presence in nineteen other countries specialized in the fields of ICT, Privacy, Data Protection/Security and Intellectual Property Law.
