The Data Protection Authority recently updated its FAQs regarding personal data processing in the face of the COVID-19 emergency, providing some important clarifications on contact tracing and medical data processing based on mobile app technology more generally. This article examines the data protection implications of contact tracing apps at national and regional levels, in medical applications and private enterprise.
A recent Supreme Court decision found that an employee who copies computer data stored on a company laptop entrusted to them for work purposes and subsequently returns the computer with said data deleted and the hard drive formatted is guilty of embezzlement pursuant to Article 646 of the Criminal Code.
Employers must ensure that the technical-organisational measures and software that they use are adequate to protect whistleblowers' confidentiality. The data protection authority recently reiterated this point when it fined a major university in Rome for failing to prevent the data of two people who had notified the university of possible data violations from being accessible online.
Following the General Data Protection Regulation's (GDPR's) entry into force, the legislature asked the Data Protection Authority to review and update the so-called 'general authorisations' that it issued to allow the processing of sensitive data in the absence of the data subject's consent. Drawing on Article 9 of the GDPR, the Data Protection Authority subsequently issued Provision 146/2019, which sets out the requirements for processing special categories of data in employment relationships.
With a view to balancing private sector interests and the protection of individual rights, in 2015 the legislature decided that personal data collected through the remote monitoring of employees can be used for disciplinary purposes if employers provide employees with information regarding the scope and purpose of said processing. A recent case established what type of remote monitoring is permitted in the absence of providing the required data protection information.