Data Protection in Italy during Covid-19

Italian DPCM of 26th April 2020 and the Protocol of 24th April 2020 allow the employer to take appropriate measures to control the access of employees, suppliers and visitors to workplace.

The employer may subject the staff to a body temperature check before entering the workplace: when temperature exceeds 37.5°, access to the workplace will not be permitted. Persons in this condition will be momentarily isolated, provided with masks and will not have to go to the Emergency Room and/or to the infirmaries, but they will have to contact their doctor as soon as possible and follow his indications.

The employer shall inform the staff in advance, and those who intend to enter the company, of the foreclosure of access to those who, in the last 14 days, have had contact with people who have tested positive for COVID-19 or come from areas at risk according to the WHO guidelines.

Moreover, the entry into the company of workers who have already tested positive for Covid-19 infection must be preceded by a prior communication with a medical certificate that shows that the swab has been "negativeized" in accordance with the procedures provided for and issued by the territorial prevention department of competence.

Finally, the swabs and serological tests shall only be ordered by the health authority. In particular, in case of serological tests, the employer must cooperate to ensure that employees undergo them.

Following the analysis work of a Task Force, the Extraordinary Commissioner has identified in "Immuni" the App for the fight against virus infection. The processing of personal data has been subject to evaluation by Italian Supervisory Authority and, therefore, stated by Article 6 of Law Decree no 28/2020. In particular:

• the data controller is Ministry of Health which coordinates with other actors (including data processors) between public administrations and health authorities;
• the data subjects receive, before the activation of the application, in accordance with Articles 13 and 14 of GDPR, clear and transparent information in order to achieve full awareness, in particular, of the purposes and processing operations, pseudonymisation techniques used and data retention times;
• by default, the application collects only personal data necessary to warn users of the application to fall within the close contacts of other users found positive to COVID-19;
• the alert system is based on the processing of proximity data of the devices, made anonymous or, where this is not possible, pseudonymized; in any case, the geolocation of individual users is excluded;
• data relating to close contacts are stored, including in users' mobile devices, for the period strictly necessary for processing, the duration of which is established by the Ministry of Health; the data are deleted automatically upon expiry of the period;
• the data collected through the application may not be processed for further purposes, except for the possibility of use in aggregate or anonymous form, for public health, prophylaxis, statistics or scientific research purposes only;
• the non-use of the application does not entail any prejudicial consequences and the respect of the principle of equal treatment is guaranteed.
  

The use of the application and the platform, as well as any processing of personal data carried out pursuant to this article, shall be interrupted on the date of termination of the state of emergency, and in any case no later than 31 December 2020, and by the same date all personal data processed must be deleted or made permanently anonymous.

• Update of risk analysis, privacy impact assessment, data register due to the teleworking situation: Smart working;
• Design of teleworking policies/ policies on the use of tools and devices: annex to workers’ contracts; flyer and procedure;
• Security measures on company’s information systems and Cybersecurity measures (secure teleconferencing, arising awareness) relating to teleworking device: specific guidelines;
• Implementation of employee performance monitoring measures and related activities: assessment of the risks, PIA, duly inform, ROPA update.
  

DPCM 26.4.2020 recommends that employers encourage smartworking except where it is necessary to go to the company's premises to perform the work.

Article 17-bis of Law Decree no 18/2020, converted in law by Law no 27/2020, states some derogations for health authorities involved in combating the virus. In particular: 

1. the disclosure of special categories of personal data between heath authorities is permitted;
2. the information ex Article 13 GDPR may be omitted or provided in a simplified form;
3. instructions to persons in charge of the processing activities may be provided in oral form.
   

At the end of the state of emergency, the health authorities will take appropriate measures to bring the processing of personal data carried out in the context of the emergency back to the ordinary competencies and rules governing the processing of personal data.