GDPR: The IDPA Guidelines for the Processing of the Special Categories of Personal Data

On 22 July 2019, the Italian Data Protection Authority (“IDPA”) issued the decision No. 146, which lists the guidelines concerning the processing of the special categories of personal data (already known as “sensitive data”) pursuant to Section 9 of the European Regulation No. 679/2016, as data concerning health, political opinions, revealing racial or ethnic origin or sexual orientation etc. in the employment relationship with public and private companies.

The decision lists the specific guidelines with respect to the moments of the processing of the personal data (processing in the phase preliminary to the hiring and during the employment relationship). The main principle of the IDPA’s guidelines is the real necessity of the processing. IDPA pointed out the modalities and the purposes of the processing concerning: (a) personal data of the applicant inserted in the curricula sent spontaneously with the purposes to be hired; (b) persona data of the employees, even if parties of an apprenticeship contract, training, temporary work, intermittent work, occasional work or practitioners for professional qualification, or workers in the context of a work administration contract, or in an internship relationship, or to associates also in partnership; (c) personal data of the consultants and agents; (d) the personal data of subjects who carry out collaborations organized by the client, or other consultants in a collaborative relationship, even in the form of ancillary work services; (e) personal data of individuals who hold corporate offices or other positions in companies, institutions, associations and organizations; (f) personal data of third parties damaged in the performance of their work or professional activity; (g) personal data of third parties (family members or cohabitants of the subjects referred to in the previous letters b) and d) for the issue of benefits and permits.

The decision rules also the processing of personal data by associations, foundations, churches, religious communities, as well as by private investigators and gives indications concerning the processing of genetic data also for scientific research purposes.

In light of the IDPA’s guidelines above, the public and private companies should review the compliance of their processings with the decision No. 146, mentioned above, in virtue of the accountability principle to avoid any sanctions.

SILS’ legal team is specialized in personal data protection rules and fully available with respect to issues arising from the GDPR and IDPA’s guidelines; please send your queries through the "Contact" section of this website.