{"id":57975,"date":"2017-09-12T09:00:03","date_gmt":"2017-09-12T08:00:03","guid":{"rendered":"https:\/\/blogs.dlapiper.com\/iptitaly\/?p=57975"},"modified":"2019-06-24T11:42:53","modified_gmt":"2019-06-24T09:42:53","slug":"criminal-reports-of-employees-might-become-a-privacy-bomb","status":"publish","type":"post","link":"https:\/\/blogs.dlapiper.com\/iptitaly\/2017\/09\/criminal-reports-of-employees-might-become-a-privacy-bomb\/","title":{"rendered":"Criminal reports of employees might become a privacy “bomb”"},"content":{"rendered":"

A decision of the Italian privacy authority on the illegal collection of data on criminal convictions of employees raised the issue on a practice that is quite common.\"Giulio<\/span><\/p>\n

We are running a number of privacy audit on companies that need to get compliant with the\u00a0General Data Protection Regulation\u00a0and we can verify that the practice of collecting a police clearance report (in Italian the \u201ccasellario giudiziale<\/em>\u201c) of employees is quite common, regardless of the role to be taken by such employees, just because this is a standard practice adopted with anyone hired by the company and in absence of a regulatory obligation.<\/p>\n

Also, some companies even extend the collection of data on criminal convictions to their suppliers and the provision of a police clearance report is a condition to be enrolled in the registry of suppliers.<\/p>\n

The position of the Italian privacy authority re data on criminal convictions<\/h2>\n

The practice outlined shall be more carefully evaluated after the recent\u00a0decision<\/a>\u00a0of the Italian data protection authority (the \u201cItalian DPA<\/strong>\u201c). Under the current Italian Privacy Code, it is possible to process judicial data (which include the police clearance report and any data on criminal convictions) only if this is either provided by the law or with the prior authorisation of the Italian DPA which can be granted also by means of a \u201cgeneral authorisation<\/em>\u201d that does not require an ad hoc application by each entity. The mere consent of individuals is not sufficient per se to authorise the processing of judicial data.<\/p>\n

For this purpose, a company questioned the Italian DPA on the possibility to be authorised to collect police clearance reports of its employees and to communicate their contents to a company to whose benefit the requesting entity provides cleaning and handling outsourcing services.<\/p>\n

The request was\u00a0rejected by the Italian DPA<\/strong>\u00a0since the general authorisation on the processing of judicial data issued by the Italian privacy authority authorises the collection and the processing of data on criminal records of employees when it is<\/p>\n

\u201cessential to [\u2026] fulfil or require the fulfilment of specific obligations or perform specific tasks provided by laws, EU law, regulations and collective workers agreements, and just for the purpose of managing the employment relationship<\/em>\u201c.<\/p><\/blockquote>\n

If a company is found collecting police clearance reports of its employees (or any other judicial data relating to them), it could be deemed to be in breach of privacy laws. This is unless it is able to argue that the processing of judicial data either falls under the wording of the general authorisation above or of a law provisions or obtains a specific authorisation from the Italian DPA.<\/p>\n

What changes with the EU General Data Protection Regulation?<\/h2>\n

The GDPR adopts a strict approach in relation to judicial data since it provides that<\/p>\n

\u201cProcessing of personal data relating to criminal convictions and offences or related security measures based on Article\u00a06(1) shall be carried out\u00a0only under the control of official authority or when the processing is authorised by Union or Member\u00a0State law<\/strong>\u00a0providing for appropriate safeguards for the rights and freedoms of data subjects.<\/em>\u201c<\/p><\/blockquote>\n

It is not sufficient to either obtain the consent from the individual or argue that the collection of data relating to criminal convictions is necessary for the performance of an agreement, but the processing needs to be\u00a0expressly authorised by EU or national law<\/strong>.<\/p>\n

Also, in case of processing of data on criminal convictions or offenses, the GDPR provides that:<\/p>\n