12 Mar Labor consultants: considerations by the Italian Data Protection Authority on their privacy role
On 22 January the Italian Data Protection Authority (Garante) has published some clarifications regarding the question presented by the National Council of Labor Consultants on Labor Consultant’s role in the General Data Protection Regulation’s framework, with a focus on the qualifications of their privacy role, whether they act as data controller or data processor.
The Authority opts for a solution that distinguishes the role of the labor consultant depending on whether the personal data processed is related to:
a) Labor consultant’s employees or customers (natural persons);
b) Labor consultant’s customer’s employees.
In the first case, the labor consultant acts as data controller determining the customer’s personal data processing autonomously and independently. The abovementioned case argument is based on the fact that the labor consultant does not limit his/her activity to the execution of the agreement with his/her customer but exercises a completely independent decision-making power regarding the purposes and means of the processing of his/her employees’ or customers’ personal data. The data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4.7 of the Regulation).
In the second case, the labor consultant shall be qualified as data processor, which is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4.8 of the Regulation).
Therefore, the instructions included in the contract concluded between the data controller and the data processor shall respect the organizational independency that the labor consultant has to maintain in carrying out his professional activities and shall always take into account the ethical rules and the legal obligations which regulates such activities.
In this framework, the labor consultant, assuming the role of data processor, will have to adopt appropriate technical and organizational measures, taking into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” (art. 32.1 of the Regulation).
In conclusion, it is worth highlighting how the Authority has expressly excluded the configurability of a relationship between the customer and the labor consultant.
Having clarified this aspect, the Authority concluded its answer to the question posed by clarifying how to properly manage the IT archive held by the labor consultant. In fact, at the end of the professional relationship, the data collected and stored in the archives must be deleted or anonymized, and / or delivered to the data controller, in line with what has been identified in the contract.