Employment consultant, the clarifications of the Italian Data Protection Authority in light of EU Regulation 2016/679

In response to the question submitted by the National Council of the Employment Consultants, the Italian Data Protection Authority (“Garante”) recently clarified the role of the employment consultant regarding the qualifications of “data controller” and “data processor” in light of EU Regulation 2016/679 (“Regulation”).

As known the Regulation, in continuity with Directive 95/46/CE, at Article 4 no. 7 defines data controller who “alone or jointly with others, determines the purposes and means of the processing of personal data” and, at no. 8 of the same Article, data processor “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

As clarified by the Garante, the employment consultant in the performance of his activity works in two different segments: on the one hand he processes data of his own employees or clients and on the other hand he processes data of the employees of the clients. In the first case, he covers the role of data controller as he acts independently determining purposes and means of processing. Otherwise, when the employment consultant carries out activities delegated by the data controller (employer who transmits data of his employees) on the basis of specific instructions, reference should be made to the data processor.

According to the case law of the Authority “processing activities carried out by third parties on behalf of the controller, who can decide to outsource the performance of tasks strictly related to the execution of duties imposed by the labour law and/or by the employment contract, must, as a rule, be framed in the scheme data controller/data processor”. The payroll activity carried out by the employment consultant on behalf of the employer can be framed in this scheme. In fact, in practice, this service involves a flow of personal data (including sensitive ones) related to employees, which the employer, as data controller, entrusts to the employment consultant. It includes personnel’s identification data, data relating to qualification and career, health data, data relating to economic progressions etc. This information, initially collected and processed by the employer on the basis of the contract with the employee and the applicable laws and regulatory provisions, is entrusted to the employment consultant who performs the services by virtue of his specific competence certified by the enrollment in the Register of employment consultants.

The Garante establishes that the entrustment of the role to the consultant takes place through the signing of a contract, executed between the parties taking into account tasks in concrete assigned, context, purposes and means of processing.

The legal basis that entitles the processing of data relating to employees and clients of the employment consultant is the “performance of the contract” in accordance with Article 6 paragraph 1 lett. B) of the Regulation. Instead, the data processing carried out by the consultant as a processor is legitimate in accordance with Article 9 paragraph 2 lett. B) of the Regulation: the legitimacy of the processing is transferred from the employer/controller to the operations carried out by the employment consultant, by virtue of the contract with which the latter is appointed data processor.

On the basis of the Regulation, specific tasks in the arrangement of appropriate measures to guarantee the security of data stored in the archives are assigned to the consultant acting as data processor. At the end of the professional relationship, the employment consultant will be required to cancel or return to the controller the data contained in the archives in accordance with what is established in the contract.

A different role from those mentioned above is the one of the subject who carries out processing operations under the authority of the controller or of the processor.  This role is now provided for in Article 2 quaterdecies of the Italian Data Protection Code as amended by Legislative Decree 10 August 2018, no. 101. More specifically, if the employment consultant engages trusted collaborators, the latter may operate under his direct authority, or they can assume the role of sub-processor if the performance of specific processing activities on behalf of the controller is transferred to them. In this last hypothesis, Article 28 of the Regulation provides that the controller may authorize the appointment of the sub processor also in general (without need of specific authorization by the controller for each individual sub processor).