Legislative Decree No. 104/2022 – which transposed in Italy Directive 2019/1152 on the subject of information obligations with regard to the employee – introduced a new provision (Article 1-bis) that is not covered by the European Directive and requires the Italian employer to provide its employee with timely information on the automated decision-making and monitoring systems it may intend to install.
These new obligations interact in a complementary way with certain requirements of the GDPR, in particular with Article 22 on automated decision-making processes, including profiling. We will examine their implications.
We addressed the same topic in our Bulletin of September 8.
Transparency
Once the scope of application of the new Article 1-bis of Legislative Decree No. 152/1997 has been clarified, the main obligation to be fulfilled is to provide the employee with the information listed therein, to be communicated “before the commencement of the work” (Article 1-bis, paragraph 2).
The content of the information to be provided is very broad and not always easy to understand. On the one hand, some information does not appear to present particular difficulties: that relating to the aspects of the employment relationship affected by the systems, the purposes of the systems, the underlying logic, the functioning and the categories of data involved; it essentially takes up the GDPR information requirements for automated decision-making processes including profiling.
On the other hand, much more complex is the level of information to be provided about the “main parameters used to programme or train the systems”, which include “the performance evaluation mechanisms”; “the control measures adopted for automated decisions, any correction processes”; “the level of accuracy, robustness and cybersecurity of the systems” and “the metrics used to measure these parameters, as well as the potentially discriminatory impacts of the metrics themselves” (Article 1-bis, paragraph 2, Legislative Decree No. 152/1997).
Integrating the notice
Also not easy to interpret is the first sentence of paragraph 4 of Article 1-bis, according to which “[t]he employer or principal is required to supplement the privacy notice with instructions to the employee on data security and the updating of the register of processing operations concerning the activities referred to in paragraph 1, including surveillance and monitoring activities”.
With regard to the phrase “supplement the privacy notice with instructions to the employee on data security”, it must be ruled out that it can be read as supplementing the content of the GDPR’s separate obligations regarding the privacy notice (Art. 13 and 14) and the instructions to the data controller (Art. 29 and 32.4 of the GDPR). The GDPR is a primary standard with respect to national law which, therefore, cannot amend or supplement the European regulation.
The notice introduced by the Transparency Decree is a separate obligation from that prescribed by Articles 13 and 14 of the GDPR: the regulatory sources are different (Legislative Decree No 152/1997 and the GDPR), as are the obliged parties (employer and data controller), the content to be communicated, the methods of communication (the GDPR allows oral information on request), the timing, the exceptions and the sanctions in the event of violations. The second part of the quoted sentence, which concerns the register of processing operations, should instead be read as referring to Article 30 of the GDPR; it provides (without any real innovative content) that the register should also record processing operations concerning the activities affected by automated decision-making and monitoring systems, as well as “surveillance and monitoring activities”. It is difficult to understand the real scope of this provision.
Communication modalities
The information due – both information on the employment relationship (Art. 1, Legislative Decree 152/1997) and information on decision-making and monitoring systems (Art. 1-bis) – must be communicated by the employer to each worker in a clear and transparent manner, in paper or electronic format. Therefore, the following is required:
- an individual notice (excluding, for example, collective notices posted on the intranet or bulletin board; in this regard, INL Circular 4/2022 recalls as permissible examples “personal e-mail communicated by the worker, company e-mail made available by the employer of the worker, making available on the company intranet the relevant documents by handing over personal password to the worker”) and
- a written notice (oral communication is not permissible; electronic form is permissible).
The employer must be able to prove the transmission or receipt of the notice and retain such documentary evidence “for the duration of five years after the termination of the employment relationship” (Art. 3, Decree 104/2022).
Data format
The information to be provided to employees, concerning the decision-making and monitoring systems, must be communicated “in a structured, commonly used and machine-readable format” both to the employee and “to the company trade union representatives or the unitary trade union representation and, in the absence of the aforementioned representatives, to the territorial branches of the comparatively most representative trade union associations nationwide” (Art. 1-bis, paragraph 6, Legislative Decree No. 152/1997).