The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Code of Conduct for Employment Agencies

In the February 29, 2024 bulletin, news was given of the completion of the Code of Conduct for Employment Agenciesby dwelling on the legal bases identified for typical processing of personnel data, as these can provide useful guidance to any employer attempting to compile its own processing register, as a controller, even beyond the context of the aforementioned code.

The Code of Conduct for the Employment Agencies sector was developed by Assolavoro to contribute to the proper application of data protection regulations in the Employment Agencies sector, in accordance with Article 40.2 of the GDPR. The draft Code was initially submitted for public consultation for 30 days, and comments received were considered for amendments.

Subsequently, by Decision No. 12 of January 11, 2024 (web doc. No. 9983415), the Garante approved the Code, the publication of which took place in the Official Gazette No. 55 of March 6, 2024; consequently, as the simultaneous accreditation of the Monitoring Body took place, it entered into force on March 7, 2024, as specified in Article 17 of the same Code of Conduct.

Subjective roles of Employment Agencies and Client

The code of conduct for Employment Agencies specifies the subjective privacy roles that intervene between the same Employment Agencies and their respective Clients, i.e., companies or entities that turn to Employment Agencies to obtain certain services (Art. 4, code of conduct). This guidance is generally applicable and provides useful pointers for the correct subjective framing in the privacy relations between these parties, independently of the actual adherence of the Employment Agency to the recalled code.

In the context of Employment Agencies’activities with Clients, excluding outsourced services, the APL generally assumes the role of Data Controller. This means that in the performance of activities such as labor administration, personnel search and selection, brokerage, and outplacement support, the Employment Agency is accountable in its own right for the relevant processing of personal data. In all these cases, the relationship between the Employment Agency and the Client takes the form of an Controller-Controller relationship, as both parties independently determine the purposes and methods of personal data processing. Consequently, the flow of data between the Employment Agency and the Client represents a “communication,” i.e., a distinct processing operation subject to a specific legal basis, as will be seen below.

Conversely, in the case of an outsourcing assignment, where the Agency processes personal data on behalf of the Client, the Agency would, as a general rule, have to be designated as a Data Processor under Article 28 of the GDPR; the relevant data flow between the Agency and the Client, therefore, will still take place within the scope of the processing operations under the Client controller.