Facial recognition for time and attendance: lawfulness and GDPR compliance

The Italian Data Protection Authority’s newsletter number 520 of March 28, 2024 reports the issuance of five decisions by the authority against as many companies involving the implementation and operation of a facial recognition system to detect workplace attendance by employees at waste disposal sites. Following the establishment of a number of violations with […]

Accountability in the GDPR

The application perimeter of the accountability principle is not that of merely demonstrating what, if anything, the data controller claims in terms of GDPR compliance; in fact, accountability consists of a twofold obligation: Comply with the general principles (“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (of Article […]

Code of Conduct for Employment Agencies

In the February 29, 2024 bulletin, news was given of the completion of the Code of Conduct for Employment Agencies by dwelling on the legal bases identified for typical processing of personnel data, as these can provide useful guidance to any employer attempting to compile its own processing register, as a controller, even beyond the context […]

CJEU on processing and personal data

Three CJEU pronouncements have clarified some important aspects of the general concepts of “processing” and “personal data.” Some of the Court’s considerations are of general relevance; others must be contextualized to the case before the Luxembourg judges. The rulings were all delivered on March 7, 2024; two are in response to references for preliminary rulings, […]

EDPB opinion on the main establishment

The topic of Opinion 04/2024, issued by the European Data Protection Board (EDPB) on February 13, 2024, is the notion of a data controller’s main establishment in the Union under Article 4(16)(a) of the GDPR. It was the French supervisory authority (CNIL) that requested the opinion from the EDPB; in fact, Article 64(2) of the […]

ENEL Energia and procedural time limits

In a press release dated Feb. 29, 2024, the Italian Data Protection Authority announced the issuance of its own sanction measure of more than 79 million euros against Enel Energia for telemarketing processing violations (web doc no. 9988710). The value of the fine is the highest ever applied so far by the Italian authority. Precedent […]

Legal bases for personnel data processing

In its February 14, 2024 newsletter, the Italian Data Protection Authority informs of the approval of the code of conduct for employment agencies. As specified in the press release, “the code defines good practices for the correct processing of data carried out in the context of personnel intermediation, search and selection activities”. For the first […]

Guidance document on metadata of employees’ emails

* The Authority in a subsequent decision suspended the legal effects of the guidance document and initiated a public consultation to be concluded within 30 days. There has been an uproar over the Italian Data Protection Authority’s guidance document disclosed in the Feb. 6, 2024, newsletter regarding the collection and storage of metadata from corporate […]

Coordinated Enforcement Action

In January 2024, the EDPB published the report on the designation and position of DPOs as a result of the Coordinated Enforcement Action (“CEA”) conducted in 2023, as part of the Coordinated Enforcement Framework (“CEF”) convened in 2022. Previously, the same committee conducted the first CEF on the use of cloud services by public administration […]

Interactions between the Data Act and personal data protection

As is well known, the purpose of the Data Act – specified in Recital (4) thereof – is “to lay down a harmonised framework specifying who is entitled to use product data or related service data, under which conditions and on what basis.” Recital (5) below indicates how the European legislator intended to achieve […]