The Data Controller and Data Processor under GDPR: the Role of Labor Consultants
On January 22, 2019, the Italian Data Protection Authority (Garante per la protezione dei dati personali – “Garante”) answered the question raised by the National Council of Labor Consultants (“Council”) on the role of labor consultants regarding their clients’ employees’ personal data pursuant to GDPR (Regulation EU 679/2016).
In particular, the Council’s thesis was that labor consultants should be qualified as autonomous data controllers or, in some cases, as joint controllers in relation to the processing operations carried out on behalf of the employer. In fact, according to the Council, labor consultants are fully autonomous when it comes to determining the methods and means of processing, as well as in choosing their collaborators.
The Garante, however, made a distinction between the case where labor consultants process their own employees’ data and the case where they process their clients’ employees’ data. According to the Garante, only in the first case would the consultants operate as controllers, since only in this case would the labor consultants (as employers) determine the purposes and means of processing the personal data.
However, consultants should qualify as processors where they process their clients’ employees’ personal data. This activity is carried out pursuant to a contract entered into with the consultants’ clients (the employers), by which the employers outsource specific activities to outside professionals. Such outsourced activities relate to compliance with obligations stemming from either the statutory labor framework or the collective/individual employment agreements. In this context, only the employer should be regarded as the controller for the processing of employees’ personal data that is carried out to comply with the obligations imposed solely on the employer. As a matter of fact, the employer is responsible for providing the labor consultant with the criteria to award promotions and/or bonuses relating to productivity or attendance at work and to reduce the salary to be paid as a result of disciplinary measures, among other things. Moreover, under Italian labor law, the employer is responsible for compliance with the abovementioned obligations regarding labor, social security and social assistance.
In light of the above, both the purposes and methods of processing employees’ personal data are determined solely by the employers, whereas the labor consultants only act on behalf of their clients, and thus as data processors. Consequently, when employers engage a labor consultant, they should choose only qualified professionals that provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing will be carried out in compliance with the GDPR, enter into a contract governing the related processing of personal data in accordance with Article 28 of GDPR, and provide the labor consultant with specific instructions as to the processing to be carried out on their behalf.
Finally, the Garante considers the possibility that consultants make use of trusted co-workers, acting without significant autonomy, to execute the agreement with the employer. These parties shall act as individuals under the authority of the labor consultant as provided for by Section 29 of GDPR and Section 2 quaterdecies of the Italian Data Protection Code (Italian Legislative Decree no. 196/2003 as recently amended by Italian Legislative Decree no. 101/2018).
With this decision, the Garante confirmed its previous case law according to which the controller may decide to outsource to third parties the performance of duties strictly connected with the execution of the obligations imposed by laws/regulations and, in such cases, those third parties should in principle qualify as processors. For instance, in the past, the Garante qualified the following entities as data processors: holding companies performing duties concerning labor issues on behalf of the subsidiaries, geolocation service providers, electronic mail providers, and telemonitoring service providers.
The decision shows that, in many instances, it may be difficult for data controllers to correctly qualify their contractual counterparties from a data protection perspective. As a solution, it may be useful for data controllers to adopt internal policies providing guidance as to the qualification of external contractors. In this respect, useful guidance may be found in the opinions issued by the former Article 29 Data Protection Working Party (now replaced by the European Data Protection Board) as well as in previous decisions issued by the Garante.
The decision of the Garante is available via the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9080970