Judicial data and privacy: how to behave in a corporate environment?
With the entry into force of the GDPR, the methods of acquiring and processing judicial data of employees, contractors and suppliers have changed
Often, when a new employee is taken on, companies run a criminal record check on the candidate.
While prior legislation allowed obtaining judicial data on a candidate in a wide range of cases, and in line with the anticorruption standard ISO 37001:2016, today this matter has changed significantly, with major consequences for organizations needing to process judicial data.
Processing of judicial data: the old regulations
Previous Italian legislation on processing of judicial data was composed of various sources (article 27 of the Italian data protection code, Authorization 7/2016 of the “Garante” or Italian data protection agency, applicable collective national work contracts - CCNL), which have now been largely repealed.
Essentially, it was possible to request judicial data from employees and candidates in a wide range of cases, including, for example, where this was permitted by national collective work contracts.
Judicial Data and the GDPR
Today, article 10 of the GDPR requires that data subjects’ judicial data be processed only if this occurs under the control of the public authority or if the processing is authorized under EU or member state law.
To simplify, the GDPR refers regulation of this matter to any specific rules (European or national).
In Italy, the arrival of the GDPR led to the repeal of the existing regulatory system governing the processing of judicial data (art. 27 of the Italian data protection code, Authorization 7/2016, “CCNL” collective national labor contracts).
The main consequence of this is that today in Italy, only a law or equivalent act is able to establish when and how it is possible to process the judicial data of data subjects.
In Italy, there is currently no general regulation specifically governing this matter and defining the limits within which the CCNLs can intervene. As a consequence, companies needing to process judicial data are faced with a fragmented regulatory structure which is difficult to interpret and leads to the risk of having to pay fines and compensation.
What to do, then, in the face of such a legal lacuna?