Work: “clocking in” with an app is fine, but only with adequate safeguards

Two companies belonging to a group engaged in the recruitment, selection and supply of fixed-term labour will be able to ask their employees (those placed with other firms or who systematically work “off-site”) to install an app on their own smartphones in order to record the start and end of their working activity.

Those who do not wish to download the app may continue to enter and leave the workplace using the traditional systems in use.

This was decided by the Italian data protection authority (Garante privacy) which, applying the rules on the so-called “balancing of interests”, granted a request for prior checking submitted by the two companies and laid down a series of measures to protect workers.

By adopting the app, which involves the use of geolocation data, the companies intend to streamline the procedures for the administrative management of staff who are placed from time to time with other firms, or to simplify and make more efficient the recording of attendance of employees who work mostly outside the company premises.

The Garante nevertheless required the companies to refine the system from a “privacy by design” perspective, applying the principle of necessity and also taking into account possible errors in the accuracy of location systems.

In particular, once the association between the geographic coordinates of the workplace and the worker's position has been verified, the system

  • may retain, where appropriate, only the data item relating to the workplace (in addition to the date and time of the virtual “clock-in”),
  • deleting the data item relating to the worker's position.
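
An added example (not taken from the Garante's decision or from the companies' app) of the match-then-discard step described above: the position fix is compared with the workplace geofence, allowing for the reported accuracy, and only the site identifier, the timestamp and the event kind are retained. The site table, geofence radius, accuracy threshold, tolerance rule and all names are assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: site id, coordinates and radius are illustrative.
SITES = {"site-042": (45.4642, 9.1900, 150.0)}  # lat, lon, geofence radius (m)
MAX_ACCURACY_M = 100.0  # assumed policy: fixes coarser than this cannot be verified


@dataclass(frozen=True)
class ClockEvent:
    """The only data retained: workplace, date/time, event kind. No coordinates."""
    site_id: str
    timestamp: datetime
    kind: str  # "in" or "out"


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def clock(site_id, kind, lat, lon, accuracy_m, now=None):
    """Verify the fix against the site geofence, then keep only the site datum.

    Returns a ClockEvent on a match, otherwise None. The worker's coordinates
    live only in this call's local variables: they are not stored, logged or
    returned, so nothing downstream can retain them.
    """
    site = SITES.get(site_id)
    if site is None or kind not in ("in", "out"):
        return None
    if accuracy_m > MAX_ACCURACY_M:
        return None  # location error too large to establish the association
    site_lat, site_lon, radius_m = site
    distance = haversine_m(lat, lon, site_lat, site_lon)
    # Assumed tolerance rule: accept when the fix could plausibly lie inside
    # the geofence given the accuracy reported by the device.
    if distance > radius_m + accuracy_m:
        return None
    return ClockEvent(site_id, now or datetime.now(timezone.utc), kind)
```
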

In addition, an icon indicating that the location function is active must always be clearly visible on the phone's screen.

The application must also be configured so as to prevent the processing, even accidental, of other data held on the worker's own device (for example, data relating to telephone traffic, SMS, e-mail, Internet browsing or other information on the device).

Before the new attendance-recording system goes live, the companies must notify the Garante, indicating the types of processing and the operations they intend to carry out, and provide employees with an information notice covering all the elements (type of data, purposes and methods of processing, retention periods, the optional nature of providing the data, and the persons who may become aware of the data as data processors or persons in charge of the processing).

Finally, the companies must adopt all the security measures required by law to preserve the integrity of the data and prevent access by unauthorised persons.

Accountability needs technology!

From the very beginning, data protection has been about the processing of personal data by means of technology. When the first data protection laws were adopted in the 1970s, computers were just starting to become standard tools in business and public administration. The Internet had just been invented and was only accessible to a few researchers and computer specialists. But still, the founders of data protection saw the big possibilities and the dangers of uncontrolled collection, analysis and evaluation of personal data with the help of the still emerging technologies and they managed to convince legislators to enact a set of controls and safeguards to protect fundamental rights.
Over the last 40 years, the technological tools for data processing have grown in capabilities and availability, and the amounts of data processed have increased by astronomical orders of magnitude. Data protection authorities have long realized that technology can not only be the tool for processing but that it must also contribute to implementing the safeguards and the principles of data protection. The EDPS strategy 2015-2019 demands that “Data protection goes digital”.

With the recent adoption of the new General Data Protection Regulation of the EU, a new chapter has been opened for data protection. One of the most important developments is that now the principle of accountability becomes a key concept in data protection.

Accountability means that those processing personal data:

  • have to take full responsibility for their actions and
  • must be able to demonstrate that they did all that is necessary in order to comply with their data protection obligations.

At the same time, the GDPR also introduces the principle of data protection by design and by default. This principle obliges the controller to take technical and organisational measures in order to implement data protection principles, such as data minimisation and purpose limitation, and the necessary safeguards. Choosing and using technology in this way will become a means to enable accountability and to demonstrate compliance and commitment to protecting fundamental rights.

How can we ensure that appropriate technologies will be available?

The GDPR establishes the “state of the art” as one of the criteria for the appropriate technological measures. This means that the most privacy-friendly solutions available contribute to setting the threshold for what can be accepted as an appropriate solution.

If a good solution for a common data protection issue has been found and implemented in practice, there is no good excuse anymore for applying a less data protection compliant solution. This evolution of the state of the art can drive a dynamic process of continuous improvement of privacy-friendly technologies: the more and better data protection by design is implemented, the more it will become the baseline for all controllers to achieve in their implementations.

There are many technology developers who want to contribute to raising this bar.

Research in PETs (privacy enhancing technologies) has been a subject of growing interest in academia and industry for several years now, and a number of publications and conferences have been established and attract a growing number of contributors.

This week, the Annual Privacy Forum organised by ENISA has been a showcase for the state of the art in privacy enhancing technologies, and also an opportunity for discussing the factors that can accelerate or impede their further deployment and adoption in real-life data processing. The developers presented tools to give more control to users about their data being processed, better information and transparency about the processing, improving the security of personal data and models to make PETs more accessible to developers. I participated in a panel on this project. One of the questions discussed was who could be the best keeper of a repository of information about the maturity of PETs. There are many legal questions to be solved; possibly the future EDPB may be best placed to look at this issue.

The following day is reserved for a workshop of the Internet Privacy Engineering Network (IPEN), which the EDPS and colleagues from other data protection authorities, industry, academia and civil society created two years ago. IPEN was a welcome response to the need felt by many developers and designers of Internet technologies and services to find a response to the widespread surveillance revealed by Edward Snowden in 2013. Some of those who are designing the technologies of the Internet, in the IETF and other organisations, also decided to join the exchange about more privacy-friendly tools, building blocks and protocols.

With the GDPR, the environment has changed considerably.

When Data Protection Authorities assess data processing operations in the future, they will look at the implementation of the solution, including all technical and organisational measures, in addition to legal and administrative tools, and transparency of personal data processing.

At the IPEN workshop, the discussion between stakeholders will focus on the question of how the new GDPR obligations, which apply directly only to controllers, can contribute to improving the state of the art in privacy engineering in such a way that manufacturers and suppliers of tools, products and services will also upgrade the privacy features of their offerings step by step.

This is clearly an ambitious objective, but one that needs to be pursued in order to deliver better data protection and privacy to EU citizens, and that can have a global impact if we are successful.