Breaking news




Anti-Covid vaccinations in the context of workplace

Guidelines issued by the Italian Data Protection supervisory authority clarify whether an employer may process its employees’ personal data relating to anti-Covid vaccination. The employer cannot ask employees to provide information about their vaccination status or a copy of documents demonstrating anti-Covid vaccination. Employees’ consent cannot be accepted as a lawful legal basis for the processing, since the relationship between the controller and the data subject is not balanced; this processing activity is not necessary to carry out obligations arising from the employment contract. Therefore, the employer cannot ask the employee to confirm that he or she has been vaccinated. Only the appointed doctor can process employees’ health data and, where applicable, data relating to vaccination, and the doctor cannot provide the employer with the list of employees who have been vaccinated. In compliance with the provisions on health surveillance and on personal data protection, the appointed doctor has to notify the employer of those specific cases where an employee’s particular condition of fragility, including as related to that employee’s health, makes it advisable to assign him or her to tasks in areas less exposed to the risk of infection. The appointed doctor can process data relating to vaccination in order to take them into account when assessing suitability for a specific job. The employer may process data relating to the assessment of suitability for the specific task and any requirements or restrictions the appointed doctor may lay down in terms of working conditions, but it cannot require the employee to be vaccinated in order to access the workplace. It is up to the appointed doctor to assess the need for vaccination according to the tasks of each employee (e.g. employees working in healthcare facilities).


New guidelines on the use of cookies and other tracking tools

In compliance with the GDPR, the information provided to users should include the recipients of personal data and the storage period of the information, and may be provided even through several tools and modalities (e.g. pop-ups, videos, voice messages). As regards technical cookies and other technical identifiers, the controller is only required to provide specific information, where appropriate as part of the general information notice (e.g. the privacy policy), since this category does not require the user’s consent. Consent is not required only if they are used for statistical purposes and not for any other non-technical use. Conversely, cookies and other tracking tools serving purposes other than technical ones may only be used after obtaining informed consent from the contracting party or user.

Where profiling (non-technical) cookies are installed, the cookie banner normally contains, according to well-established practice, an ‘X’ at the top right end of the banner area, which lets the user close the banner without having to access other ad-hoc areas or pages. Closing the banner in this way cannot be regarded as express consent to profiling cookies. Default settings shall be maintained: the user can browse the website, but no profiling or other tracking tools should be used to monitor the user’s actions.

Some clarifications are due regarding the use of so-called scrolling for the purpose of obtaining consent to the storage and use of cookies and other tracking tools, as well as regarding the use of so-called cookie walls. Mere scrolling is never capable, in itself, of fully signalling the data subject’s intention to accept the reception of cookies other than technical ones on the user’s terminal, and therefore does not amount to consent under any circumstances. In other words, scrolling down the page is in itself unsuitable for the controller to obtain genuine consent to the storage and use of profiling cookies or other tracking tools.

Further clarification appears to be required with regard to the so-called cookie wall, meaning a “take it or leave it” mechanism in which the user is obliged to give consent to the reception of cookies or other tracking tools, since failing to do so will prevent the user from accessing the site. A cookie wall may not be deemed to be in line with the legislation in force.

The over-repetitive presentation of the banner to obtain consent that a user had previously withheld is liable to impact that user’s freedom, by leading the user to consent to the processing simply in order to continue browsing without being plagued by the appearance of a banner containing a short information notice and the request to give consent. In such a situation, i.e. where a user sticks to the default configuration and does not consent to the use of cookies or other tracking tools, as well as where a user has only consented to the installation of certain cookies or tracking tools, that choice will have to be duly recorded and the user’s consent will not be solicited any longer, unless one or more of the circumstances of the processing change significantly, or it is impossible for the website operator to be aware that a cookie has already been stored on the device in order to be re-transmitted to the site that generated it on the occasion of a subsequent visit by that user, or at least six months have elapsed since the banner was last presented.

The banner shall contain, in addition to the ‘X’ at its top right end, at least the following information and options:

(i) a warning to the effect that if the banner is closed by clicking on the ‘X’ at its top right end, the default settings are left unchanged and therefore browsing can continue without cookies or other tracking tools other than technical ones;

(ii) a minimal information notice to the effect that the website uses, if any, technical cookies or other technical tools and may, only after obtaining the user’s consent according to the mechanism to be specified in this short information notice, also use profiling cookies or other tracking tools in order to send advertisements and/or customise its services beyond what is strictly necessary for the provision of those services, that is to say, in line with the preferences expressed by the user in the context of the use of functionalities and web browsing and/or for the purpose of analysing and monitoring the behaviour of website visitors;

(iii) a link to the privacy policy, or to a second-layer extended information notice – which should be one-click away through a link to be placed in the footer of any page of the domain accessed by the user – where at least all the information referred to in arts. 12 and 13, GDPR is provided clearly and thoroughly including with regard to the technical cookies or tools;

(iv) a button through which consent can be given by accepting the storage of all cookies or the use of other tracking tools;

(v) a link to an additional dedicated area where the user can select, individually, the functionalities, the so-called third parties – whose list must be kept up-to-date whether they can be reached through ad-hoc links or via links to the websites of intermediaries representing them – and the cookies – possibly grouped into homogeneous categories – to which the user chooses to consent. If cookies are grouped into homogeneous categories and the list of the third parties changes as reflected by the links placed in this area, i.e., if additional third parties are included in the said list, it shall be for the first party (i.e., the website operator) to accurately select them and carry out the necessary supervision to ensure that the inclusion of these new entities and the resulting processing operations continue to be in line with the grouping by homogeneous categories.

Where only technical cookies or similar tools are implemented, their presence may be referred to on the home page or else in the general information notice without the need to display ad-hoc banners that users will then have to remove/deactivate. Users will obviously be enabled to modify their choices, i.e., to give their consent after they had withheld it and to withdraw their consent – at any time, simply, easily, and in a user-friendly fashion by way of an ad-hoc area that will be accessible through a link in the website footer; that link will have to flag the underlying purpose by way of wording such as “Change your mind on cookies” or something of that kind.


To learn more, contact me.


Tiziana Minella - Via Vittoria Colonna, 32 - 10155 Torino (TO - Italy) - VAT IT03152590018 - mob. +39 366.4761338 - + 39 338.6626635