news and insights


14 NOV 2019    EMPLOYER’S DUTY OF VERIFICATION

Within the 16th of the following month, the Employer  must check and verify the consistency between the overall amount received (by contractors/subcontractors) and the withholdings operated by the same. To the above aim,  the latter shall send, via Certified Electronic Mail, to the Employer  (and tsub-contractors also  to contractors):

-          a list of the workers’s names  engaged in the performance of works/services during the previous month (with relevant fiscal code), together with the details of the working hours, the wages paid and the details of the withholding made during the previous months;

-           all data necessary to fill in the delegation of payment necessary to pay the taxes due;

-          data of the bank wire transfer made.

Direct payment by Contractors

Alternatively, the Fiscal Decree provides for the possibility for the contractors to pay directly the withholding taxes when some requisites, provided for by the Decree itself, occur (such as to have been in the business for  at least five years, not to have been subject to executive assessment for taxes and social security contributions higher than €  50.000, etc).

24 OCT 2019    IRREGULAR EMPLOYMENT CONTRACT AND EMPLOYER’S DIRECTIVES

In a recent decision the Tribunal of Padua (decision no. 550/2019 dated 16th July 2019)   ruled on the regularity and authenticity of a contract where instructions to employee are given by an  Employer’s software.

The case concerned some employees of a cooperative company who performed the task of “picker”,  i.e. they were dedicated to moving and handling goods.

According to these employees, work instructions were received directly by the Employer, both, at the beginning, through a mobile device provided to the employees and, later, through  microphone and earphones. This combined system allowed the Employer to a have a real time knowledge of the working activity performed by each worker and the  duration thereof. The defendants sought the judicial assessment of an employment contract directly with the Employer and the consequent payment of the wage differences and, in the alternative, of the joint liability of the cooperative company with the Employer, in accordance with article 29 of Italian Legislative Decree no. 276/2003.

The Tribunal of Padua had to state who was the real employer,  i.e. who “presided over the work organisation in the warehouse and who, therefore, directed the employees assigned thereto”.

According to the Tribunal of Padua, the concept of “subordination” must take into account the technological evolution which, for many sector, has made obsolete the relationship between  “hierarchical superior”, and  “subordinate”, mostly where  the machines lead the productive process.

Software and voice recognition systems of each cooperative’s employee, made available by the Employer, enabled the latter to control and direct the working operations and to process third parties personal data without having given  evidence of appropriate prior authorizations in this respect.

The above circumstances have been deemed by the Tribunal of Padua useful elements to demonstrate that the Employer had exercised its powers as employer. In fact, the overall management of the company’s activity and the work’s direction of each employee can be considered as elements of an IT relationship with the apparent “Employer”.

As a consequence thereof, the Tribunal, upholding the claim, has ascertained that the cooperative company had to be regarded as a mere “interposed” in the employment relations with the Employer; therefore, the  defendants have been considered employees of the Employer, with consequent applicability of the national collective agreement (C.C.N.L) applied by the Employer.

21 OCT 2019    NATIONAL CYBER SECURITY PERIMETER

On 21st  September 2019 Legislative Decree no. 105  “Urgent measures regarding the National Cyber Security Perimeter” has been published in the Italian Official Journal .
The mentioned Legislative Decree, in order to ensure a high security level of the Public Administration and National Entities information systems and networks, whether public or private and which provide an essential service for the fundamental activities of the State, sets forth the setting up  of a National Cyber Security Perimeter.
Within 4 months from the conversion into law of Legislative Decree no. 105, a Decree of the Prime Minister will list all private and public entities  subject to the new legislation and obliged to comply therewith.
 Within the following 10 months, another  Prime Minister’ Decree will:

-          define the notification procedure  to the new CSIRT- Cyber Security incident response team of data breach incidents which may have an impact on the information systems; the CSRIT shall forward these notifications  to the Italian Minister of Internal Affairs and to the Department of security information;

-          establishes the measures to ensure security levels for the information network  (amongst which the security policies, the mitigation and management of incidents and their prevention, networks integrity, etc.).

Furthermore, Legislative Decree no. 105/2019 expressly mentions 5G technology and the necessity to prevent informatics attacks, thus granting the integrity of broadband communication systems destined to an always wider diffusion.
The rules under reference represent for Italy an adaptation of cyber security to international standards, leaving to second level regulations further detailed rules.

18 OCT 2019    CASE LAW - RECENT DECISIONS

E.U. COURT OF JUSTICE – judgement of 26th September 2019 – Fifth Chamber (proceeding C‑63/18)
Limite subappalto al 30% – incompatibilità con diritto comunitario

The EU Court of Justice has analysed the conformity to European law of Italian law on public procurements with reference to the quantitative limit of 30% for subcontracts.
Italian Government has justified the above limit s in the light of the principle of social sustainability and the value of public policy and public security.
However, the Court of Justice has observed  that a restriction such as that at issue cannot be regarded as compatible with EU Law, it being a general and abstract prohibition, applicable whatever the economic sector concerned the nature of the work or the identity of the subcontractors. Furthermore, such a general prohibition does not allow for an assessment on a case by case basis by the contracting entity.
Moreover, as already noted by the EU Commission, the objective pursued by the Italian legislature could be achieved by less restrictive measures, as in the case of those provided for by  71 of EU Directive 2014/24 and referred to in the judgement. In fact, as the referring court has stated, Italian law already provides for numerous measures explicitly intended to prohibit undertakings suspected of belonging to the mafia, or in any event of being linked to the interests of the main criminal organisations operating in the country.
Therefore, a restriction on the use of subcontracting such as that at issue cannot be regarded as compatible with EU Directive 2014/24.

 
 

Consiglio d Stato, Fifth Chamber, 27th September 2019, no. 6490.
Lack of declaration of a previous exclusion for fiscal irregularities – Need for the information to result in the data base of the Italian Anti-Corruption Authority (ANAC).


A previous exclusion from a public tender based on fiscal irregularities cannot  constitute ground for exclusion, as a serious professional illicit behavior, and, as such, a circumstance to be disclosed, because  it would result in an undefined extended validity of  the breach of the tax obligations, since article 810, par. 4, of Italian Legislative 50 / 2016  allows exclusions from the tender only until the participant does not regularise its position.
Furthermore, a reason for exclusion under article 80, par. 5, of the above mentioned Legislative Decree can occur if the information not disclosed result from the data base of the Italian Anti-Corruption Authority (ANAC) since with respect to any such information an obligation of disclosure exists in order to participate to the tender; possible exclusions from previous tenders, even if ascertained by the administrative court, become relevant only if and to the extent that they result from the above mentioned data base.

 

TAR Lazio, Roma, Chamber III, decision 3rd October 2019, no. 11522
Juridical nature of  Trenitalia – Notion of “net management” for the supply of a service to the public in the field of transport (railway)


The juridical nature of Trenitalia is linked to that of its holding, Ferrovie dello Stato italiane s.p.a., legal concessionaire of rail service appointed to perform  an essential public service (transport).
High speed transport, even if liberalised, is included in the concept of “rail net” under article 118 of Italian legislative Decree  no. 50/2016, which implies the tasks  which Italian Legislative Decree. 112/15 grants to the infrastructure manager (such as Rete Ferroviaria Italiana RFI) in relation with the identification (by way of example) of the rail links, timetable, frequency and transport capacity
Also railway companies are subject to article 118 of Italian Legislative Decree no. 50/2016 – and, whether contracting entities, are subject to the rules governing public tenders for the award of instrumental activities; railway companies are included in the entities entrusted with the “management of the rail net” (which includes any activity performed by a  railway company and consisting of  supplying transport service to the public, utilizing a railway net (see EU Court of Justice, decision 2019, C – 388/17 – Konkurrensverket vs SJ AB).

 

Consiglio di Stato, Fifth Chamber, 20th September 2019, no. 6251
The deadline to appeal starts only from full knowledge of the award


For tenders, the award communication by the contracting entity is the exclusive deadline for the term to appeal and it cannot be surrogated by other forms  of legal publicity, including the publication on EU Official Journal. The above principle was pronounced by the Consiglio di Stato in a proceeding started by a company excluded from a tender for school transport, awarded to the competing company following further control of the requisites, made necessary by some anomalies.  The plaintiff hadn’t received any communication and, only following an access to documents, it could become aware of the outcome of the procedure, appealing it in delay, according to the court of first instance. To the contrary, according to the Consiglio di Stato, it is not possible to infer the so called full knowledge of the award “from a circumstantial element” since the deadline to appeal starts from the moment in which the participant to the tender has acquired full knowledge of the name of the awarded party and of the finality of the award.

 

E.U. COURT OF JUSTICE, Fifth Chamber, 18th September 2019 (proceeding C-526/17)
Illegitimacy of concession extension for public work


According to the European Court of Justice, since Italy, by an agreement of 2009, has extended from 31st October 2028 to 31st December 2046 the concession of public work of a motorway without  publishing any call for tender, it is uncompliant with the obligations set forth by article 2 of EU Directive 2004/18/CEE, which imposes respect of equality, non-discrimination and transparency  principles, in public tenders and article 58 which provides that “public administrations which intend to proceed with the concession of public works give knowledge of this decision through a call for tender”.
Therefore, the above extension, according to the Court of Justice constitutes “a substantial amendment of the concession conditions”.

24 SEP 2019    DATA BREACH – ITALIAN DATA PROTECTION AUTHORITY DECISION – PRIVACY SWEEP 2019

With Decision no. 157 of 30th July 2019, the Italian Data Protection Authority  has indicated  some technical rules concerning notification of a data breach to the Authority,  as per article 33 of GDPR Regulation EU 2016/679:

In particular, the Italian Data Protection Authority has issued a form, uploaded on the Authority ‘s website, which should simplify the Controller when notifying to the Authority itself of a data breach; such notification should be as prompt as possible and, in any case, it should be made within 72 hours from the breach episode, i.e. breach of security which implies  - by accident or unlawfully - destruction, loss, modification, unauthorized diffusion or access to personal data transmitted, kept or processed in general.

The Controller, therefore, has a form available drafted by the Authority itself which should facilitate the information transmission as provided for by EU Regulation 2016/679.  The form can be sent using the IT system  as indicated  on the Authority’s website.

Moreover, the Decision has clarified that all the terms, deadlines, content and means of communication of personal data’s violations as provided for by previous decisions (such as

those concerning biometrics data, bank data, health Dossier) are to be intended as superseded by this Decision, in accordance to EU Regulation 2016/679.

The Decision no. 157/2019 follows other relevant documents concerning data breach, amongst which are  the “Guidelines on data breach according to Regulation 2916/679” of Working Party art. 29 dated 2017, as amended and updated  by EDPB (European Data Protection Board) with decision dated 25th May 2018; and  Opinion 5/2019 on the interplay between  the ePrivacy Directive and the GDPR, issued by the EDPB on 12nd March 2019
 
Please note that on 23rd September 2019 the Italian Data Protection Authority has launched the  "Privacy Sweep 2019", an international investigation concerning data breach management by public and private subjects. Seventeen Data Protection Authority are involved in  this  Sweep. The Italian Data Protection Authority will  focus on the e-commerce sector, through the analysis of a significant sector of Italian companies.

27 JUN 2019    NEW  EU REGULATION ON CYBERSECURITY

On 27th June 2019 the new EU Regulation 2019/881 of European Parliament and Council of 17th April 2019 (published in EU Official Journal of 7th June 2019) has come into force. The new Regulation concerns ENISA (European Union Agency for Network and Information Security)  and cybersecurity certification for information and communications technologies (ICT) and it repealed EU Regulation no. 526/2013 («regulation on cybersecurity»).

The Regulation has the double purpose of, on the one side, reinforcing the role of ENISA and, on the other, achieving a high common level of cybersecurity across the EU for the cybersecurity of ITC products and of digital services.

The Regulation has been adopted in the framework of GDPR (EU Regulation 2016/679) as well as of EU Directive 2016/1148, containing rules on security of network and information systems, enacted in Italy by Legislative Decree no. 65 of 18th May 2018.

Goal of the Regulation is creating a common discipline which can grant a high level of security for IT devices and a safe use of ITC services

ENISA’s role will be achieving a high common level of cybersecurity within the European Union, actively sustaining the member States, EU institutions, organs and organisms.

Furthermore, ENISA’s goal shall be promoting the use of cybersecurity certification at a European level, in order to avoid fragmentation of the internal market.

The above is a very preliminary information, which will be followed by a deeper insight on the EU Regulation 2019/881.

21 JUN 2019    CONVERSION INTO LAW OF IITALIAN LEGISLATIVE DECREE 32/2019

On 17th June 2019 Law 14th June 2019 no. 55 – which converted Legislative Decree 18th April 2019 no. 32 (“urgent measures for the relaunch of public procurements, acceleration of infrastructural and urban regeneration interventions and reconstructions following earthquakes») has been published in Italian Official Journal.
 
Hereinbelow please find a brief summary of the main amendments introduced by the above law to the Code of Public Procurements ((Italian legislative Decree 50/2016 and subsequent amendments).
 

·         Implementing regulation: within 180 days from the coming into force of the Decree a regulation for the execution, implementation and integration of the Code must be adopted. The Guidelines and decrees adopted pursuant to the previous provisions shall remain in force and effective until the coming into force of the regulation.

·         Limit of 40% for the subcontract: until 31st December 2020 the maximum limit of the amount which can be object of a subcontract will be equal to 40% of the overall amount  of the contract. However, the contracting authority shall indicate, in the tender documents, for each tender, the percentage of work/services which can be subcontracted; furthermore, it  will not be mandatory to indicate the set of three subcontractors.

·         Negotiated procedures up to 1 million euros:
1)      In tenders ranging between 40 thousand euros and 150 thousand euros for work or up to the EU thresholds  (221 thousand euros) for services and supplies there will be a direct procurement following consultation, whether existing, of at least 3 economic operators for work and at least 5 economic operators for services and supplies;
2)      in tenders for amounts between 150 thousand euros and 350 thousand euros there will  be a negotiated procedure following consultation, whether existing, of at least 10 economic operators;
3)      for procurements of amounts between 350 thousand euros and 1 million euros, the negotiated procedure will be utlised, following consultation, whether existing, of at least 15 economic operator;
4)      for amounts above 1 million euros for work, or the EU thresholds for services and supplies, it will be necessary to recur to ordinary procedures.

There is also a discipline for procurements “under the threshold", market surveys and training and management of the economic operators lists, establishing the criteria of the “lower price” as alternative for the most advantageous economic offer for the award of contracts below the threshold.

·         Procurements to third parties by the concessionaires: the term within which the concessionaires must comply with the percentage of assignment to third parties by public tender ((80% - or 60% for motorway concessionaires-  of the work, services and supplies contracts) has been put off to 31st December 2020.
 
·        Integrated contract: until 31st December 2020, when the technoligical and innovative element of the work object of the tender is significantly predominant with respect to the overall amount of the work, the joint assignment of executive design and work execution is allowed. Law 55/2019 provides  that the minimum requirements for the development of the design are provided for in the tender documents in compliance with the Code and the new implementing regulation.
 
·         Maintenance work on the basis of the final design: until 31st December 2020, ordinary and extraordinary maintenance work can be assigned on the basis of the final design and execution thereof can be started notwithstanding the draft and approval of the final design, unless these work provide for the renewal or substitution of the structural part of the work or plants. The final design shall have a minimum pre-established content.
 
·         Tender commissioners: until 31st December 2020 it will not be compulsory, during the tender, to recur to  independent commissioners selected from the register hold by ANAC.

·         Offers’ exam: until 31st December 2020 the contracting authority will be allowed (whether expressly provided for in the tender documents) – only for open procedures – to carry out the exam of the offers before verifying the offerors’ requisites.

·         Awarding criteria: the obligation to assign work for amounts up to 5,5 million euros according to the maximum downward is eliminated The Contracting Authority will be allowed to choose autonomously the criteria and, should it decide for a different criteria from the lowest price one, it shall not provide an explanation thereof.
 
·         Certificates and exclusion cases: operators’ documents and certificates shall have a duration of six months. For certificates and documents (exception made for Durc) already expired from less than 60 days, for which the renewal procedure is under way, the contracting authority can verify directly with the competent bodies the existence of grounds for exclusion, if any. Lacking an answer within 30 days, the content of the expired certificates shall be deemed confirmed.

18 APR 2019    WHISTEBLOWER – NEW EU RULES TO PROTECT THE REPORTING SUBJECTS

The EU Parliament has enacted a new Directive, not yet published on the EU Official Journal, to protect whistleblowers revealing breaches of EU law in a wide range of areas including public procurements, financial services, money laundering, product and transport safety, nuclear safety, public health, consume and data protection. 

Safe Reporting Channels
To protect whistleblowers and ensure that the information disclosed remains confidential, the new rules allow whistleblowers to disclose information through different reporting channels: internally, to the legal entity concerned (i.e. the company) or directly to the competent national authorities, as well as to the relevant EU institutions, bodies and agencies. Therefore,  companies and national authorities must create such reporting channels. In defect thereof, the whistleblower will still be protected  if he/she elects to disclose information publicly. Such obligation shall not apply to small companies and small municipalities.

Safeguard against retaliation

The EU Directive prohibits reprisals and introduces new safeguards to prevent the whistleblower from being suspended, demoted and intimidated or facing other forms of retaliation. The same protection is provided for those assisting whistleblowers (such as colleagues or relatives).
Member States must ensure  that whistleblowers have free access to information relating to available procedures and remedies, as well as legal assistance during the proceedings. The reporting subject may also receive, during  legal proceedings, financial and psychological support.

Next Steps
The Directive shall be now approved  by the EU Minister and, following its publication on the EU Official Journey , Member States will have 2 years to implement it.

11 APR 2019    ITALIAN DATA PROTECTION AUTHORITY – DATA BREACH - RUSSEAU PLATFORM

Decision of the Italian Data Protection Authority 4th April 2019 no. 9101974

By a recent decision (4th April 2019) Italian Data Protection Authority, following reporting also by private citizens, has rendered a decision on a data breach case which involves Rousseau platform and other websites linked to Movimento 5 Stelle.
Article 33 of EU Regulation 2016/679 on data protection provides for an obligation to notify to the Authority, within 72 hours from the event and/or from the moment in which knowledge thereof is acquired, data breach cases (i.e. episodes of unlawful access into a computer system and breach of security measures to illicitly acquire data contained on a server or cases of file cryptography through malware with simultaneous ransom demand of a payment in bitcoins). 
The case under reference was started in 2017 when, following am investigation, the Authority issued a first decision (no. 7400401 of 21st December 2017) indicating specific actions to improve the above platforms, having identified numerous critical areas from a computer point of view, which compromised security thereof, also with respect to unauthorized access into the platforms, with evident breach of data protection law (the then applicable Data Protection Code, Italian Legislative Decree no. 163/1996 and numerous decisions of the Data Protection Authority). Amongst the preliminary necessary measures ordered in 2017 the Authority has requested the following:
- adaptation of the minimum length of passwords to access into the system;
- adoption of net protocols https to grant a higher security;
- adoption of sound cryptographic algorithms  to adequately protect users’ passwords;
- auditing  measures to verify lawfulness of data processing with reference to the e-voting system through the platforms under reference, by keeping the registries of the IT systems administrators’ accesses and of the operations performed (log) in the data base of the Rousseau  Platform (in compliance with a General Decision of the Data Protection Authority of 2008 concerning IT systems administrators) as well as :
-  improvement of the information given to the interested parties according to the then applicable article 13 of Italian legislative Decree 196/2013.
Furthermore, the above decision stated the unlawfulness of users’ data processing by the owners of the websites connected to Movimento 5 stelle, based on communication of the data to third parties (Wind Tre spa e ITNET srl) lacking an adequate reason therefor.
Following the above preliminary prescriptions, the Data Protection Authority has investigated further in order to ascertain if and how the measures provide for in 2017 had been implemented.

At the end of the above investigation – and after two postponements thereof based on relevant requests by Association Movimento 5 Stelle and Russeau Platform -   having performed the technical controls aimed at verifying concretely the soundness of the security systems adopted with respect to the critical aspects identified by the Authority in 2017, remaining infringements  have emerged which have led the Authority to apply a sanction to Association Rousseau, in its quality as Data Processor of Movimento 5 Stelle, equal to € 50.000, according to article 58 of EU Regulation 2016/679 (GDPR), for breach of article 32 of GDPR (safety of the processing).

Amongst the main infringements of data protection law emerged following the Authority’s investigations, we highlight the following:

-          obsolescence of some software components of the websites (the distributor of the Csm software in question does not issue updates thereof as of 2013);

-          notwithstanding adoption of a traceability system of the activity performed, the system used in the Platforms does not allow to trace adequately the accesses (reading and/or amendment) into the database by the System Administrators of Russeau Association who can operate, for example, on users’ data without their activity being adequately traced, so that it is not possible to carry out the computer auditing required by the Authority, thus exposing personal data in the Platforms to high risks of breach;

-          measures adopted have not eliminated the possibility to alter, cancel or extract offline copies of the results of e-voting operations on the platform: in other words, integrity, authenticity and confidentiality of the vote are not granted by those who act as Data Base Administrators;

-          finally, the use of the same authentication credentials assigned to authorised persons granted high privileges for management of the platforms supporting the websites www.movimento5stelle.it e rousseau.movimento5stelle.it; this circumstance prevents from attributing actions performed in a computerised system to a determine d authorised person, with a prejudice for the controller, prevented from the possibility of controlling activity of these technical important figures. 

Jointly with the administrative sanction, the Authority has given precise terms for adaptation and improvement of the platforms under reference, ordering to the Association Movimento 5 stelle, in its quality as controller, and to Association Rousseau, as processor, to evaluate the impact on data protection with specific reference to the e-voting functionality of the platform.

Avv. Grazia Quacquarelli, LL. M.

11 APR 2019    ITALIAN DATA PROTECTION AUTHORITY – DATA BREACH - RUSSEAU PLATFORM

Decision of the Italian Data Protection Authority 4th April 2019 no. 9101974

By a recent decision (4th April 2019) Italian Data Protection Authority, following reporting also by private citizens, has rendered a decision on a data breach case which involves Rousseau platform and other websites linked to Movimento 5 Stelle.
Article 33 of EU Regulation 2016/679 on data protection provides for an obligation to notify to the Authority, within 72 hours from the event and/or from the moment in which knowledge thereof is acquired, data breach cases (i.e. episodes of unlawful access into a computer system and breach of security measures to illicitly acquire data contained on a server or cases of file cryptography through malware with simultaneous ransom demand of a payment in bitcoins). 
The case under reference was started in 2017 when, following am investigation, the Authority issued a first decision (no. 7400401 of 21st December 2017) indicating specific actions to improve the above platforms, having identified numerous critical areas from a computer point of view, which compromised security thereof, also with respect to unauthorized access into the platforms, with evident breach of data protection law (the then applicable Data Protection Code, Italian Legislative Decree no. 163/1996 and numerous decisions of the Data Protection Authority). Amongst the preliminary necessary measures ordered in 2017 the Authority has requested the following:
- adaptation of the minimum length of passwords to access into the system;
- adoption of net protocols https to grant a higher security;
- adoption of sound cryptographic algorithms  to adequately protect users’ passwords;
- auditing  measures to verify lawfulness of data processing with reference to the e-voting system through the platforms under reference, by keeping the registries of the IT systems administrators’ accesses and of the operations performed (log) in the data base of the Rousseau  Platform (in compliance with a General Decision of the Data Protection Authority of 2008 concerning IT systems administrators) as well as :
-  improvement of the information given to the interested parties according to the then applicable article 13 of Italian legislative Decree 196/2013.
Furthermore, the above decision stated the unlawfulness of users’ data processing by the owners of the websites connected to Movimento 5 stelle, based on communication of the data to third parties (Wind Tre spa e ITNET srl) lacking an adequate reason therefor.
Following the above preliminary prescriptions, the Data Protection Authority has investigated further in order to ascertain if and how the measures provide for in 2017 had been implemented.

At the end of the above investigation – and after two postponements thereof based on relevant requests by Association Movimento 5 Stelle and Russeau Platform -   having performed the technical controls aimed at verifying concretely the soundness of the security systems adopted with respect to the critical aspects identified by the Authority in 2017, remaining infringements  have emerged which have led the Authority to apply a sanction to Association Rousseau, in its quality as Data Processor of Movimento 5 Stelle, equal to € 50.000, according to article 58 of EU Regulation 2016/679 (GDPR), for breach of article 32 of GDPR (safety of the processing).

Amongst the main infringements of data protection law emerged following the Authority’s investigations, we highlight the following:

-          obsolescence of some software components of the websites (the distributor of the Csm software in question does not issue updates thereof as of 2013);

-          notwithstanding adoption of a traceability system of the activity performed, the system used in the Platforms does not allow to trace adequately the accesses (reading and/or amendment) into the database by the System Administrators of Russeau Association who can operate, for example, on users’ data without their activity being adequately traced, so that it is not possible to carry out the computer auditing required by the Authority, thus exposing personal data in the Platforms to high risks of breach;

-          measures adopted have not eliminated the possibility to alter, cancel or extract offline copies of the results of e-voting operations on the platform: in other words, integrity, authenticity and confidentiality of the vote are not granted by those who act as Data Base Administrators;

-          finally, the use of the same authentication credentials assigned to authorised persons granted high privileges for management of the platforms supporting the websites www.movimento5stelle.it e rousseau.movimento5stelle.it; this circumstance prevents from attributing actions performed in a computerised system to a determine d authorised person, with a prejudice for the controller, prevented from the possibility of controlling activity of these technical important figures. 

Jointly with the administrative sanction, the Authority has given precise terms for adaptation and improvement of the platforms under reference, ordering to the Association Movimento 5 stelle, in its quality as controller, and to Association Rousseau, as processor, to evaluate the impact on data protection with specific reference to the e-voting functionality of the platform.

Avv. Grazia Quacquarelli, LL. M.

16 MAR 2019    CODE OF BUSINESS CRISIS AND INSOLVENCY - CHANGES TO THE CIVIL CODE

On 16th March 2019 some provisions of Legislative Decree no . 14 dated 12nd January 2019 (so called  “ Code of companies’ crises and insolvencies” , hereinafter “Code of Crisis”, published on Official Journal no. 38 of 14th February 2019) came into full force and effect. The Code of Crisis is composed of 391 article, most of which will come into force in August 2020. 
Amongst the provisions which came into force as of 16th March, we illustrate some of the most significant, which have amended the Italian Civil Code.
A.      Article  375 of the Code of Crisis
This article amends  article  2086 of the Italian civil code, introducing a second paragraph which requires the entrepreneur,  who operates through a company, to adopt and implement an “organizational, administrative and accounting structure” , consistent with the nature and dimension of the company, also in order to detect promptly any sign of the company’s crisis and loss of the business continuity. The entrepreneur is obliged also to take any adequate step to adopt and implement any action provided for by law to overcome the crisis and, consequently, recover  the business continuity. The legislator has meant, therefore, to further involve and empower the entrepreneur, obliging it to adopt an adequate internal structure able to detect promptly  the crisis and, consequently, act for the recovery of the business continuity.
B.      Article  377 of the Code of Crisis
This article amends articles 2257, 2380-bis, 2409-novies and 2475 of the Italian civil code  imposing the adoption of adequate corporate organizational structures and reiterating that management of the company is the responsibility, exclusively, of the Directors, who perform the necessary operations  to achieve the corporate goal.
C.      Article 379 of the Code of Crisis
It amends article 2477 of the Italian civil code, providing, for limited liability companies, the obligation to appoint a supervisory body (Auditor or Board of Auditors) if:
I.        the company is obliged to draft consolidated  financial statements;
II.      the company controls another company which is obliged to have the statutory audit;
III.    the company has exceeded, for two consecutive financial years, at least one of the following limits: 1) total asset of the balance sheet: Euro two million; 2) income from sales and turnover: Euro 2 million; 3) average number of employees during the financial year: 10.
According to article 2477, fifth subparagraph, of Italian civil code, the obligation to appoint a supervisory body or an auditor shall be complied with, by the shareholders’ meeting, within 30 days from approval of the financial statements, in relation to  which those limits have been exceeded; in defect thereof, the appointment is made by the competent Court, upon request from any interested party or “upon reporting from the Company’s register Registrar” (as introduced by the Code of Crisis).
Finally, limited liability companies and cooperative companies – if the requirements of article 2477, first subparagraph, of the Italian civil code occur – shall appoint the supervisory body or the auditor and, if necessary, adapt and amend the Deed of incorporation and the Articles of Association to the above new regulations,  within 9 months from the date of 16th March 2019 (i.e. within 16th December 2019).

06 MAR 2019    FRAUDOLENT WORK SUPPLY - LABOUR INSPECTORATE CIRCULAR N. 3/2019

Legislative Decree no. 87/2008, converted into Law no. 96/2018, has re-introduced in Italian legal system the crime of fraudulent manpower supply (article 38 bis of Italian Legislative Decree no. 81/2015) which occurs when “the work supply is implemented with the specific goal of avoiding the application of compulsory rules of law or of collective agreements applicable to the worker”. The sanction provided for is equal to € 20 per worker for each day of the supply.
The Labour Inspectorate, by circular no 3/2019, has provided some clarification concerning the different hypothesis in which the above crime occurs, as follow:
- through illicit building contract, aimed at avoiding applicability of compulsory rules of law or of collective agreements  subsequently allowing the employer to save money on the work cost; or
- through the involvement of work agencies, when the employer fires an employee with a view to re-hiring him/her through a work agency, thus breaching the rules of law or collective agreements; and
- through fake transnational secondments by the Italian employer, as far as the secondment is functional to the avoidance of internal rules or collective agreements.
Besides applying monetary sanctions, the Labour Inspectorate shall apply prescriptive measures aimed, by way of example, at obliging the effective employer to hire the workers for the entire duration of the contract. 
Finally, the Labour Inspectorate has indicated, amongst the element supporting the existence of a fraudulent intention (besides the avoidance of compulsory regulations) the occurrence of situations of financial distress of the firm and the consequent impossibility of sustaining the cost of personnel in the light of the annual turnover.

17 JAN 2019    ANTICORRUPTION LAW

On 16thJanuary 2019, Law no. 3 dated 9thJanuary 2019 (“Measures to prevent crimes against Public Administration, as well as concerning he statute of limitation of crimes and transparency of political parties and movements” - so called “Anti-Corruption Law”) has been published in the Official Journal (Official Journal no. 13 of 16th January 2019). The mentioned Law will come into full force and effect on 31st January 2019.
The provision contains new important regulations concerning the prevention and contrast of corruption in Public Administration and, more in general, in the field of criminal law.
More precisely, the punishment for the crimes of corruption and embezzlement are changed (for the first one the words "from one to six years" are amended with "from three to eight years"; for the second the words "with imprisonment of up to three years and with a fine of up to € 1,032 " are replaced by "with imprisonment from two to five years and with a fine from € 1,000 to € 3,000 "). Moreover, for the crime of improper corruption, the penalty is increased from one year to three years of imprisonment (in the minimum) and from six to eight years (in the maximum).
Finally, those convicted of offenses against Public Administration (amongst which embezzlement, corruption and bribery) will no longer be allowed to benefit from penalties alternative to imprisonment, such as premium permits and assignment of external work.
Any sentence for the above offences, whether committed to the detriment or to the benefit of a business activity, or in connection thereof, implies – as ancillary punishment – a ban from public offices and the inability to enter into any agreement with Public Administration. The ban and inability can be perpetual (exception made for  obtainment of a public service) or temporary, if the punishment inflicted is inferior to a given period of time or specific mitigating circumstances occur.
With Anti-corruption law also Legislative Decree 8th June 2001 n. 231 is amended, by both (i) raising the terms of maximum duration of the measures against entities as a consequence of corruption crimes and (ii) introducing trading of illicit influence (article 346 bis of Italian Criminal Code) amongst the predicted offences of the mentioned Decree.

+link+

11 JAN 2019    UNAUTHORSED ACCES INTO A COMPUTER SYSTEM

Having found out the above, the bank decided to report the employee, taking into account that the second employee, addressee of the e-mails and who had solicited the same, had no password or authorisation to access into these data. The Court of Appeal of Milan (by decision of 10th July 2017) confirmed the liability (ascertained by the Court of First Instance) of the e-mails addressee, as well, deeming him guilty of the crime provided for under article 615 ter of the Italian Penal Code (“unlawful access into a computer system”). More specifically, the contribution of the defendant  had consisted in having incited the colleague  to commit the crime, asking him to forward the above mentioned data, even though he was not authorised to access thereinto.
The employee appealed the Court of Appeal’s decision before the Supreme Court, alleging, amongst the others, breach of law and defective reasoning on the alleged occurrence of the crime under article 615 ter of the Italian Penal Code, on the basis that “merely sending an e-mail from a colleague to another, through one’s own e-mail account, cannot integrate the objective requirement of the crime under reference”.
However, the Supreme  Court has considered the appeal unfounded, reiterating the principle of the Supreme Court’s (Joined Chambers) decision no. 41210 of 18th May 2017, according to which “any employee’s behaviour in breach of the above duties (loyalty) is illicit and unauthorized it evidencing the intrinsic incompatibility of the access into the computer system connected with a use thereof inconsistent with the spirit of the relevant power’s granting”.
As a consequence of the above, also remaining in a computer system for an extended period of time with respect to the one allowed and/or to commit a forbidden activity – i.e. “transmittal of the list to a subject not authorised to have knowledge thereof” – integrates the behaviour provided for and punished by article 615 ter of the Italian Penal Code; furthermore, as per the above, the employee asking the colleague to forward him data - which he is not authorized to access into -can be involved in the crime under reference.

21 DEC 2018   SISTRI'S ABOLITION

The Decree Law n° 290 on 14 th December 2018, has published in the Official Gazette General Series n. 135 "Urgent provisions on support and simplification for businesses and for public administration" (hereinafter "Simplification Decree"), which entered into force on December 15, 2018. Among the contained innovations  in the Simplification Decree we point out that, with the 'art. 6 of the aforementioned provision, with effect from 1st January 2019 the waste tracking control system (SISTRI) has been deleted, provided for by article 188-ter of Legislative Decree 3rd April 2006, no. 152 (T.U. ambiente). Consequently, from the beginning of next year and until the definition of a new waste traceability system - which, according to the provisions of paragraph 3 of art. 6 of the Simplification Decree, will be organized and managed directly by the Ministry of the environment and the protection of the territory and the sea - the subjects required to track the waste will continue to fulfill their obligations through paper forms, filling the loading and unloading registers and the waste identification form.