The para-subordinate work relationship is defined as a specific employment relationship that combines elements of subordinate work with characteristics typical of self-employment: this hybrid nature raises significant questions in terms of privacy when para-subordinate workers, as part of their duties, process personal data.
In this article, we aim to explore whether it is more appropriate to appoint them as data processors under Article 28 of Regulation (EU) 2016/679 (“GDPR”) or authorize them to process data under the authority of the controller pursuant to Article 29 of the GDPR.
Regulatory framework
Article 409, no. 3 of the Italian Code of Civil Procedure defines the para-subordinate employment contract as a relationship of continuous, coordinated, and predominantly personal collaboration, without subordination and with autonomous management of the work by the collaborator, to whom the same regulations as subordinate work apply.
Today, para-subordinate work is governed by Legislative Decree no. 81/2015, which abolished the project-based employment contract (so-called co.co.pro), maintaining continuous and coordinated collaborations (co.co.co). In line with the aforementioned provision of the Code of Civil Procedure, co.co.co contracts consist of predominantly personal, continuous services, where the methods of execution are organized by the principal.
In these relationships, the rules for subordinate work apply, except in specific cases expressly provided for by Legislative Decree no. 81/2015 (for example, intellectual professions).
Role in the management of personal data
The para-subordinate worker who processes personal data presents the data controller with a choice: to appoint them as a data processor under Article 28 of the GDPR, considering their autonomous nature, or to authorize them to process data under Article 29 of the GDPR, assigning greater importance to their role as an internal resource within the controller’s structure.
The distinction in making this decision is not so much the existence of a (para)subordinate relationship with the controller, but rather the level of autonomy granted to the para-subordinate worker in processing personal data. Both options seem feasible under data protection regulations and the guidance of competent bodies, such as the European Data Protection Board (“EDPB”): the role of data processor imposes no subjective limitations, requiring only that the data processing be carried out autonomously and independently from the direct authority or control of the controller.
On the other hand, the EDPB excludes the possibility of appointing internal resources of the controller as data processors, as they act under the direct authority of the controller: in such cases, the controller must instruct the internal resources on data processing in accordance with Article 29 of the GDPR, designating them as “authorized” processors.
Specifically regarding “internal resources,” the EDPB does not limit the scope to employees alone but extends the possibility to para-subordinate workers — if they indeed act under the authority of the controller — to be authorized to process data pursuant to Article 29 of the GDPR.
Conclusion
In conclusion, the most appropriate privacy role for the para-subordinate worker must be determined based on practical and strategic considerations.
If the collaborator enjoys autonomy in processing personal data, it may be preferable for the controller to appoint them as a data processor under Article 28 of the GDPR, thereby assigning the obligations and responsibilities provided for by the regulation concerning the processing carried out.
Conversely, if their data processing activity is subject to the direct authority and control of the controller, it would be more appropriate to authorize them to process data under Article 29 of the GDPR, keeping the related responsibilities with the controller.
This assessment requires the involvement of professionals in both privacy and employment law, integrating their respective expertise to identify the option most compliant with the regulations, as well as most aligned with the controller’s organization.
Article published on CyberSecurity360
