Privacy compliance at the termination of employment in Italy

The principle of storage limitation, outlined in Article 5 of the GDPR, reveals its full importance at the end of the employment relationship. According to this principle, for data processing to be lawful, it must be determined, before processing begins, by the employer. The termination of the employment relationship, in most data processing activities, also dictates the end of the storage period. The conclusion of the employment relationship thus marks the obligation to establish a procedure capable of guiding the employer and the organization towards the correct data management practices. As mentioned, from the beginning of the processing, the employer must have determined the retention period related to the purpose, and this term must be clearly and precisely communicated to the employee from the start of the employment relationship. The Italian Data Protection Authority has repeatedly intervened on the matter, emphasizing that the retention period cannot and should not be indicated in a generic manner, such as simply stating it is tied to the achievement of the purpose. Instead, the retention period must be clearly defined from the outset. In this context, the importance of the record of processing activities is highlighted, a tool that is both mandatory and necessary for the mapping phase and for defining the data retention period. Therefore, updating the record becomes t...