Ch. 8 Information Provision Flashcards
Direct collection (data obtained from the data subject): the DS must be provided with the following info:
Art. 13 ->
- Identity and contact details of the controller and, where applicable, of the data protection officer (DPO)
- Purposes and legal basis of the processing
- The legitimate interests pursued, if legitimate interests are the legal basis for the processing
- Recipients or categories of recipients of the data
- Whether there is an intention to transfer data to a third country or international organisation, and if so:
a) whether the transfer rests on an adequacy decision
b) otherwise, the appropriate safeguards relied on (and how to obtain a copy), or the reasons where a derogation such as compelling legitimate interests is relied on
- Retention period, or the criteria used to determine it
- DS rights (access, rectification, erasure, restriction, objection, portability)
- The right to withdraw consent at any time if processing is based on consent under Art. 6 or Art. 9
- The right to lodge a complaint with a supervisory authority
- Whether providing the data is a contractual or statutory requirement, and the consequences if the DS fails to provide it
- The existence of automated decision making (including profiling), meaningful information about the logic involved, and the significance and envisaged consequences for the DS
Indirect collection (data not obtained from the data subject)
Art. 14 -> same as above, plus:
- Source of the data, and whether it came from publicly accessible sources
- Categories of personal data concerned
Information must be provided to the DS within a reasonable period, and at the latest within 1 month after obtaining the data. If the data are used to communicate with the DS, then at the latest at the first communication. If the data are disclosed to another recipient, then at the latest at the moment of first disclosure.
Exemptions from information provision to the DS (Art. 14(5), indirect collection only)
- DS already has the info
- Provision is impossible, would require disproportionate effort, or would render impossible or seriously impair the purposes of the processing. The controller must then take appropriate measures to protect DS rights nonetheless (e.g. making the information publicly available)
- EU or MS law expressly requires obtaining or disclosing the data and provides appropriate measures to protect the DS's legitimate interests
- EU or MS law requires the data to remain confidential under an obligation of professional secrecy
Extra information provision with international transfers
When the transfer is based on:
- The controller's compelling legitimate interests and its own assessment of the circumstances surrounding the transfer (Art. 49(1), second subparagraph): inform the DS of the transfer and of the compelling legitimate interests pursued by the controller
- Explicit consent (Art. 49(1)(a)): inform the DS of the possible risks of the transfer due to the absence of an adequacy decision from the Commission and of other 'appropriate safeguards'
When based on Binding Corporate Rules (BCR, Art. 47), give the DS information about the GDPR principles contained in the BCR, the data subjects' rights in relation to the processing, and how to exercise them.
Limits to info provision
According to Art. 23, MS retain the ability to introduce derogations (restrictions on the transparency obligations and DS rights) where these are required for national security, the prevention and detection of crime, and certain other listed situations. In line with the case law of the Court of Justice of the European Union, any such derogation must respect "the essence" of the right to data protection and be a necessary and proportionate measure in a democratic society.
ePrivacy Directive on info provision
Sets out additional information requirements (Art. 5(3) of Directive 2002/58/EC) for the use of cookies and similar technologies by the operators of websites, apps and, increasingly, other connected devices:
- the user must be given clear and comprehensive information on the processing (in line with the GDPR)
- the user must give consent, except where the storage or access is strictly necessary to provide a service the user explicitly requested
Privacy notices (Art. 12(1))
- concise
- transparent
- easily accessible
- intelligible, in clear and plain language
- accurate and up to date
Conditions for employee monitoring
- Necessity: an employer must be able to demonstrate that the monitoring is really necessary. A DPIA is therefore required when the monitoring is likely to result in a high risk to employees, or when it involves a systematic and extensive evaluation of personal aspects based on automated processing that produces legal or similarly significant effects.
- Legitimacy: an employer must have a lawful ground for collecting and using the personal data. In practice this is a legitimate interest balancing test (consent is rarely valid given the employer/employee power imbalance). Monitoring that involves the collection of sensitive (Art. 9) data is likely to be problematic.
- Proportionality: linked to the principle of data minimisation; collect no more than the purpose requires, and prefer less intrusive measures.
- Transparency: crucial in the judgments of courts. Employers should set expectations for employees on what will be monitored, and should introduce an Acceptable Use Policy (AUP).
Information to be provided by employers
- Company email/internet policy
- Reasons and purposes for which surveillance is carried out
- Details of the surveillance measures
- Details of the enforcement measures
- Specific guidance in relation to monitoring email
- Specific guidance in relation to monitoring internet use
Art. 29 Working Party requirements for whistleblowing schemes
- Transparency -> explain the scheme to employees
- Must be secure and confidential -> but anonymous reporting (required under American law, e.g. Sarbanes-Oxley) is strongly discouraged under EU law; confidential (identified) reporting is preferred
- Limitation: limit the persons entitled to report alleged improprieties or misconduct through the scheme to those who are in a position to know about the potential misconduct
- Scope of reports: consider limiting the scope of reportable matters to those that realistically affect the organisation's corporate governance
- Strict data retention: if a report of wrongdoing cannot be substantiated, it should be deleted promptly
Sandboxing (BYOD)
Confines corporate data and apps to a separate, managed container on the employee's phone, so that monitoring and remote wipe can be limited to that area and the employee's private data stay outside the employer's reach.
MS law on employee data
Art. 88 GDPR -> MS may lay down more specific rules on the processing of employees' personal data by law or by collective agreement. These rules must include suitable and specific measures to safeguard:
- human dignity
- legitimate interests
- fundamental rights
Special category data processed by employers?
Art. 9 GDPR -> prohibited unless e.g.:
- explicit consent (Art. 9(2)(a)), noting the limited value of consent in the employment context
- necessary for the establishment, exercise or defence of legal claims (Art. 9(2)(f))
- necessary for the controller to carry out obligations and exercise specific rights under employment, social security or social protection law, as authorised by EU or MS law or by collective agreement (Art. 9(2)(b))
Surveillance goals for public authorities
- preventing, investigating, detecting and prosecuting criminal offences
- safeguarding against and preventing threats to public security
Conditions for surveillance by public authorities
- laid down by law
- constitutes a necessary and proportionate measure in a democratic society, with due regard for the legitimate interests of the natural person concerned