Chapter 14 (Employment Relationships) Flashcards

1
Q

Does Article 88 of the GDPR recognize that member states may provide for more specific rules around processing employees’ personal data?

A

Yes.

2
Q

What are the 4 grounds employers usually rely upon to process employees’ data?

A
  1. The employee has given consent
  2. Processing is necessary to fulfill the employment contract between the employer and employee
  3. Processing is necessary for compliance with a legal obligation to which the employer is subject
  4. Processing is necessary for the employer’s legitimate interests
3
Q

Is consent a good ground for processing employees’ personal data?

A

No, it is best avoided because of the unequal balance of power in the employer-employee relationship.

4
Q

Is it possible that the processing of employee data may be unlawful or unfair under local law even if the employee has consented?

A

Yes, e.g. a member state’s local law can stipulate that consent can’t be given for certain types of processing.

5
Q

Is processing the data of potential and existing employees for background checks generally allowed under the GDPR and member states’ local laws?

A

Yes, due to the recognition that data breaches can be the work of unscrupulous employees.

6
Q

Can employers compile blacklists, as part of their background-checking procedure, of individuals they will not employ?

A

No.

7
Q

How do businesses use data loss prevention (DLP) technologies?

A

They are used to protect their IT infrastructure and confidential business information from external and internal threats.

8
Q

If an employer wishes to carry out workplace monitoring, it should ensure compliance with what 4 data protection principles?

A
  1. Necessity: demonstrate monitoring is necessary
  2. Legitimacy: must have lawful grounds for processing
  3. Proportionality: monitoring must be proportional to the issue the employer is dealing with
  4. Transparency: an employer must clearly inform employees of the monitoring that will be carried out
9
Q

A DPIA is required if the monitoring of employees includes what 3 things?

A
  1. Amounts to a systematic and extensive evaluation of personal aspects of individuals
  2. That is based on automated processing
  3. And on which decisions are based that produce legal effects or similarly significantly affect individuals
10
Q

Article 9 of the GDPR permits employers to process sensitive data when exercising a specific right under what 3 areas of the law?

A

Carrying out the obligations and exercising specific rights of the employer according to:
1. Employment law
2. Social security law, and/or
3. Social protection law

11
Q

What is an AUP in an employment context?

A

An acceptable use policy that is brought to the attention of all new and existing employees and sets out in detail the expected standard of use for employer communications equipment and indicates that employee use may be monitored.

12
Q

When may it be appropriate for an employer to engage in undercover surveillance of an employee?

A

If the employer has reasonable grounds to suspect the employee of theft.

13
Q

The WP29 guidelines state that employers should provide what 4 pieces of information to their employees?

A
  1. Company email/internet policy, which should describe in detail the extent to which employees may use communications facilities owned by the company for personal/private matters.
  2. Reasons and purposes for which surveillance is being carried out.
  3. The details of surveillance measures taken: Who? What? How? When?
  4. Details of any enforcement procedures that outline how and when workers will be notified of breaches of internal policies and given the opportunity to respond to any such claims against them
14
Q

The WP29 guidelines state that employers should supply their employees with what 5 pieces of guidance regarding the employer’s monitoring of e-mail?

A
  1. Whether a worker is entitled to have an e-mail account for purely personal use, whether use of webmail accounts is permitted at work, and the employer’s recommendations regarding the use, by workers, of a private webmail account for the purpose of accessing e-mail for purely personal use
  2. The arrangements in place to access the contents of a worker’s e-mail
  3. The storage period for any backup copies of messages
  4. Information about when e-mails are definitively deleted from the server
  5. The involvement of workers’ reps in formulating the policy
15
Q

The WP29 guidelines state that employers should supply their employees with what 3 pieces of guidance regarding the employer’s monitoring of internet use?

A
  1. Clear delineation of the conditions on which private use of the internet is permitted, as well as specific material that can’t be viewed or copied
  2. Information about the systems implemented both to prevent access to certain sites and to detect misuse, as well as an explanation of what use, if any, will be made of any data collected in relation to who visited what sites
  3. Information about the involvement of the employer’s reps, both in the implementation of this policy and in the investigation of alleged breaches
16
Q

When dealing with employee data employers should consider their obligations under what 2 things?

A
  1. Employment law
  2. Collective agreements with trade unions and works councils
17
Q

What are works councils?

A

Bodies that represent employees and have certain rights under local law that affect the use of employee data by employers.

18
Q

In what 3 EU member states are works councils active?

A
  1. France
  2. Germany
  3. Italy
19
Q

Usually, under member states’ local laws, employers have to engage with works councils in one or more of what 3 ways?

A
  1. Notifying the works council: about changes to the working environment that will affect working conditions
  2. Consulting with the works council: about proposed data processing activity
  3. Seeking the approval of the works council: the works council may have the right to approve or reject certain decisions of the employer (known as the right to co-determination)
20
Q

What 2 compliance regimes do EU companies have to comply with in the context of whistleblowing?

A
  1. The U.S. Sarbanes-Oxley Act (SOX), which requires whistleblowing procedures
  2. EU data protection laws, which limit use of personal data in whistleblowing circumstances due to the potential prejudice to individuals
21
Q

What is the aim of SOX?

A

To ensure company and accounting decision-making that is more responsible and accountable.

22
Q

Companies regulated by SOX must establish a way to do what?

A

To confidentially receive and deal with complaints about actual or potential fraud from misappropriation of assets or material misstatements in financial reporting.

23
Q

What are the 3 ways most SOX-regulated companies comply?

A
  1. Controls
  2. Encouraging those with knowledge of actual or potential fraud to report such instances
  3. Reiterating the confidential nature of the reporting and protection for the whistleblower
24
Q

An employer seeking to comply with the EU data protection rules whilst operating a whistleblowing scheme needs to consider what 8 things?

A
  1. A DPIA for the envisioned whistleblowing scheme to assess the impact on the protection of personal data
  2. Liaison with works councils as required under local employment law or according to a collective agreement
  3. Processing contracts with processors based outside the EU, and making sure they meet GDPR requirements
  4. Mechanism for transferring personal data on reports outside of the EU to non-EU based companies for further processing (generally using SCCs or BCRs)
  5. Whether consent from employees is required and, if so, in what form
  6. Whether compliance in a particular jurisdiction is complicated due to the policy of the DPA
  7. Developing a whistleblowing policy and process that is transparent to employees, informing them of the scope of the scheme and explaining how their personal data will be used in relation to the scheme
  8. Ensuring individual employee’s rights under data protection law are protected appropriately under the scheme
25
Q

Considering the guidance provided by the CNIL and WP29, a company’s whistleblower policy should cover what 10 elements?

A
  1. Limiting the people entitled to report alleged improprieties to those in a position to know about potential conduct
  2. Limiting the individuals who may be incriminated
  3. Confidentiality v anonymity: strongly discourage frivolous reports
  4. Limiting the scope of reportable matters to those that realistically affect the org’s corporate governance
  5. Reports should be subject to objective, confidential, and unbiased investigation (e.g. specific mechanism to manage reports)
  6. Establish a strict data retention period following completion of an investigation
  7. Be clear about the way the whistleblowing scheme is operated, as set out in the whistleblowing policy
  8. Setting out specific circumstances under which the data protection rights of incriminated individuals may be limited
  9. Adopting a specific info security policy dealing with reports collected via the whistleblowing scheme
  10. State the mechanism used to legitimize any international transfers of data
26
Q

Companies introducing bring your own device (BYOD) into the workplace should do what 4 things?

A
  1. Establish a BYOD policy that explains to employees how they can use BYOD and what their responsibilities are
  2. Be clear about where the data processed via the device is stored and what measures must be taken to keep the data secure
  3. Ensure the transfer of data from the personal device to the company’s servers is secure to stop any interceptions as far as possible
  4. Consider how to manage personal data held on the device once the employee leaves the company or the device is stolen or lost