Chapter 14 - Employment Relationships Flashcards
What types of personal data do employers collect and use about employees?
-Employers collect and use personal data about employees for various purposes, including recruitment, benefits, salary, personnel files, sickness records, monitoring and appraisals, personnel reports, and severance.
-Employers may also collect employee data to comply with obligations under employment law and to protect employees, as seen during the COVID-19 pandemic.
What should employers consider when dealing with employees’ personal data?
-Employers should consider any obligations under member state employment law that apply to the situation.
-Consultation with national works councils may be required in jurisdictions where employee rights law is strong, such as Germany and Belgium.
-Local employment law varies considerably across the European Union, making compliance complicated.
-Certain EU countries have specific laws dealing with employee data or workplace privacy laws surrounding surveillance.
How should employers handle the storage of personnel records?
-Employers should not retain personal data for longer than necessary under data protection rules.
-While an individual is a current employee, the employer has a legitimate reason to retain their data.
-Once the employee has left the job, the reasons for retaining their data are likely to diminish.
-Employers should securely archive data on former employees and restrict internal access to their records.
Why is relying on employee consent for processing personal data problematic?
-True consent, as required under EU data protection law, must be freely given, specific, informed, and unambiguous.
-Data protection authorities (DPAs) have stipulated that reliance on consent should be confined to circumstances where a worker has a genuine free choice and can withdraw consent without suffering any detriment.
-Employees may feel pressured into providing consent due to the unequal balance of power in an employer-employee relationship.
-Therefore, employers are ill-advised to rely solely on consent.
What information must employers provide to employees regarding the use of their personal data?
-Employers must provide an appropriate notice to employees informing them about the use of their data, the purposes, whom they should contact with queries, and their rights in relation to the data.
-This can be done through an employee handbook or a specific notification document.
-The notice must provide the required level of detail so employees can understand the purposes for the processing, the legal basis, the recipients of their data, where the data will be transferred to, and for how long their employer will retain their data.
What principles should employers follow when carrying out workplace monitoring?
Employers should ensure compliance with the following data protection principles:
- Necessity: Demonstrate that the monitoring is really necessary
- Legitimacy: Have lawful grounds for collecting and using the personal data
- Proportionality: Ensure monitoring is proportionate to the issue
- Transparency: Clearly inform employees of the monitoring that will be carried out.
What are the legal bases for processing employee personal data?
-Employers usually rely on the following grounds to process employees’ personal data:
- The employee has given consent (although relying on consent has considerable disadvantages)
- Processing is necessary to fulfill the employment contract between the employer and employee
- Processing is necessary for compliance with a legal obligation to which the employer is subject
- Processing is necessary for the employer’s legitimate interests.
What are the exceptions for processing sensitive employee data under Article 9 of the GDPR?
-Employers must satisfy one of the exceptions in Article 9(2) of the GDPR when processing special category (sensitive) employee data.
-These exceptions include:
1. the explicit consent of the individual
2. processing necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment, social security, and social protection law
3. processing necessary to establish, exercise, or defend legal claims.
What is a Data Protection Impact Assessment (DPIA) and when is it required?
-A DPIA is a process that considers the privacy risks to individuals of any proposed data processing activity.
-It is required when the proposed processing (for example, workplace monitoring) is likely to result in a high risk to the rights and freedoms of individuals.
-A DPIA helps determine whether the planned monitoring is really required and proportionate.
What should employers include in their acceptable use policy (AUP)?
-Employers should introduce an AUP that sets out the expected standard of use for employer communications equipment and indicates that employee use may be monitored.
-The AUP should specify how much private use of employer equipment is permitted and remind employees of the expectation concerning their use of company equipment.
What are the roles of works councils in relation to employee data?
-Works councils represent employees and have certain rights under local law that affect the use of employee data by employers.
-Employers may need to notify, consult, or seek the approval of works councils regarding changes to the working environment or proposed data processing activity.
-Failure to involve works councils can result in unlawful data processing and financial penalties.
What are the key elements of a whistleblowing policy?
A whistleblowing policy should cover the following elements:
- Individuals reporting: Limit persons entitled to report alleged improprieties
- Individuals incriminated: Limit individuals who may be incriminated
- Confidentiality versus anonymity: Emphasize confidentiality and discourage anonymous reporting
- Scope of reports: Limit scope to matters affecting corporate governance
- Management of reports: Ensure objective, confidential, and unbiased investigation
- Data retention: Establish a strict data retention period
- Information provision: Provide clear information about the whistleblowing scheme
- Rights of incriminated persons: Set out circumstances under which data protection rights may be limited
- Security of reports: Adopt specific information security policy
- Transfers outside the EEA: State mechanism used to legitimize international transfers of data.
What are the data protection compliance issues related to Bring Your Own Device (BYOD)?
-BYOD poses data protection compliance issues since the employer remains responsible as a controller for any personal data processed on the employee’s device for work-related purposes.
-Employers should establish a BYOD policy, ensure data security, manage personal data on the device, and consider how to handle data if the employee leaves the company or the device is lost or stolen.