Chapter 3A: Employment relationship Flashcards
What mix makes compliance in the context of employment difficult?
Local employment law and EU data protection law.
Under Article 88 of the GDPR, member states may, by law or collective agreements…
Provide more specific rules around processing employees’ personal data.
Local employment law varies considerably across the EU; true or false?
True
An employer may be obligated to communicate with a trade union or works council. Considerations…
Works councils can have considerable power over the processing of employees’ personal data
Compliance may require notifying, consulting with, and seeking approval from them.
Compliant legal bases for processing employee data can include…
Fulfilment of an employee contract
Legal obligation
Legitimate interests
Consent(?)
Fulfilment of an employee contract - example for relying on this basis…
Collecting and using bank account information to process salaries
Legal obligation - example for relying on this basis…
Sharing salary information with tax authorities (this must be an obligation under EU/member state law to count)
Legitimate interests - example for relying on this basis…
Migrating employee information from one data management system to another
This cannot be adverse to employees’ rights and freedoms, used as grounds for processing special categories of data, or relied upon by public authorities
Why is consent problematic as a legal basis for employer <> employee relationships?
It’s difficult to prove due to the imbalance of power between the roles.
Processing of employee data may be unlawful or unfair under local law even if the employee has consented.
However, under some local labour laws, employers are obligated to obtain consent to process employee personal data.
Where sensitive personal data on employees is collected and processed, employers must comply with one of the exceptions specified in Article 9 of the GDPR.
To establish, exercise or defend legal claims;
To carry out obligations and exercise specific rights under employment, social security and social protection law;
Consent is not likely to be legal grounds for processing sensitive employee data.
When might “to establish, exercise or defend legal claims” apply as an exception to processing employee special category data?
It may be necessary, such as to defend an employee’s claim of unfair dismissal.
What are the considerations when “carrying out obligations and exercising specific rights under employment, social security and social protection law” is relied upon as an exception for processing employee special category data?
Where authorised by the EU or member state law/collective agreement
In a number of jurisdictions, employment and labour laws restrict the extent to which sensitive employee data can be processed
Local data protection authorities may issue authorisations for specific processing activities
Local laws may affect retention obligations, requiring an employer to retain employee data - for example…
Records relating to health and safety checks under health and safety laws.
If obligated, these records should be archived and access limited.
What would be effective management of a bring your own device (BYOD) programme?
Provide notices to employees explaining the consequences of signing up to BYOD and outlining the information the organisation will be able to access
Must have a lawful basis for processing personal data
Implement a BYOD policy
Know where data processed via the device is stored and measures required to keep secure
Ensure transfer to company’s server is secure
Know how to manage data held on device once the employee leaves the company or the device is lost or stolen
What should a BYOD policy include?
Explanation of how employees can use their own devices and what their responsibilities are
Should align with employment law and GDPR
Protects personal data of individuals such as employees, customers
Protects organisational data such as intellectual property
Enables employee productivity
Mitigates network risks
What are the legal requirements for employee monitoring?
Member state data protection law and local employee law must be considered
An employee’s rights and freedoms must be balanced against the rights of the employer; alternatives to monitoring should always be considered
Prevention methods should be invoked rather than detection, e.g. blocking websites an employer does not want the employee to visit
What types of employee monitoring may be necessary?
Background checks
Data loss prevention (DLP) technology (i.e. tools used to protect IT infrastructure from external or internal threats) or tools that inevitably involve processing personal data
Whistleblowing schemes - U.S. Sarbanes-Oxley Act (2002) - US companies must have a system in place to receive anonymous complaints about potential wrongdoing;
There are conflicting obligations between the US and the EU: the US system is set up to protect the identity of the whistleblower, whereas the EU focuses on protecting the personal data of the accused
To monitor employees lawfully, employers must make sure that monitoring is…
Necessary (demonstrate why)
Legitimate (is it fair? are there lawful grounds?)
Proportionate (is monitoring proportionate to the issue?)
Transparent (have employees been informed of monitoring?)