Chapter 3A: Employment relationship Flashcards
What mix makes compliance in the context of employment difficult?
Local employment law and EU data protection law.
Under Article 88 of the GDPR, member states may, by law or collective agreements…
Provide more specific rules around processing employees’ personal data.
Local employment law varies considerably across the EU; true or false?
True
An employer may be obligated to communicate with a trade union or works council. Considerations…
Works councils can have considerable power over the processing of employees’ personal data.
Compliance may require notifying, consulting with, and seeking approval from them.
Compliant legal bases for processing employee data can include…
Fulfilment of an employee contract
Legal obligation
Legitimate interests
Consent(?)
Fulfilment of an employee contract - example for relying on this basis…
Collecting and using bank account information to process salaries
Legal obligation - example for relying on this basis…
Sharing salary information with tax authorities (this must be an obligation under EU/member state law to count)
Legitimate interests - example for relying on this basis…
Migrating employee information from one data management system to another
This basis cannot be adverse to employees’ rights and freedoms, used as grounds for processing special categories of data, or relied upon by public authorities.
Why is consent problematic as a legal basis in the employer-employee relationship?
It’s difficult to prove due to the imbalance of power between the roles.
Processing of employee data may be unlawful or unfair under local law even if the employee has consented.
However, under some local labour laws, employers are obligated to obtain consent to process employee personal data.
Where sensitive personal data on employees is collected and processed, employers must comply with one of the exceptions specified in Article 9 of the GDPR.
To establish, exercise or defend legal claims;
To carry out obligations and exercise specific rights under employment, social security and social protection law;
Consent is not likely to be legal grounds for processing sensitive employee data.
When might “to establish, exercise or defend legal claims” apply as an exception to processing employee special category data?
It may be necessary, such as to defend an employee’s claim of unfair dismissal.
Considerations when relying on “carrying out obligations and exercising specific rights under employment, social security and social protection law” as an exception for processing employee special category data…
Where authorised by the EU or member state law/collective agreement
In a number of jurisdictions, employment and labour laws restrict the extent to which sensitive employee data can be processed
Local data protection authorities may issue authorisations for specific processing activities
Local laws may affect retention obligations, requiring an employer to retain employee data - for example…
Records relating to health and safety checks under health and safety laws.
If obligated, these records should be archived and access limited.
What would be effective management of a bring your own device (BYOD) programme?
Provide notices to employees explaining the consequences of signing up to BYOD and outlining the information the organisation will be able to access
Must have a lawful basis for processing personal data
Implement a BYOD policy
Know where data processed via the device is stored and the measures required to keep it secure
Ensure transfer to the company’s server is secure
Know how to manage data held on device once the employee leaves the company or the device is lost or stolen
What should a BYOD policy include?
Explanation of how employees can use their own devices and what their responsibilities are
Should align with employment law and GDPR
Protects personal data of individuals such as employees, customers
Protects organisational data such as intellectual property
Enables employee productivity
Mitigates network risks