Chapter 3A: Employment relationship Flashcards

1
Q

What mix makes compliance in the context of employment difficult?

A

Local employment law and EU data protection law.

2
Q

Under Article 88 of the GDPR, member states may, by law or collective agreements…

A

Provide more specific rules around processing employees’ personal data.

3
Q

Local employment law varies considerably across the EU; true or false?

A

True

4
Q

An employer may be obligated to communicate with a trade union or works council. Considerations…

A

Works councils can have considerable power over the processing of employees’ personal data.

Compliance may require notifying, consulting with, and seeking approval from them.

5
Q

Compliant legal bases for processing employee data can include…

A

Fulfilment of an employee contract

Legal obligation

Legitimate interests

Consent(?)

6
Q

Fulfilment of an employee contract - example for relying on this basis…

A

Collecting and using bank account information to process salaries

7
Q

Legal obligation - example for relying on this basis…

A

Sharing salary information with tax authorities (this must be an obligation under EU/member state law to count)

8
Q

Legitimate interests - example for relying on this basis…

A

Migrating employee information from one data management system to another

This cannot be adverse to employees’ rights and freedoms, be used as grounds for processing special categories of data, or be relied upon by public authorities.

9
Q

Why is consent problematic as a legal basis for employer <> employee relationships?

A

It’s difficult to prove due to the imbalance of power between the roles.

Processing of employee data may be unlawful or unfair under local law even if the employee has consented.

However, under some local labour laws, employers are obligated to obtain consent to process employee personal data.

10
Q

Where sensitive personal data on employees is collected and processed, employers must comply with one of the exceptions specified in Article 9 of the GDPR.

A

To establish, exercise or defend legal claims;

To carry out obligations and exercise specific rights under employment, social security and social protection law;

Consent is not likely to be legal grounds for processing sensitive employee data.

11
Q

When might “to establish, exercise or defend legal claims” apply as an exception to processing employee special category data?

A

It may be necessary, such as to defend an employee’s claim of unfair dismissal.

12
Q

What are the considerations when “carrying out obligations and exercising specific rights under employment, social security and social protection law” is relied on as an exception for processing employee special category data?

A

Where authorised by the EU or member state law/collective agreement

In a number of jurisdictions, employment and labour laws restrict the extent to which sensitive employee data can be processed

Local data protection authorities may issue authorisations for specific processing activities

13
Q

Local laws may affect retention obligations, requiring an employer to retain employee data - for example…

A

Records relating to health and safety checks under health and safety laws.

If obligated, these records should be archived and access limited.

14
Q

What would be effective management of a bring your own device (BYOD) programme?

A

Provide notices to employees explaining consequences of signing up to BYOD and outlining the info the org will be able to access

Must have a lawful basis for processing personal data

Implement a BYOD policy

Know where data processed via the device is stored and measures required to keep secure

Ensure transfer to company’s server is secure

Know how to manage data held on device once the employee leaves the company or the device is lost or stolen

15
Q

What should a BYOD policy include?

A

Explanation of how employees may use their own devices, and their responsibilities

Should align with employment law and GDPR

Protects personal data of individuals such as employees, customers

Protects organisational data such as intellectual property

Enables employee productivity

Mitigates network risks

16
Q

What are the legal requirements for employee monitoring?

A

Member state data protection law and local employee law must be considered

An employee’s rights and freedoms must be balanced against the rights of the employer; alternatives to monitoring should always be considered

Prevention methods should be preferred over detection, e.g. blocking websites an employer does not want the employee to visit

17
Q

What types of employee monitoring may be necessary?

A

Background checks

Data loss prevention (DLP) technology (i.e. tools used to protect IT infrastructure from external or internal threats) or tools that inevitably involve processing personal data

Whistleblowing schemes - U.S. Sarbanes-Oxley Act (2002) - US companies must have a system in place to receive anonymous complaints about potential wrongdoing;
there are conflicting obligations between the US and the EU - the US regime is set up to protect the identity of the whistleblower, whereas the EU focuses on protecting the personal data of the accused

18
Q

To monitor employees lawfully, employers must make sure that monitoring is…

A

Necessary (demonstrate why)

Legitimate (is it fair? are there lawful grounds?)

Proportionate (is monitoring proportionate to the issue?)

Transparent (have employees been informed of monitoring?)