CIPPE Module 8 - Compliance Considerations Flashcards

1
Q

In the EU, what laws besides GDPR has an impact on employee personal data processing?

A

Employee data processing (in the context of employment) is governed by
a) GDPR
b) Local data protection law
c) Local employment law

Article 88 permits member states to pass additional laws to safeguard employee data.

2
Q

What are lawful bases for collecting and processing employee data?

A
  1. Fulfilment of an employment contract (e.g. bank info to pay employees)
  2. Legal obligation (e.g. tax information)
  3. Legitimate interests of the employer (cannot be adverse to employee rights)
  4. Consent (Freely given consent is difficult to prove in an inherently unequal power relationship).
3
Q

Can employers process employees’ sensitive data (e.g. Article 9 data)?

A

Generally no! However, in some narrow cases it may be necessary:
a) Explicit consent (per Article 9) is required
b) Processing needed for the establishment, exercise or defence of legal claims
c) The local supervisory authority may need to give explicit approval.

4
Q

How do local works councils affect data processing?

A

In some countries (e.g. Germany), local employment law requires employers to notify the works council about employee data processing, and in some cases to seek its approval.
Works councils may or may not be cooperative.

5
Q

How does BYOD affect compliance with GDPR?

A
  1. Employers remain controllers for any personal data processed on the employee’s device (e.g. employers may put monitoring capabilities on that device, collecting data about employees’ habits).
  2. Could result in data breaches - e.g. customer data may be leaked via the employee’s device.
  3. Employers must establish a clear BYOD policy (the policy should a) align with the law, b) protect personal data, c) protect organizational data, d) mitigate network risks).
  4. Employers must understand where the data processed by a BYOD device resides and protect it (e.g. disk encryption, secure data transfer, DLP tools, MDM software, remote wipe).
6
Q

How does GDPR affect workplace monitoring?

A

Employers may have a legitimate interest in monitoring employees - e.g. to detect policy violations.
Member state data protection law and local employment law may have specific restrictions on employee monitoring systems.
The employer’s interest may have to be balanced against employees’ privacy rights.
Prevention is better than detection (e.g. blocking certain websites rather than monitoring visits to them).

7
Q

What are the key characteristics of lawful employee monitoring?

A
  1. Necessary - is a less intrusive method possible? A DPIA may be needed.
  2. Proportional - principle of data minimization.
  3. Transparent - inform employees ahead of time (e.g. at the time of the employment offer; publish an AUP).
  4. Legitimate - what is the lawful basis?
8
Q

How does GDPR affect whistleblowing (SOX) schemes?

A
  1. There is a tension between the two. In some countries (e.g. France) such schemes were illegal until a few years ago.
  2. WB schemes may violate the privacy of the accused (i.e. the accused is presumed innocent until proven guilty).
  3. WB schemes (in the US) require support for anonymous reporting. However, in the EU, anonymous reporting is discouraged (though not prohibited).
  4. If the report cannot be substantiated, it has to be deleted after a period of time.
  5. The WB scheme may have to be limited to financial/audit fraud, depending on the EU member state. Under some member state laws it cannot be extended to other areas such as workplace safety, discrimination etc. This varies quite a bit between EU states.
  6. Who may be the subject of a report also varies - e.g. only people in positions of power.
  7. The subject of the WB report should have access to it (e.g. they need to be informed) and be able to correct it: right of access and right to rectification.
  8. Transfer to a third country (e.g. the US) needs a legal basis (e.g. BCRs) and security measures.
  9. Transparency is key.
9
Q

What does GDPR say about surveillance?

A
  1. Per Article 23, Union or member state law may permit surveillance for national security, defence or public security in a manner that restricts the rights of individuals.
  2. However, it must respect the essence of fundamental rights and be necessary and proportionate.
  3. May be conducted by public and state agencies (e.g. regulated by LEDP) or private entities (national data protection laws and employment law).
10
Q

What does the ePrivacy Directive regulate? (Directive 2002/58)

A

It regulates the privacy of personal data generated by online/digital communications services (PECN/PECS).
This includes public phone networks and internet services.
Covers content, metadata and location data.
Also known as the cookie directive.
Processing location data requires consent - unless you are a carrier and need the data to offer the service.
Specifies that the confidentiality of the content (communication data) must be ensured.
“Traffic data” (metadata) can be used for billing and some very limited marketing purposes. However, its use for much else is restricted.
Does NOT apply to data passing over private networks (e.g. corporate networks) - however, other monitoring rules may apply (necessity, proportionality, legitimacy and transparency).

11
Q

What are the rules for CCTV processing?

A
  1. Lawfulness - e.g. what is the basis? Legitimate interest? Public interest?
  2. DPIA - may be needed.
  3. Prior checking with the SA.
  4. Proportionality (no zooming, no sound recording).
  5. Information provision (e.g. signage).
  6. Individual rights (e.g. right of access).
  7. Measures to protect personal data and rights - e.g. staff training.
12
Q

How is location data treated by GDPR?

A

Location data is considered an identifier.
If it can be combined with other data to identify someone, then it is personal data.

13
Q

What is direct marketing?

A

Communication/marketing material directed towards a specific individual.
Communications that do not process personal data, or that are purely service related, are not DM.
Regulated by both GDPR and the ePD.
GDPR - regulates communications via all channels, including online (e.g. cookies).
ePD - digital marketing comms (phone, fax, email, SMS/MMS).
GDPR permits individuals to refuse DM - especially where it is based on consent, but also where it is based on legitimate interest.
Some countries may have opt-out registers that advertisers must check against.
Postal marketing is not regulated by the ePD; however, advertisers must conform to the GDPR opt-out requirements.
Under the ePD, person-to-person telemarketing does not require consent, but automated calling does (whether opt-in or opt-out applies is decided by member state law).

14
Q

What is OBA?

A

Online behavioral advertising - ads based on user behavior observed over time.
May be controlled either by the website (e.g. Amazon) or by a third-party advertiser.
Hence, there may be more than one controller (e.g. ad networks, website publisher, advertiser).
Uses cookies to track user activity.
The user is assigned an online ID.
GDPR considers an online ID to be personal data.
The ePD says placing cookies requires user consent.

15
Q

What are the parties in OBA?

A
  1. The website publisher - the owner of the website where the ads appear.
  2. The ad network - connects advertisers and publishers.
  3. The advertisers - work with the ad network to place ads.

In OBA, the ad network is always the one placing the tracking cookies - hence this is a third-party cookie.
The tracking cookie usually has a unique identifier.
The tracking cookie collects information (IP address, websites visited, ads clicked etc.).
The ad network assigns a profile (e.g. avid sports fan) to the identifier.
The ad network and website publisher may both be joint controllers.

16
Q

In OBA, who is the controller?

A
  1. The ad network is usually the controller, since it determines the means of processing.
  2. After the Facebook Fan Page case, advertisers may also be considered controllers, even though they do not get to see any of the personal data.

Since the ad-tech company may sometimes have no direct relationship with the data subject, the privacy notice has to be provided via the website, in tandem with the publisher of the website through which it advertises.