Compliance Considerations (8) Flashcards
What does Article 88 allow member states to do regarding rules around processing of employee data?
To establish - by law or collective agreement - more specific rules around processing employees’ data
must include safeguards to dignity, interests and rights
What 3 elements must be safeguarded in member state rules established under Article 88?
processing in the context of employment
suitable and specific measures to safeguard:
- Human dignity
- Legitimate interests
- Fundamental rights (transparency of processing, transfer of personal data and monitoring in the workplace)
What are the three most common legal bases to process employee personal data?
- Fulfillment of a contract (e.g. bank account info for salaries)
- Compliance with legal obligation (e.g. tax authorities)
- Necessary for legitimate interests (e.g. data management)
consent given in the employment contract is not valid under data protection law
Can consent serve as a legal basis for processing employee data?
Unlikely.
Due to imbalance of power. Where consent is not freely given it is not valid.
Can explicit consent be used as a legal basis for processing employee special category data?
No, not freely given
in some cases it is not possible to lift the prohibition on processing special category data
Under what two legal bases can an employer process special category data?
- Establish, exercise or defend legal claims
- Carry out obligations and exercise specific rights under employment law
Who is responsible for personal data processed on an employee’s device for work-related purposes?
The employer as the controller
What are 5 elements of effective management of a BYOD program?
- Provide notice to employees
- Have a BYOD policy - how employees can use BYOD and responsibilities
- Know where data is stored and measures to keep secure
- Ensure transfer from device is secure
- Offboarding procedure
What are the 4 conditions of lawful monitoring of employees?
Necessary - (ie is there a less intrusive alternative?)
Legitimate - (ie are there lawful grounds?)
Proportional - (ie is it proportionate to the issue?)
Transparent - (ie is the employee informed?)
What are 3 types of monitoring carried out in employment?
Background checks
Data loss prevention
Whistleblowing schemes
What is the best way to determine if an employee monitoring initiative is compliant?
(necessary, legitimate and proportionate)
Conduct a DPIA
What is surveillance?
the observation of an individual or group of individuals
can be covert or open, real-time or stored
(SNA, data mining, aerial, satellite, telecom, biometric, geoloc)
What are the 10 circumstances where the scope of data subject rights can be limited by legislative measure?
Article 23
- national security
- defense
- public security
- crime
- general public interest of the union
- judicial proceedings
- breaches of ethics in regulated professions
- regulatory functions
- protection of rights and freedoms of others
- enforcement of civil claims
What 2 conditions must apply to restrict the scope of data subject rights under Article 23?
Article 23
- respect essence of fundamental rights and freedoms
- necessary and proportionate measure in a democratic society
What does Recital 66 of the Law Enforcement Protection Directive (LEPD) state?
Lawful, fair and transparent personal data processing should not prevent law enforcement authorities from carrying out activities to:
investigate criminal offenses
safeguard public security
What is content data versus metadata in electronic communications?
- Content: content of communication
- Metadata: data about the communication's transmission
What regulation(s) protects the content of e-communication?
Freedom of expression
ePrivacy rules (can't see content without consent of both parties)
What regulation(s) protects the metadata of e-communication?
GDPR
falls within definition of personal data
What regulation sets rules about data passing over public electronic communication networks?
ePrivacy Directive
governs processing of location, content and traffic data
Does the ePrivacy Directive apply to private communications networks?
No
What is required to obtain location data?
ePrivacy Directive
opt-in consent for precise location-based data
(except when data required to provide the service)
What does the ePrivacy Directive require for content data?
Article 5 - confidentiality unless consent from all parties
Article 15 - member states can introduce some exceptions
What does the ePrivacy Directive require for traffic data?
Limit access to traffic data
Can process traffic data for some limited marketing with user’s consent
Does CCTV require prior authorization?
In many countries CCTV triggers requirement to notify local regulator and in some cases seek authorization
When is a DPIA required for CCTV?
high-risk systematic monitoring of publicly accessible area on a large scale
if the processing appears on the supervisory authority's (SA's) list of processing operations that require a DPIA
Is location data within the GDPR definition of personal data?
Yes, if it can be used alone or in combination with other information to identify an individual
What are the 3 main areas of location data identified by Google?
implicit location - search terms
internet traffic - IP
device-based location - Google Maps
What is biometric data?
personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm unique identification
What are the two uses of biometrics systems?
- Identification - who are you
- Authentication - are you who you claim to be
When is biometric data considered special category data (Article 9)?
when the purpose is for uniquely identifying an individual
What is considered direct marketing?
directed to a particular individual
must process personal data to communicate the message
not service-related in nature
Which laws regulate direct marketing?
ePrivacy Directive: marketing over electronic networks (phone, fax, email or SMS)
GDPR: all channels, including online targeting based on browsing history
What right does GDPR establish for direct marketing?
absolute right to object to any form of marketing
What does GDPR require of controllers related to direct marketing?
- notice of right to opt out
- allow individuals to opt out
- honor opt-out requests in a timely fashion and at no cost
- remove personal data and profiling after opt out
- ensure compliance with GDPR