Employment relationship

Question 1

Is GDPR the only law regulating processing of employees personal data?

Answer 1

No, GDPR allows MS to provide more specific rules
Rules must include suitable and specific measures to safeguard the DS’s human dignity, legitimate interests and fundamental rights with particular regard to:
the transparency of processing
transfer within a group of undertakings or enterprises engaged in a joint economic activity
monitoring systems at workplace

Question 2

If a MS implements national law, who does it have to notify?

Answer 2

European Commission

Question 3

Does employer need to ensure data processing in accordance with all aspects of GDPR?

Answer 3

Yes, including the right to access

Question 4

What are the most common legal grounds to process Employee’s data?

Answer 4

fulfilment of employment contract
compliance with legal obligation to which the employer is subject
legitimate interests

Question 5

Why is consent not an appropriate ground?

Answer 5

Employees don’t have genuine freedom due to the unequal balance power in a relationship.
If consent is withdrawn the employer will not be able to further process PD lawfully

Question 6

Is consent always possible?

Answer 6

No, MS law may stipulate consent can not be given for particular type of processing or particular PD or processing could be disproportionate

Question 7

Example of processing necessary to fulfill employment contract

Answer 7

E’s name, bank details to pay salary
Use of Employer’s communications systems

Question 8

Example of processing necessary for a legal obligation

Answer 8

To provide salaries details to tax authorities - it must be EU/MS law

Question 9

Legitimate interests and public authorities

Answer 9

PA can rely on LI only when processing is not for performance of public authority’s task

Question 10

What legal ground can the employer rely on for processing of employee’s sensitive data?

Answer 10

to carry out obligation and exercise specific rights under employment, social security and social protection law under EU, MS law or collective agreement.

Question 11

Does an employer need to provide notice to the employees?

Answer 11

yes, regardless of lawful ground
through employee handbook, specific notification document

Question 12

How long can an employer store employees PD?

Answer 12

For the duration of the employment, afterwards depending on different local laws (labour, tax, social security, health&safety)
The data on former employees must be securely archived.

Question 13

Is employer allowed to compile a blacklist through a background check?

Answer 13

No, BL are generally illegal as considered to be a significant intrusion into a person’s privacy. .

Question 14

What are DLP technologies?

Answer 14

Data loss protection tools to protect Business’s IT infrastructure and confidential business information from external and internal threats
They inevitably involve processing of PD of employees and 3rd parties as they operate on NW and systems used by employees and are considered a form of monitoring

Question 15

Which DP principles are particularly important with employee monitoring

Answer 15

Legitimacy - lawful grounds, fairness
Necessity - monitoring must be really necessary
Proportionality
Transparency - inform employees

must be held securely and only accessed by those who have a legitimate reason to view it
it should be deleted when no longer needed

Question 16

Explain necessity principle

Answer 16

Employer must consider if the monitoring activity is really necessary for the purpose and there are no other less intrusive methods of supervision

Question 17

When is DPIA required for monitoring?

Answer 17

high risk to the R&F of individuals
DPIA will help determine if the monitoring is really required and proportionate
If the monitoring amounts to a systematic and extensive evaluation of personal aspect of individual that is based on automated processing and on which decisions are based that produce legal effects or have similarly significant affect on individuals
e.g. use of DPL SW, systematically observing employee’s activities by monitoring their workstations and internet activity

Question 18

Explain legitimacy principle

Answer 18

Employer needs a lawful basis for monitoring
legitimate interests - balancing test
consent is not appropriate

Question 19

When could monitoring of sensitive data could be allowed?

Answer 19

Necessary for the purposes of carrying out specific obligations and exercising specific rights of the employer according to employment, social security and social protection law authorized by EU or MS law or collective agreement + adequate safeguards

guidance on EU and local law

Question 20

Is screening emails to detect viruses and filter unsolicited commercial emails justified?

Answer 20

It could be, as part of ensuring appropriate security measures

Question 21

Convention related to Court of Justice of EU=CJEU

Answer 21

Charter of Fundamental Rights

Question 22

Convention related to European Court of Human Rights (ECtHR)

Answer 22

European Convention on Human Rights (ECHR)

Question 23

Explain proportionality principle

Answer 23

Is proposed monitoring proportionate to the employer’s concern?
linked to the principle of data minimisation - PD must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
e.g. monitoring emails should be limited to the traffic data generated by emails, content of emails should not be monitored

Question 24

Transparency

Answer 24

Employer must provide notice to employees about monitoring activity:
- to satisfy notice requirement under GDPR
- to set employees’ expectations about how their time at work will be monitored
Accepted use policy - how much private use of employer equipment is necessary

Question 25

Is covert monitoring permitted?

Answer 25

No, except where permitted by local law, e.g. where specific criminal activity by the employee has been identified

Question 26

What info employers should provide to employees - general?

Answer 26

- Policy which describes to which extent employees may use communication facilities owned by the company for personal/private use/communications (email, internet) - reasons/purposes for which surveillance is carried out - details of surveillance measures taken - enforcement procedures in case of breaches - notification of the employee and how they can respond

Question 27

What info employers should provide to employees - email?

Answer 27

- can email account be used for private use; employer recommends the use of a private webmail account for purely personal use - situations where the employer's email can be accessed - unexpectedly absent from work - the storage period for backup copies of messages - when emails are definitely deleted from the server involvement of worker's representatives in formulating the policy

Question 28

What info employers should provide to employees - internet use?

Answer 28

- conditions on which private use of internet is permitted - specifying material that can't be viewed or copied - systems implemented to prevent access to certain sites and detect misuse - is content viewed or recorded, - what use will be made of any data collected - involvement of employer's representatives

Question 29

Examples of unlawful monitoring?

Answer 29

- collection of sensitive data - particularly intrusive - covert surveillance - access of private communications of employees even if through work-related email account Fines, criminal offenses

Question 30

What are works councils

Answer 30

In certain jurisdictions bodies that represent employees and have certain rights under local law that affect the use of emnployee data by employers safeguard employees' rights (incl. data protection and privacy)

Question 31

Ways of engagement with works councils

Answer 31

Notification - changes in working environment that will affect employee working conditions Consulting - about proposed data processing activity; opinion non-binding - Approval - right to approve or reject certain decisions

Question 32

What is SOX?

Answer 32

U.S. Whistleblowing law - a company is required to facilitate the ability of employees to make allegations of wrongdoing must receive and deal with complaints about actual or potential fraud from misappropriation of assets or material misstatements in financial reports

Question 33

Where can WB laws and data protection laws conflict?

Answer 33

DP law limit the use of personal data due to the potential prejudice to individuals

Question 34

How can a company adhere with a WB law?

Answer 34

policy that reinforces a strong adherence to internal controls encouraging to report knowledge of potential or actual fraud confidentiality and protection of WB independent 3rd party hotline provider available to employees

Question 35

EU WB directive

Answer 35

implementation Dec 2021 companies and government bodies must establish an internal WB system

Question 36

Safeguards the employer must introduce when implementing the WB scheme

Answer 36

DPIA cooperation with work councils if required under local law processing contracts international transfers consent, if required DPA policy implementation of WB policy and procedures, explaining also how their PD will be used employees rights under DP law must be protected

Question 37

elements of WB policy

Answer 37

- persons entitled to report should be limited to those who are in a position to know about the potential conduct of incriminated person - individuals who may be incriminated should be limited to those who are known by the persons reporting - WB must remain confidential but the anonymity should be discouraged - the scope of reportable matters should be limited to those who can realistically affect the organization's corporate governance reports should be subject to an objective, confidential and unbiased investigation strict data retention periods; unsubstinatiated reports should be deleted immediately the company should be clear how the WB scheme is operated rights of incriminated persons - define situations where DP rights could be limited (notifying the individual could jeopardize the ability to investigate) - security of reports - specific information security policy Transfers outside EEA