Source folder: Data Protection - GDPR
Source file: 20180509 DPO Course - Session 2b.pdf
File type: PDF document
5/13/2018
A Look at the Obligations Imposed on Employers and the New Employee Rights Under the GDPR
Dr. Christine Calleja
Senior Associate, Mamo TCV Advocates
May 2018
What is the aim of Data Protection Legislation in Employment?
- Creating a balance between the legitimate interests of the employer and the reasonable privacy expectations of employees.
- More advanced technology - greater risks of invasion of privacy of the individual.
Modern Risks to Employee Privacy
- Data processing technologies have become cheaper;
- New forms of processing and tracking have become less visible to employees;
- Blurring of lines between home and work - working remotely.
Stages of Employment...
Data Protection issues can arise in all 3 stages:
- Recruitment/Interviewing stage;
- During Employment;
- Post-employment.
What is Protected?
'Personal Data' - No need to be identified by name - the data subject can be identifiable:
"...directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Principles of Processing Data (Art. 5)
- Data processed for specified and legitimate purposes;
- Limit purpose of processing;
- Apply proportionality and subsidiarity;
- Be transparent with employees about use and purpose;
- Enable data subject to access data and rectify;
- Keep data accurate and not longer than necessary;
- Protect against unauthorised access.
Legal Basis for Processing (Art. 6):
When processing, at least 1 criterion needs to be present:
- Data subject has given his consent;
- Necessary for performance of a contract;
- Necessary for compliance with legal obligation;
- Necessary to protect the vital interests of data subject or another person;
- Necessary for performance of a task carried out in the public interest;
- Necessary for the purposes of the legitimate interests pursued by the controller or by a third party - except when this is overridden by interests/rights of data subject.
Can Consent be a Valid Basis?
- In other non-employment scenarios - yes;
- Consent - "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
Can Consent be a Valid Basis?
- In employment - can it be freely given?
- Employee is 'dependent' on the employer - imbalance of power in the employment relationship.
- There can be no genuine choice on part of the employee - therefore consent cannot be legal basis.
- Consent by data subject can be withdrawn at any time - unfeasible for employer to rely on this.
Can Consent be a Valid Basis?
- Certain limited instances where there is no other legal basis to process, ex. filming at the place of work / use of photos for social events.
- In such a case - consent may be a legitimate basis to process as the employee has a choice as to whether to accept or not without suffering any consequences.
Legitimate Basis to Process:
- Necessary for the performance of a contract;
- Necessary to comply with a legal obligation;
- Necessary for the purposes of the legitimate interests pursued by the employer - importance of proportionality with legitimate interests of data subject.
Legitimate Interest Ground
- Purpose must be legitimate (ex. security reasons);
- Chosen method or technology for processing must be necessary for the legitimate interest of the employer;
- Processing must be proportionate to the business needs;
- Processing should be carried out in the least intrusive manner possible.
Information to be Provided:
Not only must the employer identify a legitimate basis for data processing but the following information must also be provided:
i. Identity & contact details of controller;
ii. Contact details of data protection officer (if applicable);
iii. Purpose and legal basis for processing;
iv. Legitimate interests pursued (if this is legal basis);
v. Recipients or categories of recipients;
vi. Intention to transfer data to third country or international organisation (if applicable).
More Information to be Provided:
Data retention period or criteria used to determine the period:
i. Existence of the right to request access to data / rectification or erasure of data / restrict processing or object to processing;
ii. Right to lodge a complaint with supervisory authority;
iii. Whether providing personal data is a contractual or legal requirement or necessary to enter into a contract & consequences of failure to provide data;
iv. Existence of automated decision making.
Transparency:
- New technologies - allow collection and processing in more secretive ways = greater need for transparency.
- Important to inform employees about existence of any monitoring, the purpose for which data is to be processed etc;
- How? Employment contract itself or through specific policies;
Recruitment Stage:
- Using social media to view profiles of candidates for employment - is it permissible?
- Can the employer keep the data collected during an interviewing process? If yes - for how long?
- Can the employer require candidates to 'add' him/her on social media profiles?
Monitoring During Employment
- Development of potentially more intrusive means of monitoring - not only monitoring of email or website use;
- Monitoring all online activity of employees - disproportionate interference with data subjects' rights.
- Importance of written policies re monitoring - allows employees to adapt their behaviour.
- Consider - proportionality + acceptable use policies.
Monitoring at the Workplace
- Necessity to protect network and preventing unauthorised access or data leakage - employer might implement measures to monitor online activity of employees;
- Good practice:
  - provide alternative unmonitored access for employees ex. free WiFi for private usage;
  - No interception of certain kind of traffic ex. online banking and health websites;
  - Clear policy about acceptable and unacceptable use of the network and facilities;
  - If possible block certain websites as opposed to monitoring use.
Monitoring ICT use Outside the Workplace:
- Remote working - may result in breaches to employer's security / loss of information etc - what means are permissible to monitor activity?
- Bring Your Own Device (BYOD) - can lead to employers processing non-business related information;
- Mobile Device Management (MDM) - enables employers to locate devices remotely and even delete data on demand.
- Tracking of vehicles used by employees for work purposes - duty to inform and switch off tracking after working hours.
Monitoring Cont:
Ownership of an electronic means does not necessarily mean that the employees do not enjoy the right to secrecy of their communications, related location data and correspondence.
Prohibiting all communications for personal reasons is not practical & might require a high level of monitoring which is disproportionate.
Processing Using Video Monitoring Systems:
- Collecting recognisable images from CCTV - processing personal data.
- New technological developments - reduction in camera size; increased capabilities; new video analytics;
- Privacy issues resulting from CCTV - continuously monitoring behaviour of employee;
Lawful use of CCTV:
- Reason - is the use justified? What images will be captured and why?
- Inform of use of CCTV and reason for use;
- Retention period needs to be justified;
- Right of individual to request footage (in certain cases);
- Ensure security contractors abide by data protection laws as well.
Limitations to be imposed on specific monitoring:
- Limitations ensure that employees' privacy is not violated:
- Limitations can be:
  - Geographical ex. monitoring only certain places;
  - Data-Oriented ex. no monitoring of personal files and communications;
  - Time-Related ex. sampling instead of continuous monitoring.
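As an added illustration (not part of the presentation), the following Python sketch applies the deck's good-practice points for workplace monitoring and its three monitoring limitations to constructed web-proxy records: it ignores the unmonitored guest network (geographical), drops banking and health traffic and keeps only hostnames rather than full URLs or content (data-oriented), counts blocked categories without a per-user record (block rather than monitor), and samples instead of logging continuously (time-related). The log format, network names, hostnames and category feed are assumptions.

```python
# Added example (not from the deck); log format, networks, hosts and categories are assumed.
# Applies the deck's geographical, data-oriented and time-related monitoring limits.
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_LOG = [  # constructed records: timestamp, source network, user, URL
    "2018-05-09T09:01:00 corp alice https://mail.example/inbox?msg=42",
    "2018-05-09T09:02:00 guest-wifi bob https://bank.example/accounts/123",
    "2018-05-09T09:03:00 corp carol https://bank.example/login",
    "2018-05-09T09:04:00 corp dave https://health.example/results?id=7",
    "2018-05-09T09:05:00 corp erin http://games.example/play",
    "2018-05-09T09:06:00 corp frank https://intranet.example/hr/contract.pdf",
]
CATEGORY_BY_HOST = {  # assumed category feed (a deployment would use its URL filter's)
    "bank.example": "banking", "health.example": "health", "games.example": "games",
    "mail.example": "webmail", "intranet.example": "internal"}
MONITORED_NETWORKS = {"corp"}               # geographical: not the private Wi-Fi
PRIVATE_CATEGORIES = {"banking", "health"}  # data-oriented: never intercepted
BLOCKED_CATEGORIES = {"games"}              # blocked at the proxy instead of monitored

@dataclass(frozen=True)
class Retained:
    ts: str
    user_ref: str  # keyed hash: reviewers see a pseudonym, not a name
    host: str      # hostname only, no path, query string or content
    category: str

def pseudonymise(user: str, secret: bytes) -> str:
    return hashlib.blake2s(user.encode(), key=secret, digest_size=8).hexdigest()

def minimise(lines, secret: bytes, sample_every: int = 2):
    """Return (retained records, count of blocked requests)."""
    retained, blocked, eligible = [], 0, 0
    for line in lines:
        ts, network, user, url = line.split()
        if network not in MONITORED_NETWORKS:
            continue                        # geographical limitation
        host = urlsplit(url).hostname or ""
        category = CATEGORY_BY_HOST.get(host, "uncategorised")
        if category in PRIVATE_CATEGORIES:
            continue                        # no interception of banking/health
        if category in BLOCKED_CATEGORIES:
            blocked += 1                    # count only, no per-user record
            continue
        eligible += 1
        if eligible % sample_every:         # time-related: sample, not continuous
            continue
        retained.append(Retained(ts, pseudonymise(user, secret), host, category))
    return retained, blocked
```

The retained records carry a pseudonym, a hostname and a category, which is enough to detect misuse by category without analysing content; the secret key stays with whoever is authorised to re-identify a pseudonym.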
New Forms of Monitoring...
- Monitoring IT usage - less visible monitoring tools vs traditional CCTV systems;
- Employees may be less aware of existence & consequences of monitoring - not able to exercise their rights;
- Undue pressure on employees to behave in a certain manner;
- Extensive use of monitoring - risk to internal whistle-blowers.
Monitoring of employees....
- What is permissible?
Barbulescu v Romania - Employee Monitoring
- Case decided by the Grand Chamber of the ECHR - 5th September 2017;
- Employee dismissed after sending private messages at work using the Yahoo messenger system set up for work purposes;
- Employer monitored and recorded messages and used them against the employee in disciplinary proceedings;
- Was the right to private life violated?
Barbulescu v Romania
- Guidance:
- Notification in advance of the monitoring;
- Extent of the monitoring and degree of intrusion;
- The legitimate reasons of the employer to implement monitoring;
- Whether a less intrusive system of monitoring was available;
- The consequences for the employee and use;
- Safeguards not to access actual content.
Subject Access Requests
- Right of data subjects (incl. employees) to obtain a copy of information the controller holds about them;
- Employer should have a procedure in place as to how to handle such requests and how to respond.
- Also - right to obtain a rectification of inaccurate personal data.
Right to be Forgotten
- Retain data only for as long as necessary;
- What is 'necessary'?
- During employment - for the duration;
- After employment? - Any legal obligations to keep data? What data to keep? And for how long?
- What about details of candidates?
Proportionality and Data Minimisation:
- Processing must be a proportionate response to the risks faced by the employer ex. detecting internet misuse without analysing content.
- Prevention vs detection of misuse;
- Data minimisation and short retention period of data collected;
Data Retention Periods
For how long should employee data be retained?
- In some cases - the law specifies a time period;
- In most cases - employer keeps data to protect itself from a legal claim;
- Contractual claims - 5 years prescriptive period (data such as reports in case of an accident);
- Health & Safety Regulations - specific time periods to keep data relating to occupational health and safety.
In Summary:
- Irrespective of technology used keep in mind fundamental data protection principles;
- Contents of electronic communications made from business premises enjoy same rights protections as analogous communications;
- Consent is unlikely to be a legal basis for data processing at work unless employee can refuse without adverse consequences;
Cont:
- Legal Basis in Employment - performance of a contract + legitimate interests as long as there is a legitimate purpose and proportionality;
- Monitoring employees to receive information.
- International data transfers - adequate level of protection must be ensured.
Way Forward...
- Review and update current data protection policies & practices;
- Review use of employee data (including contracts of employment) & ways in which data is processed and stored;
- Review employee monitoring and IT practices;
- Implement procedures for reporting future data breaches;
- Consider a Data Protection Privacy Impact Assessment at the workplace.
Thank You for Your Attention
Mamo TCV Advocates
Palazzo Pietro Stiges
103, Strait Street
Valletta VLT1436
Malta
www.mamotcv.com
www.gdprmalta.com
T: (+356) 25 403 000
F: (+356) 21 244 291
E: info@mamotcv.com