GDPR and its significance in employment


Academic year: 2022


(1)

13 November 2018

(2)

GDPR IN EMPLOYMENT

1. GDPR - BRIEF OVERVIEW

2. GDPR - MAIN AREAS OF SIGNIFICANCE AND CONTROVERSY

3. GDPR COMPLIANCE – WHAT TO DO?

(3)

GDPR IN NORWAY

• EU: 25 May 2018

• Norway: 20 July 2018

(4)

GDPR

• General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council

• Most significant development in EU data protection law for last 20 years

• From data room to board room:

“GDPR marks evolution from technical area to topic of broad business relevance”

(5)

GDPR

• GDPR has duties for employers and rights for employees

• Important basic principles continue from the Data Protection Directive 95/46/EC

• Heavier sanctions (up to MEUR 20, or 4% of turnover)

• Scalable framework - means that employers should take steps to ensure compliance where they may be exposed

(6)

WHY RELEVANT FOR EMPLOYMENT?

Personal data is defined in GDPR Article 4 no. 1:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

(7)

WHY RELEVANT FOR EMPLOYMENT?

Special categories of personal data are defined in GDPR Article 9 no. 1:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”

(8)

WHY RELEVANT FOR EMPLOYMENT?

Data controller is defined in GDPR Article 4 no. 7:

“means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

(9)

GDPR

Diagram: EMPLOYEE = «DATA SUBJECT»

(10)

GDPR

Diagram: EMPLOYEE = «DATA SUBJECT»; EMPLOYER = «DATA CONTROLLER»

(11)

GDPR

Diagram: EMPLOYEE = «DATA SUBJECT»; EMPLOYER = «DATA CONTROLLER»; SUPPLIER = «DATA PROCESSOR»

(12)

GDPR - IMPACT ON EMPLOYERS

• Lawfulness, fairness and transparency: process data only if legal and be fair and transparent

• Purpose limitation: process personal data only for specific, explicit and legitimate purposes

• Data minimisation: ensure that the data is relevant, adequate and limited to what is necessary for the purposes

• Accuracy: the data must be accurate and up to date

• Storage limitation: do not keep it longer than necessary for the purpose

• Integrity and confidentiality: keep the personal data safe & secure

• Accountability: the data controller is responsible

(13)

ONLY GDPR?

Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship

GDPR Article 88 No. 1

(14)

Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place

GDPR Article 88 No. 2

(15)

Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees’ personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship

GDPR Recital 155

(16)

LEGAL SOURCES

GDPR (99 Articles, 173 Recitals)

Article 29 Working Party (Guidelines, Opinions - Opinion 2/2017 on data processing at work)

European Data Protection Board

Data Protection Authorities of other European countries (e.g. ICO)

Norwegian Personal Data Act (LOV-2018-06-15-38)

Personal Data Regulations (FOR-2018-06-15-876)

Transitional Regulations (FOR-2018-06-15-877)

Regulations on Camera Surveillance at Work (FOR-2018-07-02-1107)

Regulations on Employer’s Access to Employees’ Email, etc. (FOR-2018-07-02-1108)

Norwegian Data Protection Authority (Datatilsynet)

Norwegian Privacy Appeals Board (Personvernnemnda)

(17)

MAIN AREAS OF SIGNIFICANCE AND CONTROVERSY

(18)

1. LEGAL BASIS

• Consent from employee

• Legal obligation

• Employment contract

• Legitimate interest of employer

(19)

WP29 ABOUT LEGAL BASIS

“As a general rule, a processing activity for one specific purpose cannot be based on multiple lawful bases.

Nonetheless, it is possible to rely on more than one lawful basis to legitimise processing if the data is used for several purposes, as each purpose must be connected to a lawful basis”

“Controller must have identified these purposes and their appropriate lawful bases in advance”.

“Lawful basis cannot be modified in the course of processing.”

“It is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent.”

(20)

GDPR ARTICLE 4 (11)

Consent of the employee means any:

• Freely given

• Specific

• Informed

• Unambiguous indication

(21)

WP29 - ABOUT CONSENT

• “Imbalance of power also occurs in the employment context”

• “For example, activating monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure”

(22)

WP29 - EXAMPLE OF VALID CONSENT

A film crew is going to be filming in a certain part of an office.

The employer asks all the employees who sit in that area for their consent to be filmed, as they may appear in the background of the video.

Those who do not want to be filmed are not penalised in any way but instead are given equivalent desks elsewhere in the building for the duration of the filming.

(23)

WHEN IS CONSENT VALID?

• Consent can only be valid if the employee is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if the employee does not consent.

• Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.

(24)

EMPLOYER LEGITIMATE?

• To rely on the legitimate interest ground to process employee data, the processing must be strictly necessary for a legitimate purpose and must be proportionate to the business need.

• A proportionality test should be carried out prior to e.g. the deployment of any monitoring tool to consider whether all data are necessary, whether the processing outweighs the general privacy rights that employees have in the workplace, and whether appropriate measures have been put in place to ensure a balance with the rights and freedoms of employees.

(25)

WHICH LEGAL BASIS TO USE?

• For the majority of data processing at work, consent cannot form a valid legal basis because of the imbalance of power between employers and employees.

• Valid legal grounds may include:

- processing necessary for the performance of the employment contract (e.g. payment of salary).

- processing data in connection with obligations imposed by law (e.g. processing for tax calculation and salary administration).

- processing necessary for the purposes of the legitimate interests pursued by the employer (e.g. IT outsourcing).

(26)

2. RECRUITING

• In the context of recruiting, employers are allowed to collect job applicants’ personal data only to the extent that such collection is necessary and relevant to the performance of the job.

• Employers also must be able to justify a legitimate interest to inspect applicants’ social media profiles, taking into account whether it is related to business or private purposes.

(27)

3. MONITORING

• Employees must be informed of the existence of any monitoring and the purposes for the monitoring. Policies relating to workplace monitoring must be clear and readily accessible.

• With regard to Bring Your Own Device (“BYOD”) policies, employers should implement measures to prevent extensive device monitoring, as processing in this context may be unlawful if it captures data relating to the employee’s private and family life.

(28)

4. TECHNOLOGY

• Employers must take the principle of data minimization into account when deciding on the deployment of new technologies.

• Information should be stored for the minimum amount of time necessary and deleted when no longer needed, and the employer should have a specified retention period.

(29)

4. TECHNOLOGY

• Health data processed by wearable devices should be accessible only to the employee and not the employer. The reason for this is that data in this context is unlikely to be truly anonymous and employees are not able to provide “free” consent to an employer.

• Employers should refrain from the use of facial recognition technologies in the context of video analytics at the workplace, as this may be deemed disproportionate.

• The employer should inform employees about the use of vehicle telematics, collecting data both about the vehicle and the employee using the vehicle (e.g. GPS tracking, driving behavior), and offer an opt-out (e.g., ability to temporarily turn off location) if the private use of a professional vehicle is allowed.

(30)

GDPR COMPLIANCE – WHAT TO DO?

(31)

GDPR COMPLIANCE – WHAT TO DO?

Review legal basis for processing of employee data

Change employment contracts

Update employee privacy policies and candidate privacy notices

Review data protection policies including routines for employee requests and routines for data breach response

Appoint a data protection officer

Verify data processing agreements including cross-border data transfers

Ensure that staff is provided with training

(32)

jsm@schjodt.no
