ISACA Privacy Open Forum - GDPR & HR

Privacy Open Forum, Tuesday, 14th of March 2017

Transcript of ISACA Privacy Open Forum - GDPR & HR

Page 1: ISACA Privacy Open Forum - GDPR & HR

Privacy Open Forum

Tuesday, 14th of March 2017

Page 2: ISACA Privacy Open Forum - GDPR & HR

Brussels, 14 March 2017


Page 3: ISACA Privacy Open Forum - GDPR & HR


GDPR & HR

Johan Vandendriessche


Page 4: ISACA Privacy Open Forum - GDPR & HR


Agenda

1. 18:30 Introduction

2. 18:45 GDPR & HR

3. 19:30 Break

4. 19:50 GDPR & HR

5. 20:45 Close

Page 5: ISACA Privacy Open Forum - GDPR & HR


GENERAL OVERVIEW: PRIVACY VS DATA PROTECTION

Page 6: ISACA Privacy Open Forum - GDPR & HR


Privacy

• What is privacy?

• Various sources

• European Convention on Human Rights

• Treaty on the Functioning of the European Union (TFEU)

• Charter of Fundamental Rights of the EU

• National (constitutional) legislation

Page 7: ISACA Privacy Open Forum - GDPR & HR


Privacy

• Privacy at work in the EU?

• Telephone calls

• E-mail / use of the Internet and online technology

• The principle of privacy at work has been confirmed by the ECHR and the Article 29 Working Party

• National laws implement privacy at work differently

Page 8: ISACA Privacy Open Forum - GDPR & HR


Data Protection

• Limitations in relation to the processing of personal data

• Personal data: “any information in relation to an identified or identifiable physical person […]”

• The concept of personal data is interpreted very broadly

• Not necessarily sensitive information

• Processing: “any operation or set of operations which is performed upon personal data […]”

Page 9: ISACA Privacy Open Forum - GDPR & HR


Data Protection

• Purpose: impose strict (civil and criminal) liability on the entity that processes the personal data

• Data controller

• Data processor (“service provider”)

• Accountability

• Risk-based approach

Page 10: ISACA Privacy Open Forum - GDPR & HR


Issue

• Privacy vs. work efficiency

• Employee uses employer tools for private purposes

• Employer seeks efficiency and cost reduction

• Right to the protection of privacy remains intact on the work floor

• Employment law

• Authority of the employer

• Mutual respect

Page 11: ISACA Privacy Open Forum - GDPR & HR


Some applications in Belgium

• Pre-employment screening (CBA 38)

• Surveillance on the workfloor

• Internet & e-mail (CBA 81)

• Cameras (CBA 68)

• Theft (CBA 89)

• Drugs and alcohol (CBA 100)

• What about acts outside the work context?

• Criticism on Facebook and freedom of speech?

• Privacy (and secrecy of communications)?

Page 12: ISACA Privacy Open Forum - GDPR & HR


GENERAL PRINCIPLES


Page 13: ISACA Privacy Open Forum - GDPR & HR


GDPR: incomplete framework for HR

• Specific rules for the processing of employee data may be imposed

• CBA

• Member State laws

• Notification duty

• Current restrictions to be maintained?

• Consent restrictions in relation to special categories of data

Page 14: ISACA Privacy Open Forum - GDPR & HR


GDPR: scope

• Material scope

• Automated processing of personal data

• Other processing of personal data forming part (or intended to form part) of a filing system

• Typical application: HR files

• Exceptions

• Not applicable to HR-related processing

Page 15: ISACA Privacy Open Forum - GDPR & HR


GDPR: scope

• Territorial scope

• EU establishment of controller or processor

• Location of processing is irrelevant

• Establishment of controller or processor outside the EU

• Offering of goods or services to data subjects in the EU

• Monitoring of behaviour taking place within the EU

Page 16: ISACA Privacy Open Forum - GDPR & HR


GDPR: scope

• EU based

• Clear situation

• Non-EU based

• Monitoring

• Tracking

• Potential subsequent use of data processing techniques

• Taking decisions concerning him

• Risk?

• Timesheets, absences, illness, …

Page 17: ISACA Privacy Open Forum - GDPR & HR


GDPR: lawfulness of processing

• Employer-employee relation?

• No consent if:

• No genuine or free choice, or inability to refuse without detriment

• Clear imbalance between the parties

• Local legislation and CBAs may provide specific rules

• Consent

• Statement or clear affirmative action

• Mere silence is not sufficient

Page 18: ISACA Privacy Open Forum - GDPR & HR


GDPR: lawfulness of processing

• Consent

• Written declaration: formal requirements impacting the validity of consent

• Separate consent from contractual consent

• Controller has the burden of proof

• Explicit consent is not generally required

• Required for the processing of special categories of personal data

• Specific case: the field of employment

• Right to withdraw consent

• “as easy to withdraw as to give consent”

Page 19: ISACA Privacy Open Forum - GDPR & HR


GDPR: lawfulness of processing

• Contractual necessity

• Performance of a contract

• Data subject is a party

• E.g. keeping a basic employee file

• Precontractual relationship is also covered

• Necessary to take steps at the request of the data subject

• E.g. to process an application

Page 20: ISACA Privacy Open Forum - GDPR & HR


GDPR: lawfulness of processing

• Necessity for legal compliance

• Processing

• Legal obligation of the data controller

• Examples

• Employee file

• Employment obligations

• Social security obligations


Page 21: ISACA Privacy Open Forum - GDPR & HR


GDPR: lawfulness of processing

• Legitimate interest

• Data controller or third party

• Balance with the interests or fundamental rights of the data subject

• Balance of interests?

• Data processing activity (purpose, data)

• Expectations of the data subject

• Specific application for HR

• Centralisation of HR processing

• Preventing fraud

Page 22: ISACA Privacy Open Forum - GDPR & HR


Special categories of data

• General prohibition to process special categories of data

• Specific categories

• Exceptions

• Explicit consent

• Compliance with obligations in relation to employment and social security

• Data manifestly made public by the data subject

• Legal claims

• Preventive and occupational medicine

Page 23: ISACA Privacy Open Forum - GDPR & HR


GDPR: data subjects’ rights

• Overview

• Right to information and access to data

• Right to rectification and erasure (“RTBF”)

• Right to restriction of processing

• Right to data portability

• Right to object

• Rights in relation to automated individual decision making, including profiling

Page 24: ISACA Privacy Open Forum - GDPR & HR


GDPR: data subjects’ rights

• Transparency

• Identity and contact details (including DPO)

• Purposes of processing, including the legal basis for processing

• Recipients of personal data

• International data transfers

• Data retention period

• Specific data subject rights

Page 25: ISACA Privacy Open Forum - GDPR & HR


GDPR: data subjects’ rights

• Right to be forgotten

• No longer necessary

• Withdrawal of consent and no other legal ground

• Objection

• Unlawful processing

• Erasure is required for compliance with a legal obligation

• Personal data of children (conditional)

Page 26: ISACA Privacy Open Forum - GDPR & HR


GDPR: data subjects’ rights

• Consequences

• Erasure of personal data

• If made public, take reasonable steps to inform other controllers processing such data

• Exceptions

• Freedom of expression and information

• Compliance with a legal obligation

• Public interest in the area of public health

• Archiving

• Legal claims

Page 27: ISACA Privacy Open Forum - GDPR & HR


GDPR: data subjects’ rights

• Right to data portability

• Processing based on consent or contractual necessity

• Right to receive a copy of the personal data provided by him

• Structured, commonly used and machine-readable format

• Right to transmit personal data to another controller without hindrance

• Right to require direct transmission between controllers

Page 28: ISACA Privacy Open Forum - GDPR & HR


GDPR: data subjects’ rights

• Automated individual decision making

• Right not to be subjected thereto

• Legal effect concerning him

• Significantly affects him

• Exceptions

• Contractual necessity

• Authorized by law

• Based on explicit consent

• Additional safeguards


Page 29: ISACA Privacy Open Forum - GDPR & HR


CAPITA SELECTA


Page 30: ISACA Privacy Open Forum - GDPR & HR


Recruitment database

• Database of candidates for future use

• Legal ground

• Consent

• Legitimate interest

• Information

• Restricted retention period

• 6-24 months

• Data subject may provide indications

• No retention if no interest in company/role


Page 31: ISACA Privacy Open Forum - GDPR & HR


Access control

• Automated tools for access control or time registration

• Legal ground

• Consent

• Contractual necessity

• Legitimate interest

• Information

• Part of security measures

• Biometric tools / applications

• Explicit consent

Page 32: ISACA Privacy Open Forum - GDPR & HR


Employee directory

• Employee directory (contact details / photos)

• Legal ground

• Consent

• Contractual necessity

• Legitimate interest

• Intranet

• International transfer of data?


Page 33: ISACA Privacy Open Forum - GDPR & HR


Centralised HR processing

• Centralised approach to HR processing

• Centralised processing as a service

• Centralised HR-policy

• Role of the parties?

• International data transfer


Page 34: ISACA Privacy Open Forum - GDPR & HR


Centralised HR processing

• New data processing operation

• Data controller

• Legal ground

• Consent

• Contractual necessity

• Legitimate interest

• Information

• Data processor (service)

• Data processing agreement


Page 35: ISACA Privacy Open Forum - GDPR & HR


Centralised HR processing

• Joint controllership

• When?

• Legal ground

• Consent

• Legitimate interest

• Information

• International data transfer


Page 36: ISACA Privacy Open Forum - GDPR & HR


Centralised HR processing

• “One-stop-shop mechanism”

• Single DPA: main establishment

• Controller

• Processor

• Cross-border processing

• Multiple establishments of controller or processor

• Single establishment but (likely to) substantially affect data subjects in more than one EU member state

Page 37: ISACA Privacy Open Forum - GDPR & HR


Centralised HR processing

• Lead DPA

• Handle complaints or infringements

• Soft exceptions: another DPA may act, unless the lead DPA decides to handle the case

• Relates only to an establishment in one EU member state

• Substantially affects data subjects only in one member state

• Cooperation with other DPAs

Page 38: ISACA Privacy Open Forum - GDPR & HR


Outsourcing of payroll services

• Payroll service provider = data processor

• Written agreement

• Subject-matter, duration, nature, purpose, type of personal data, categories of data subjects, and obligations and rights of the parties

• Appropriate security measures

• Only process in accordance with instructions

• Confidentiality obligation

• Data breach notification obligation?

Page 39: ISACA Privacy Open Forum - GDPR & HR


Outsourcing of payroll services

• What is additionally required?

• Appointment of sub-processors

• Assistance in meeting the data controller's requirements

• Retransition measures (return or deletion of the data at the end of the service)

• Audit and cooperation duty in relation to the demonstration of compliance

• Inform the data controller if an instruction infringes the GDPR (information duty)

• Forward obligations to sub-processors

Page 40: ISACA Privacy Open Forum - GDPR & HR


Contact details

Johan Vandendriessche

Partner - Crosslaw

Visiting Professor ICT Law – UGent

Visiting Professor ICT Law – HoWest

Mobile Phone +32 486 36 62 34

E-mail [email protected]

Website www.crosslaw.be

Page 41: ISACA Privacy Open Forum - GDPR & HR


ISACA BELGIUM