Lena Borislavova, attorney at law, Georgiev, Todorov & Co.
Main topics:
1. How to design the relationship between the controller and the processor
2. The employer as a controller – dos and don’ts

1. Who is Who?
2. Facts and Myths. New Rules
3. The Virus effect
4. Common Responsibilities
5. Designing the relationship
Data Controller (DC): a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor (DP): a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Joint controllers and joint processors
Processing: any operation or set of operations which is performed on personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, restriction, erasure or destruction.
It is essential for organizations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of the processing.
This is particularly important in situations such as a data breach, where it will be necessary to determine which organization has data protection responsibility.
The fact that one organization provides a service to another organization does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation.
Fines and liability: if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller. The processor may act only upon documented instructions from the controller.
Examples: lawyers, recruitment agencies
Art. 28(10) GDPR – contractual liability
Art. 5(2) GDPR – demonstrate compliance
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.
Where a processor engages another processor, the same data protection obligations shall be imposed on that other processor by way of a contract or other legal act.
If the other processor fails to fulfil its data protection obligations, the initial processor remains fully liable.
The Virus effect
Legal basis for liability
Art. 28(10) GDPR: “if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.”
Contractual penalties
Common Controller and Processor Responsibilities
• Maintain records of data processing
• Comply with a code of conduct or with an approved certification mechanism
• Implement appropriate technical and organisational measures for data security
• Carry out regular risk assessments, testing, and monitoring
• Periodically review and update the technical and procedural safeguards
• Appoint a data protection officer where applicable
• Maintain communication and cooperation with the supervisory authority
• Implement procedures for data breach identification and notification
Designing the relationship
Stipulate: Documented instructions – the DP must only act upon receipt of DC instructions (keep evidence of them)
Stipulate: Guarantee confidentiality – DP staff shall be obliged to keep confidentiality
Stipulate: Security of processing – the DP must adopt security measures – art. 32
Stipulate: Records of processing activities – the DP must keep records of its processing activities – art. 30(2); note the exemption in art. 30(5)
Stipulate: Engaging another DP – only upon written authorization by the DC; the initial DP remains liable
Stipulate: Duty of assistance to the DC – the DP must assist in responding to data subject requests and audits
Stipulate: Fate of the data – the DP shall delete or return personal data at the end of the processing
Stipulate: Demonstrate compliance – the DP must allow for audits and inspections by the DC
1. The employer as a controller?
2. Risks for employers during recruitment
3. Risks for employers at the workplace
4. Risks for employers – scenarios
When do employers process personal data:
• Recruitment
• During employment
• On termination of the employment relationship
Critical concepts and new obligations for the employer:
• Transparency
• Legal grounds for processing
  • Consent?
  • processing is necessary for the performance of a contract
  • processing is necessary for compliance with a legal obligation to which the data controller is subject
  • processing is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or rights of the data subject
• DPIA and/or records of processing activities
Personal data about the employee John Smith:
• CV
• e-mails
• internet browsing history
• GPS coordinates and IP addresses
• assessments, evaluation of performance
• disciplinary measures taken
• employee behaviour at work
Personal data of applicants – employers DO NOT have the right to:
• require more information than strictly necessary for the performance of the job applied for
• use information about the applicant gathered from social (as opposed to professional) networks unless prior consent is obtained
If an employment contract is not concluded, the employer MUST immediately erase all personal data relating to the applicant once it becomes clear that an employment contract will not be concluded.
Does the employer still wish to retain the applicant’s data for future employment opportunities? Consider:
• getting the applicant’s consent
• informing the applicant that you wish to process their data in order to contact them with future employment opportunities, and giving them the possibility to object to such further processing
Transparency
• prior to the processing you must inform the employee
• clearly communicate to employees their rights, including the right to lodge a complaint against the employer with the regulatory body (Commission for Protection of Personal Data)
Legal grounds for processing – legitimate interest:
◦ the purpose of the processing is legitimate, i.e. business needs of the employer
◦ the chosen method or specific technology is necessary to achieve the purpose
◦ the processing is proportionate to the purpose
◦ the processing is carried out in the least intrusive manner possible
Practical tip: in most cases consent will not be freely given. Check whether you can rely on another lawful basis for processing.
Adopt: data protection policies and procedures that are fully aligned with the processing, and inform the employees about them.
Be aware: the legitimate purpose for processing must be communicated to employees in advance.
Monitoring of electronic communications in the workplace
An employer intends to deploy an appliance to decrypt and inspect secure traffic, with the purpose of detecting anything malicious. The appliance is also able to record and analyse the entirety of an employee’s online activity on the organisation’s network. The legitimate-interest test above applies: the inspection must be necessary for the security purpose, proportionate, carried out in the least intrusive manner, and communicated to employees in advance.
Processing operations relating to time and attendance
An employer maintains a server room in which business-sensitive and personal data are stored. In order to comply with legal obligations to secure the data against unauthorized access, the employer has installed an access control system that records the entrance and exit of employees who have appropriate permission to enter the room.
The employer cannot use the data collected for different purposes – e.g. to evaluate an employee’s performance.
Good practice: prevention should be given much more weight than detection.
Evaluate employment contracts and data privacy policies. Consent? Categories of data processed?
Legal grounds for processing personal data of employees?
Increase awareness among employees, especially Human resources department. Provide training on the new rules.
Take extra care if you use technology that can monitor the worker’s facial expressions by automated means, identify deviations from predefined movement patterns and more. This would often be disproportionate to the rights and freedoms of employees, and therefore generally unlawful.