Privacy Open Forum
Tuesday, 14th of March 2017
Brussels, 14 March 2017
GDPR & HR
Johan Vandendriessche
Agenda
1. 18:30 Introduction
2. 18:45 GDPR & HR
3. 19:30 Break
4. 19:50 GDPR & HR
5. 20:45 Close
GENERAL OVERVIEW: PRIVACY VS DATA PROTECTION
Privacy
• What is privacy?
• Various sources
• European Convention on Human Rights
• Treaty on the Functioning of the European Union (TFEU)
• Charter of Fundamental Rights of the EU
• National (constitutional) legislation
Privacy
• Privacy at work in the EU?
• Telephone calls
• E-mail / Use of Internet and online technology
• Principle of privacy at work has been confirmed by the ECHR and the Article 29 Working Party
• National laws implement privacy at work differently
Data Protection
• Limitations in relation to the processing of personal data
• Personal data: “any information in relation to an identified or identifiable physical person […]”
• Very broad legal interpretation of the concept of personal data
• Not necessarily sensitive information
• Processing: “any operation or set of operations which is performed upon personal data […]”
Data Protection
• Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data
• Data controller
• Data processor (“service provider”)
• Accountability
• Risk-based approach
Issue
• Privacy vs. work efficiency
• Employee uses employer tools for private purposes
• Employer seeks efficiency and cost reduction
• Right to the protection of privacy remains intact on the work floor
• Employment law
• Authority of the employer
• Mutual respect
Some applications in Belgium
• Pre-employment screening (CBA 38)
• Surveillance on the work floor
• Internet & e-mail (CBA 81)
• Cameras (CBA 68)
• Theft (CBA 89)
• Drugs and alcohol (CBA 100)
• What about acts outside the work context?
• Criticism on Facebook and freedom of speech?
• Privacy (and secrecy of communications)?
GENERAL PRINCIPLES
GDPR: incomplete framework for HR
• Specific rules for processing of employee data may be imposed
• CBA
• Member State laws
• Notification duty
• Current restrictions to be maintained?
• Consent restrictions in relation to special categories of data
GDPR: scope
• Material scope
• Automated processing of personal data
• Other processing of personal data forming part (or intended to form part) of a filing system
• Typical application: HR files
• Exceptions
• Not applicable in HR-related processing
GDPR: scope
• Territorial scope
• EU establishment of controller or processor
• Location of processing is irrelevant
• Establishment of controller or processor outside the EU
• Offering of goods or services to data subjects in the EU
• Monitoring of behaviour taking place within the EU
GDPR: scope
• EU based
• Clear situation
• Non-EU based
• Monitoring
• Tracking
• Potential subsequent use of data processing techniques
• Take decision concerning him
• Risk?
• Timesheets, absences, illness, …
GDPR: lawfulness of processing
• Employer-employee relation?
• No consent if:
• No genuine or free choice or inability to refuse without detriment
• Clear imbalance between parties
• Local legislation and CBAs may provide specific rules
• Consent
• Statement or clear affirmative action
• Mere silence is not sufficient
GDPR: lawfulness of processing
• Consent
• Written declaration: formal requirements impacting validity of consent
• Separate consent from contractual consent
• Controller has burden of proof
• Explicit consent is not generally required
• Required for processing of special categories of personal data
• Specific case: the field of employment
• Right to retract consent
• “in a manner as easy as consent was given”
GDPR: lawfulness of processing
• Contractual necessity
• Performance of a contract
• Data subject is a party
• E.g. keeping a basic employee file
• Precontractual relationship is also covered
• Necessary to take steps at the request of the data subject
• E.g. to process an application
GDPR: lawfulness of processing
• Necessity for legal compliance
• Processing
• Legal obligation of the data controller
• Examples
• Employee file
• Employment obligations
• Social security obligations
GDPR: lawfulness of processing
• Legitimate interest
• Data controller or third party
• Balance with interests or fundamental rights of the data subject
• Balance of interests?
• Data processing activity (purpose, data)
• Expectations of data subject
• Specific application for HR
• Centralisation of HR processing
• Preventing fraud
Special categories of data
• General prohibition to process special categories of data
• Specific categories
• Exceptions
• Explicit consent
• Compliance with obligations in relation to employment and social security
• Data manifestly made public by data subject
• Legal claims
• Preventive and occupational medicine
GDPR: data subjects’ rights
• Overview
• Right to information and access to data
• Right to rectification and erasure (“RTBF”)
• Right to restriction of processing
• Right to data portability
• Right to object
• Rights in relation to automated individual decision making, including profiling
GDPR: data subjects’ rights
• Transparency
• Identity and contact details (including DPO)
• Purposes of processing, including legal basis for processing
• Recipients of personal data
• International data transfers
• Data retention period
• Specific data subject rights
GDPR: data subjects’ rights
• Right to be forgotten
• No longer necessary
• Withdrawal of consent and no other legal ground
• Objection
• Unlawful processing
• Erasure is required for compliance with a legal obligation
• Personal data of children (conditional)
GDPR: data subjects’ rights
• Consequences
• Erasure of personal data
• If made public, take reasonable steps to inform other controllers processing such data
• Exceptions
• Freedom of expression and information
• Compliance with a legal obligation
• Public interest in the area of public health
• Archiving
• Legal claims
GDPR: data subjects’ rights
• Right to data portability
• Processing based on consent or contractual necessity
• Right to receive a copy of personal data provided by him
• Structured, commonly used and machine-readable format
• Right to transmit personal data to another controller without hindrance
• Right to require direct transmission between controllers
GDPR: data subjects’ rights
• Automated individual decision making
• Right not to be subjected thereto
• Legal effect concerning him
• Significantly affects him
• Exceptions
• Contractual necessity
• Authorized by law
• Based on explicit consent
• Additional safeguards
CAPITA SELECTA
Recruitment database
• Database of candidates for future use
• Legal ground
• Consent
• Legitimate interest
• Information
• Restricted retention period
• 6-24 months
• Data subject may provide indications
• No retention if no interest in company/role
Access control
• Automated tools for access control or time registration
• Legal ground
• Consent
• Contractual necessity
• Legitimate interest
• Information
• Part of security measures
• Biometric tools / applications
• Explicit consent
Employee directory
• Employee directory (contact details / photos)
• Legal ground
• Consent
• Contractual necessity
• Legitimate interest
• Intranet
• International transfer of data?
Centralised HR processing
• Centralised approach to HR processing
• Centralised processing as a service
• Centralised HR-policy
• Role of the parties?
• International data transfer
Centralised HR processing
• New data processing operation
• Data controller
• Legal ground
• Consent
• Contractual necessity
• Legitimate interest
• Information
• Data processor (service)
• Data processing agreement
Centralised HR processing
• Joint controllership
• When?
• Legal ground
• Consent
• Legitimate interest
• Information
• International data transfer
Centralised HR processing
• “One-stop-shop mechanism”
• Single DPA: main establishment
• Controller
• Processor
• Cross-border processing
• Multiple establishments of controller or processor
• Single establishment but (likely to) substantially affect data subjects in more than one EU member state
Centralised HR processing
• Lead DPA
• Handle complaints or infringements
• Soft exceptions: other DPA may act unless lead DPA decides to handle case
• Relates only to an establishment in one EU member state
• Substantially affects data subjects only in one member state
• Cooperation with other DPAs
Outsourcing of payroll services
• Payroll service provider = data processor
• Written agreement
• Subject-matter, duration, nature, purpose, type of personal data, categories of data subjects and obligations and rights of the parties
• Appropriate security measures
• Only process in accordance with instructions
• Confidentiality obligation
• Data breach notification obligation?
Outsourcing of payroll services
• What is additionally required?
• Appointment of sub-data processors
• Assistance in meeting data controller requirements
• Retransition measures
• Audit and cooperation duty in relation to demonstration of compliance
• Inform data controller if instruction infringes the GDPR (information duty)
• Forward obligations to sub-data processors
Contact details
Johan Vandendriessche
Partner - Crosslaw
Visiting Professor ICT Law – UGent
Visiting Professor ICT Law – HoWest
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM