Employee right of access: how does it work?

The CNIL of France has released an article explaining the employee right of access under the EU GDPR.


Article 15 of the GDPR gives individuals the right to request a copy of any of their personal data from a data controller. This also applies when the data controller is the individual’s employer. CNIL has recently outlined in this article how employers should go about fulfilling requests from current and past employees for their personal data. The organisation must be sure of the identity of the applicant. In cases where there is reasonable doubt about the identity of the person requesting the information, the organisation may request proof of identity. This is not necessary where the employee makes the request via their professional email or the company’s intranet. Similarly, identity can be proven by providing a current or former professional identifier.


Employees should receive their data, and have the right to have this data corrected or deleted free of charge in most cases.


Employees or former employees may request a copy of all the personal data that their employer holds concerning them, and must receive this information in an understandable format that makes it easy for them to check the accuracy of the information therein. The individual is also entitled to information such as the purpose for which the data is used, the categories of data processed, the other organisations to which the data may have been communicated, etc. They may also request that the data be corrected or erased. These requests should be handled free of charge; however, where they are unfounded or excessive, for example where additional copies are requested, reasonable costs may be charged for fulfilling the request. The right of access relates to personal data and not to documents; the organisation is nevertheless not prohibited from releasing documents rather than just the data, if doing so would be more practical.


Employers must protect the rights of third parties when it comes to fulfilling requests for copies of professional emails.


Employees may request access to professional emails where they were either the sender or a recipient, or where they were mentioned in the emails. In cases where the employee was the sender or a recipient, it is assumed that the individual already had knowledge of the information contained in the messages requested. Therefore the fulfilment of those requests is presumed to respect the rights of third parties. However, in cases where the applicant is only mentioned in the content of these emails, it is important that the employer protects the rights and identities of any third parties. It is suggested that the employer first attempt to delete, anonymise or pseudonymise the third-party data. If this is insufficient, it would be necessary for the employer to refuse the request for access and to provide the applicant with reasons justifying the refusal.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

International Data Protection Committee

International Data Protection Committee established by Danish DPA

An international data protection committee has been established by the Danish DPA to protect Danish interests regarding international data protection.


The Danish DPA has established a special committee with the aim of giving the Authority’s stakeholders more and better insight into the international data protection work done by the Data Inspectorate. It will also give them an opportunity to contribute to this work, strengthening the safeguarding of Danish interests on an international level. This new special committee differs from the Danish DPA’s contact committee in that its efforts will be geared specifically towards the Authority’s work on international affairs.


The International Data Protection Committee is aimed at fostering collaboration to strengthen the protection of Danish interests.


The GDPR is directed at pursuing a more formalised cooperation between the various European Data Protection Authorities. This is paramount in ensuring harmonisation in the interpretation of data protection rules throughout the EU. The Danish DPA, in an effort to protect and further Danish interests, is working to ensure that European regulation is beneficial within the Danish context. The Special Committee on International Data Protection Cooperation was established to give the Danish Data Protection Authority’s stakeholders and the Danish Data Protection Agency a platform on which to work together to strengthen the protection of Danish interests.


This special committee will hold quarterly meetings to inform stakeholders about ongoing international cases as well as any current issues in the international arena. Committee members will have the opportunity to provide input at these meetings, as well as insight on their specific needs. The first of these meetings is scheduled to take place on January 20.



DATA PROTECTION AND GDPR

DATA PROTECTION AND GDPR: LESSONS LEARNED FROM 2021

The data protection industry is constantly evolving as the GDPR is implemented by organisations and enforced by the Data Protection Authorities.


New year, new beginnings? That is not always the case, and definitely not when the previous year has provided valuable insights for the upcoming one. Although the GDPR has been in application since 2018, it is still a relatively new piece of legislation about which stakeholders are still learning, including organisations, Data Protection Authorities (DPAs) and the broader society. This is why we need to take a close look at any development in the industry, as it may be decisive for the future of data protection. In this post we go through the main takeaways of 2021.

Schrems II and new SCCs

After Schrems II and the caveats that the CJEU added to the use of SCCs, the EU Commission adopted a new set of SCCs for the transfer of personal data to third countries in June 2021, as we reported on Aphaia’s blog. These new SCCs brought practicality and flexibility through a modular approach which makes them suitable for any type of data transfer, regardless of whether the controller or the processor takes the role of data exporter or data importer. The new SCCs also include a toolbox and some supplementary measures aimed at helping controllers and processors to make safe international data transfers, built on the need to perform a Data Transfer Impact Assessment, which the parties can use to identify the risks of the transfer and their ability to comply with the clauses.

It should be noted that the ICO has not yet pronounced on the new SCCs. The ICO is planning to produce its own SCCs for restricted transfers made from the UK.

Other updates

Together with the new SCCs for international data transfers, the EU Commission also published a set of SCCs covering the Article 28 GDPR requirements. However, unlike the SCCs for international data transfers, these are not mandatory, and controllers and processors can still use their own terms in data processing agreements.

Not new in 2021, but still a work in progress over the year, were the rules on cookies and the concept of joint controllership. Many organisations are still updating their cookie banners to include toggles or checkboxes for each cookie that is not strictly necessary. Cookies are also relevant in terms of data protection roles since, as with any other joint processing of personal data, if two or more parties are involved they may trigger joint controllership as a result of converging decisions.

GDPR enforcement

The impact of the work carried out by the DPAs is not clear at this stage: first, because the GDPR has only been around since 2018 and we are all still learning; second, because GDPR investigations are lengthy, often running to several months; and third, because each DPA applies its own criteria beyond Article 83 GDPR. For example, Portugal’s national GDPR implementing legislation places a 3 year moratorium on administrative fines for public bodies. In Spain, on the other hand, no fines can be imposed on the public sector at all. Aligned actions and criteria would help to enhance the consistency mechanism, contributing to the consistent application of the GDPR throughout the EU.

The role of the DPAs may also change in the upcoming years as new pieces of legislation enter into force, such as the EU AI Regulation Proposal.

The regulatory fines

Regarding fines, it should be noted that GDPR fines have ramped up significantly in recent months. It should be taken into account, however, that the amount of the fine is not the only thing that matters when it comes to infringements: the cost that the process implies for the organisations involved and the damage to corporate reputation also count.


I had the chance to discuss this with JC Gaillard from Corix Partners in their Cyber Security Transformation Podcast. You can access it [here].



CLEARVIEW AI ordered to delete photos by the French DPA, CNIL

CLEARVIEW AI has been ordered to delete photos by the French DPA after an investigation revealed the unlawful collection and processing of photos from the Internet.


CLEARVIEW AI and the facial recognition software the company produces were first reported to the CNIL in May 2020. This led to an investigation which uncovered two GDPR infractions: the unlawful processing of personal data, and insufficient consideration of the rights of individuals, particularly their right to request access to their data. As a result, the CNIL has ordered CLEARVIEW AI to cease the collection and use of data from people on French territory without a legal basis, and to facilitate access to data by data subjects. In addition, CLEARVIEW AI was ordered to comply with requests for erasure of data. The CNIL has given the company two months to comply with the requests set out in its formal notice.


CLEARVIEW AI developed a facial recognition system which uses a database of photos that the company had neither consent nor a legal basis to process.


CLEARVIEW AI developed facial recognition software whose database is built from photographs and videos extracted from publicly accessible media on the internet. The company does not obtain the consent of the data subjects whose photos are used to feed its software, and there is no other legal basis for the processing of this personal data. As a result, the company was found to be in breach of Article 6 of the GDPR. The collection of data on tens of millions of individuals on French territory without a legitimate interest is also considered particularly intrusive.


“It should be noted that the fact that personal data is publicly available does not mean that it can be freely used. The GDPR applies to publicly available personal data as well, therefore a basis of Article 6 is required in order to process it lawfully. If this basis is legitimate interest, a Legitimate Interest Assessment needs to be performed,” comments Cristina Contero Almagro, Partner at Aphaia.

CNIL also found CLEARVIEW AI in breach of Articles 12, 15 and 17 of the GDPR, as individuals had difficulty exercising their rights with the company.


The many complaints received by the CNIL pointed to individuals’ rights being infringed upon by CLEARVIEW AI, particularly the data subjects’ right of access and right to erasure. The company was found to have been limiting the exercise of the right of access to data collected during the 12 month period preceding the request. In addition, CLEARVIEW AI only allowed individuals to exercise this right twice a year, without justification. The company was found to respond to certain requests only after an excessive number of requests from the same person. When requests were made to exercise the right to erasure, it was reported that the company either did not respond at all or provided incomplete responses. CLEARVIEW AI has since been put on notice by CNIL to come into compliance, cease unlawful processing and delete all data processed unlawfully within a two month period.