Data Protection

Subscribe to Data Protection RSS Feed

The trouble with the reluctant complainant (UK)

It has been annual review season here at Squire Patton Boggs.  Looking back over my efforts this year in the usual endeavour to justify my own existence, I have spotted the same scenario cropping up with unusual frequency.  An employee tells their employer that they have experienced something at work that they are not too … Continue Reading

New post-Brexit DSAR guidance – still no bonfire (UK)

Back in March 2020 we reported here on some new guidance from the Information Commissioner’s Office concerning DSARs.  In particular, we looked at what it said about the employer’s rights not to comply with a DSAR to the extent that it was manifestly unfounded or manifestly excessive, and concluded that despite the superficially encouraging words … Continue Reading

New GCC rules for employers, Part 3 – revised KSA Personal Data Protection Law (KSA)

The Kingdom of Saudi Arabia has issued legislation to regulate the collection and processing of personal data in the country (the PDPL). While the law was originally due to come into force on March 23 last year, the enforcement date has been postponed until March 17 of this year (as of the date of this … Continue Reading

What’s new in Belgium on the employment front, Part 2 – rolling out the biking allowance

In the first part of our mini blog series we discussed the training plan you are required to introduce for your employees in Belgium before 31 March. In this second blog, we will zoom in on the biking allowance which was introduced recently. Although we are not quite at the level of the Dutch (the … Continue Reading

Proposed new EU regulatory regime for Artificial Intelligence – more relevant to HR than you might think (UK)

For the last year or so the EU Commission has been working on the world’s first serious attempt to create a regulatory framework around the use of AI, the Artificial Intelligence Act.  The Proposal itself runs to over 100 pages of dense type and no pictures, so is a fairly off-putting read at first look.  … Continue Reading

Saudi Arabia’s new personal data protection law – key points for employers

The Kingdom of Saudi Arabia has enacted a new comprehensive data protection law (the PDPL), which comes into force on 23 March. The first standalone data protection law of its kind in KSA, the PDPL is a significant development and seeks to develop the Kingdom’s legislative landscape in a way consistent with its 2030 Vision … Continue Reading

Watching the detectives – employee rights to monitor employer misconduct (UK)

Today’s word is “Avizandum”, which the internet tells me is the name of the King of the Dragons, mate of Zubeia and father Azymondias, respected by all the elves as the most powerful creature in the whole of Xadia. Clearly. Whether the elves would have taken the same view if aware that the King of the … Continue Reading

Spain’s new decree on remote working

A new decree (Royal Decree-law 28/2020) was passed on 22 September to regulate remote working in Spain. As for many countries worldwide, Spain has recently seen a marked increase in the number of employees working from home as part of its bid to decrease physical contact between individuals and curb the COVID-19 pandemic. Prior to … Continue Reading

Belgian Ministry of Employment blows hot and cold on pre-return temperature checks

In an attempt to keep Covid-19 out of the workplace, many employers have been inquiring about the possibility of performing temperature checks before employees enter their premises each day. The Belgian Ministry of Employment’s position until last week was fairly relaxed: its FAQ document referred to the stance taken by the Belgian Data Protection Authority, … Continue Reading

The Australian Government wants workplaces to be “COVID-safe”, but this doesn’t mean employers can require employees to download the COVIDSafe App

In a bid to reawaken the Australian economy, the Federal Government is developing a return to work health and safety “toolkit” and is encouraging workplaces to become “COVID-safe”. At the same time, the Government is continuing to encourage the public to download its COVIDSafe digital contact-tracing App.… Continue Reading

New York Strengthens Data Privacy and Security Protections: Employers Must Adopt Safeguards (US)

Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that owns … … Continue Reading

When employee consent is the start of the problem, not the end – the GDPR shows some teeth

The Greek Data Protection Authority has imposed a 150,000 EUR fine on PriceWaterhouseCoopers Business Solutions SA for – get this – asking their employees’ consent to process their personal data. It may strike you as counterintuitive (and going against everything your mother ever told you) that asking consent could get you into trouble, but where … Continue Reading

Employee Data Subject Access Requests in the UK: Part 4 – how to deal with mixed data

In part 1 of this blog series, we asked how employers facing a Data Subject Access Request (DSAR) should be dealing with ‘mixed data’ cases, i.e. when a third party’s personal data is intertwined with that of the requester? Mixed data comes in many forms; for example, an email from John to a colleague saying … Continue Reading

Employee Data Subject Access Requests: Part 3 – DSARs and proportionality – limiting the search (UK)

Some DSARs can be wonderfully straightforward: “Can I have a copy of my personnel file?” “Absolutely, here you go” “Can I have a copy of the notes from my appeal hearing?” “Of course, all yours. Any time” However, a large number of DSARs submitted by employees are far more taxing: “Can I have all personal … Continue Reading

Employee Data Subject Access Requests: Part 2 – It’s complicated – extending the DSAR deadline (UK)

In the second of our five part blog series on Data Subject Access Requests (DSARs), we examine the notion of “complexity” and how that might affect the way you respond as an employer to a DSAR. What is “complex”? Under the General Data Protection Regulation (GDPR), data controllers must respond to DSARs “without undue delay … Continue Reading

Employee Data Subject Access Requests: Part 1 – where are we now and what questions remain? (UK)

Just when we thought we were getting to grips with some of the stickier issues around Data Subject Access Requests (DSARs), then along comes the EU General Data Protection Regulation (GDPR) and numerous new ambiguities over how its DSAR provisions might work in practice.  We are waiting for the ICO’s guidance and update on its … Continue Reading

Practical Guide to the GDPR – Part 8

Part 7 of this series looked at how far an employer might be exposed if employees whose images were used in internal or external marketing or other corporate communications then withdraw their consent to that processing. Our Global IP and Technology team has now provided some useful further thoughts on this risk, accepting that the … Continue Reading

What’s Your Number? Be Careful When Asking Your Japanese Employees.

In many countries, individuals are identified by a unique number issued by the government. Probably the most ubiquitous example is the Social Security Number in the United States, which is generally necessary to obtain employment, open a bank account or obtain a driver’s license, and is used for credit monitoring and other private sector purposes. … Continue Reading
LexBlog