For the last year or so the EU Commission has been working on the world’s first serious attempt to create a regulatory framework around the use of AI, the Artificial Intelligence Act. The Proposal itself runs to over 100 pages of dense type and no pictures, so is a fairly off-putting read at first look. … Continue Reading
The Kingdom of Saudi Arabia has enacted a new comprehensive data protection law (the PDPL), which comes into force on 23 March. The first standalone data protection law of its kind in KSA, the PDPL is a significant development and seeks to develop the Kingdom’s legislative landscape in a way consistent with its 2030 Vision … Continue Reading
When an employee leaves, it is often a first step for the business that his personal access to their professional mailbox is cancelled as soon as possible (often even during the exit meeting). But most often that mailbox will remain open for quite some time after the termination, as there is a genuine business concern … Continue Reading
Today’s word is “Avizandum”, which the internet tells me is the name of the King of the Dragons, mate of Zubeia and father Azymondias, respected by all the elves as the most powerful creature in the whole of Xadia. Clearly. Whether the elves would have taken the same view if aware that the King of the … Continue Reading
Back in March we posted here an explanation of why the “manifestly unfounded” exception to an employer’s DSAR obligations was perhaps less helpful than the ICO’s then guidance suggested. Now there is some new ICO guidance out this week which probably does move the needle slightly more usefully in favour of the employer.… Continue Reading
A new decree (Royal Decree-law 28/2020) was passed on 22 September to regulate remote working in Spain. As for many countries worldwide, Spain has recently seen a marked increase in the number of employees working from home as part of its bid to decrease physical contact between individuals and curb the COVID-19 pandemic. Prior to … Continue Reading
The striking down of the Privacy Shield by the Court of Justice of the European Union (CJEU) last week may have significant consequences for UK and EU employers which are headquartered in the US or which otherwise transfer the personal data of their employees to that country. Brief history – the original EU Data Protection … Continue Reading
Here are brief answers to two more of the questions raised at this week’s webinar on Effective Settlement Agreements. Can we make it a term of a Settlement Agreement that an employee will not make a DSAR after he leaves? Yes and no. Yes, in that he can sign up to such a term. No, … Continue Reading
In an attempt to keep Covid-19 out of the workplace, many employers have been inquiring about the possibility of performing temperature checks before employees enter their premises each day. The Belgian Ministry of Employment’s position until last week was fairly relaxed: its FAQ document referred to the stance taken by the Belgian Data Protection Authority, … Continue Reading
In a bid to reawaken the Australian economy, the Federal Government is developing a return to work health and safety “toolkit” and is encouraging workplaces to become “COVID-safe”. At the same time, the Government is continuing to encourage the public to download its COVIDSafe digital contact-tracing App.… Continue Reading
Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that owns … … Continue Reading
The Greek Data Protection Authority has imposed a 150,000 EUR fine on PriceWaterhouseCoopers Business Solutions SA for – get this – asking their employees’ consent to process their personal data. It may strike you as counterintuitive (and going against everything your mother ever told you) that asking consent could get you into trouble, but where … Continue Reading
In part 1 of this blog series, we asked how employers facing a Data Subject Access Request (DSAR) should be dealing with ‘mixed data’ cases, i.e. when a third party’s personal data is intertwined with that of the requester? Mixed data comes in many forms; for example, an email from John to a colleague saying … Continue Reading
Some DSARs can be wonderfully straightforward: “Can I have a copy of my personnel file?” “Absolutely, here you go” “Can I have a copy of the notes from my appeal hearing?” “Of course, all yours. Any time” However, a large number of DSARs submitted by employees are far more taxing: “Can I have all personal … Continue Reading
In the second of our five part blog series on Data Subject Access Requests (DSARs), we examine the notion of “complexity” and how that might affect the way you respond as an employer to a DSAR. What is “complex”? Under the General Data Protection Regulation (GDPR), data controllers must respond to DSARs “without undue delay … Continue Reading
Just when we thought we were getting to grips with some of the stickier issues around Data Subject Access Requests (DSARs), then along comes the EU General Data Protection Regulation (GDPR) and numerous new ambiguities over how its DSAR provisions might work in practice. We are waiting for the ICO’s guidance and update on its … Continue Reading
Clearly another quiet week over at Acas if its new guidance on employment references is anything to go by. It is, in all honesty, a bit on the basic side, even including an answer to that never-asked question – what is an employment reference?… Continue Reading
Part 7 of this series looked at how far an employer might be exposed if employees whose images were used in internal or external marketing or other corporate communications then withdraw their consent to that processing. Our Global IP and Technology team has now provided some useful further thoughts on this risk, accepting that the … Continue Reading
In many countries, individuals are identified by a unique number issued by the government. Probably the most ubiquitous example is the Social Security Number in the United States, which is generally necessary to obtain employment, open a bank account or obtain a driver’s license, and is used for credit monitoring and other private sector purposes. … Continue Reading
A client put this to us the other day – assuming that a photo or video footage of a current or former employee counts as his personal data, which it does, how far will his GDPR “right to be forgotten” allow him to reach into the employer’s records and require that image to be deleted?… Continue Reading
With a clear link between increased employee wellbeing (both in terms of physical and mental health) and reduced sickness absence, many employers may use renewed New Year ambitions to adopt or promote employee wellbeing programmes. Businesses have introduced measures including step challenges with free pedometers, fruit ‘desk drops’ and health monitoring stations in the workplace. … Continue Reading
Judge Dedov is the one to watch here. He was the only one out of the European Court of Human Rights panel not responsible for a recent decision on employee surveillance which many may feel tilts European law around workplace monitoring altogether too far towards the interests of the employee. Ms Ribalda and her four … Continue Reading
It all began as an everyday tale of Montenegrin academics and some animals, and ended up in a European Court of Human Rights decision with potentially significant consequences for employers across the EU and the UK.… Continue Reading
With apologies for the interruption to this series, here are two further reader questions on the GDPR as it will apply to employers in the UK. I have heard that my corporate email address is my personal data. Does that mean that a DSAR sent to my employer should bring me copies of everything in … Continue Reading
