Joining the growing list of states enacting privacy and data security laws, on July 25, 2019, New York’s governor signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), amending the state’s data breach notification and cybersecurity law. The SHIELD Act applies to “any person or business that owns … … Continue Reading
The Greek Data Protection Authority has imposed a 150,000 EUR fine on PriceWaterhouseCoopers Business Solutions SA for – get this – asking their employees’ consent to process their personal data. It may strike you as counterintuitive (and going against everything your mother ever told you) that asking consent could get you into trouble, but where … Continue Reading
In part 1 of this blog series, we asked how employers facing a Data Subject Access Request (DSAR) should be dealing with ‘mixed data’ cases, i.e. when a third party’s personal data is intertwined with that of the requester? Mixed data comes in many forms; for example, an email from John to a colleague saying … Continue Reading
Some DSARs can be wonderfully straightforward: “Can I have a copy of my personnel file?” “Absolutely, here you go” “Can I have a copy of the notes from my appeal hearing?” “Of course, all yours. Any time” However, a large number of DSARs submitted by employees are far more taxing: “Can I have all personal … Continue Reading
In the second of our five part blog series on Data Subject Access Requests (DSARs), we examine the notion of “complexity” and how that might affect the way you respond as an employer to a DSAR. What is “complex”? Under the General Data Protection Regulation (GDPR), data controllers must respond to DSARs “without undue delay … Continue Reading
Just when we thought we were getting to grips with some of the stickier issues around Data Subject Access Requests (DSARs), then along comes the EU General Data Protection Regulation (GDPR) and numerous new ambiguities over how its DSAR provisions might work in practice. We are waiting for the ICO’s guidance and update on its … Continue Reading
Clearly another quiet week over at Acas if its new guidance on employment references is anything to go by. It is, in all honesty, a bit on the basic side, even including an answer to that never-asked question – what is an employment reference?… Continue Reading
Part 7 of this series looked at how far an employer might be exposed if employees whose images were used in internal or external marketing or other corporate communications then withdraw their consent to that processing. Our Global IP and Technology team has now provided some useful further thoughts on this risk, accepting that the … Continue Reading
In many countries, individuals are identified by a unique number issued by the government. Probably the most ubiquitous example is the Social Security Number in the United States, which is generally necessary to obtain employment, open a bank account or obtain a driver’s license, and is used for credit monitoring and other private sector purposes. … Continue Reading
A client put this to us the other day – assuming that a photo or video footage of a current or former employee counts as his personal data, which it does, how far will his GDPR “right to be forgotten” allow him to reach into the employer’s records and require that image to be deleted?… Continue Reading
With a clear link between increased employee wellbeing (both in terms of physical and mental health) and reduced sickness absence, many employers may use renewed New Year ambitions to adopt or promote employee wellbeing programmes. Businesses have introduced measures including step challenges with free pedometers, fruit ‘desk drops’ and health monitoring stations in the workplace. … Continue Reading
Judge Dedov is the one to watch here. He was the only one out of the European Court of Human Rights panel not responsible for a recent decision on employee surveillance which many may feel tilts European law around workplace monitoring altogether too far towards the interests of the employee. Ms Ribalda and her four … Continue Reading
It all began as an everyday tale of Montenegrin academics and some animals, and ended up in a European Court of Human Rights decision with potentially significant consequences for employers across the EU and the UK.… Continue Reading
With apologies for the interruption to this series, here are two further reader questions on the GDPR as it will apply to employers in the UK. I have heard that my corporate email address is my personal data. Does that mean that a DSAR sent to my employer should bring me copies of everything in … Continue Reading
Illinois enacted its Biometric Information Privacy Act (“BIPA”) in 2008 to regulate, among other things, employer collection and use of employee biometric information. Biometrics is defined as the measurement and analysis of physical and behavioral characteristics. This analysis produces biometric identifiers that include things like fingerprints, iris or face scans, and voiceprints, all of which … Continue Reading
Here are answers to two more questions arising from next year’s GDPR, this time on website recruitment and data breach notification. More to follow in this series soon. We have a contact form section on our website to allow people to submit details (name, email, phone number & CV) if they want to be informed … Continue Reading
This is the next in our series of posts on questions raised at our recent GDPR webinar. If you have any views or further queries in these areas, please do get in touch. What impact will the GDPR have on Model Clauses? Model Clauses are standard contractual terms adopted by the European Commission for the … Continue Reading
What would count as sharing data with a third party? For example, if we are booking employees on an external training course where we would only provide their name, would this amount to sharing data with a third party? The sharing of an employee’s name with an external training provider would certainly amount to the … Continue Reading
At our recent webinar on “GDPR Compliance: How UK Employers Can Meet the 25 May 2018 Deadline” we were asked a number of questions via the chat facility. Those questions showed that with less than a year to run and much to do before then, there is still widespread uncertainty as to the detail of … Continue Reading
Exactly one year from today, Brexit notwithstanding, the EU General Data Protection Regulation comes into effect. This is aimed primarily at commercial progressing of customer data but still has significant ramifications for HR’s handling of employee data. Compliance with the Data Protection Act as it stands will not be enough to protect against breaches of … Continue Reading
Polish Data Protection rules are quite restrictive when it comes to the information that employers may safely request from the candidate or the employee but now there is a new question for them to consider: are you male or female? This is not quite as silly as it sounds. As a rule you can tell … Continue Reading
Foreign employers posting employees to France temporarily, whether to provide services for a client based in France or for their own sake or as part of an intra-group mobility programme, must comply with strict legal requirements. These relate in particular to providing for those staff a set of mandatory employment rules applicable while they are … Continue Reading
As a follow up to our previous blogpost, a new federal law, the Defend Trade Secrets Act of 2016 (DTSA), which went into place on May 11, provides a federal cause of action for trade secret misappropriation. One important employment law aspect of the DTSA that has not received a lot of attention is the requirement that … Continue Reading
As reported last week in our Global Business IP & Technology Blog, the Defend Trade Secrets Act is currently on President Obama’s desk awaiting his imminent signature. Once enacted, the new law will provide the first federal civil claim for misappropriation of trade secrets. Although the new law is monumental in several respects, at least … Continue Reading
