Here is our (late!) monthly data protection news and update blog for August from the Evalian team. As ever, we’re sharing some of the news items you may have missed together with links to 3rd party sites which provide more information.
The summer period has continued to be busy in the world of data protection and the media has hungrily been picking up stories such as the use of facial recognition at Kings Cross and elsewhere across the UK. Challenges around international transfers of personal data following a no-deal Brexit have also made the headlines.
PWC in Greece fined for relying on Consent to process employee personal data
As reported by the European Data Protection Board, the Greek Data Protection Authority (the Greek equivalent of the ICO) issued a €150,000 fine to PWC in Greece for relying on the wrong lawful basis to process its employees’ personal data. As data controller, PWC required employees to give their consent to the processing of their personal data, even though other lawful bases were more appropriate, including contract performance, legal obligation and legitimate interest. Furthermore, PWC had also failed to properly document its lawful basis for processing, thereby breaching the GDPR’s accountability principle.
Our advice: Don’t rely on consent for processing employee personal data except where it is strictly necessary. Consent is rarely considered valid in the workplace due to the imbalance of ‘power’ between employee and employer. Also, employees won’t be able to withdraw consent for most employment processing, which indicates it is not valid.
Having a Facebook ‘Like’ button on your website most likely makes you a joint controller with FB
On 29 July 2019, the Court of Justice of the EU (CJEU) ruled that a website featuring a Facebook ‘Like’ button can be considered a joint controller in respect of the collection and transmission to Facebook of website visitors’ personal data. The case centres on a German online clothing retailer, FashionID, which embedded the ‘Like’ button on its website. Regardless of whether the visitor had clicked the Like button or was a member of the Facebook social network, visitor data was transmitted to Facebook Ireland without the visitor’s knowledge or consent.
Our advice: Check your corporate website to see what social media plugins you are using and whether these automatically share personal data when someone visits your website. If so, you may be a joint controller for that personal data. You may need to check with your website developer.
ICO launches consultation on new Data Sharing Code of Practice
Unchanged since 2011, the ICO’s Data Sharing Code of Practice is long overdue for an update. Accordingly, the ICO has launched a consultation seeking views on revisions to the code to align it with the GDPR’s requirements. Significant changes in the draft code address issues such as transparency, lawful bases for processing, the new accountability principle and the requirement to keep a record of processing activities (RoPA). It also embraces key data sharing provisions set out in the Digital Economy Act 2017, which aims to encourage the sharing of data between government departments, and specifically addresses safeguards for sharing data about children, ethical considerations when sharing data, and data sharing in emergencies.
Our advice: The code of practice offers best practice guidance around data sharing. If you regularly share data, we’d recommend finding time to read the Code and thinking about how your practices compare.
ISO 27701 Privacy Information Management System standard launched
The International Standards Organisation (ISO) has published a standard for a Privacy Information Management System (PIMS). Launched on 6th August 2019, the standard covers the protection of privacy, including how organisations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world. It complements the ISO27000 series of Information Security Management standards and is applicable to all types and sizes of organisations, including public and private companies, government entities and not-for-profit organisations. Presently, there are no certification or registration schemes available; however, it is expected that global accreditation bodies will soon announce the introduction of such schemes.
Our advice: We’d recommend waiting for the new standard to mature and for certification bodies to support it. The British Standard BS10012 (also for a PIMS) is available but is not a mainstream certification. We are also still waiting for an update from the ICO on GDPR certification mechanisms (albeit they arguably have bigger issues to address right now given the data protection challenges presented by a no-deal Brexit).
Have a question?
If you have any questions about any of the updates provided, please don’t hesitate to get in touch. You can contact us here.