Module 8 - Compliance Considerations

Question 1

What are the four bases upon which an employer can legitimise processing of employee data?

Answer 1

Personal data:
- Legitimate interests.
- Performance of employment contract.
- Performance of an employment law obligation.
- Consent.

Special category data:
- Explicit consent.
- Employment law.

Consider local MS law for employment data storage considerations.

Question 2

What considerations are relevant to bring-your-own-device arrangements?

Answer 2

• Provide employees notice of BYOD requirements.
• Implement a BYOD policy.
• Assess, identify and overseee storage of data and attendant security consideration.

Question 3

What four considerations are relevant to employee monitoring?

Answer 3

• NECESSITY - Is a less intrusive method available?
• LEGITIMACY - Are there lawful grounds for monitoring?
• PROPORTIONALITY of monitoring measures.
• TRANSPARENCY of monitoring measures.

Generally, where surveillance is lawful, the rights and freedoms of the DS should still be respect (article 23, GDPR).

Question 4

What considerations are relevant to the usage of CCTV?

Answer 4

• Local law details specific CCTV requirements.
• If there is large scale processing of data then a DPIA is likely to be required.
• Consider the proportionality of CCTV monitoring.
• CCTV-related processing must also be transparent - consider signposting of CCTV.

Question 5

Under the Electronic Privacy Directive, how must direct marketing be legitimised?

Answer 5

B2B direct marketing:
- Postal - Opt-out must be available;
- Phone - Opt-out must be available;
- Digital - Opt-out must be available,

B2C direct marketing:
- Postal - Opt-out must be available;
- Phone - Opt-out must be available (subject to checking TPS);
- Digital - Opt-in (or ‘soft opt-in’) must be secured.

Cookies - Opt-in required (except where necessary - developer determines what is necessary).