This is an interesting case, and not only for the reasons mentioned in the press. It doesn’t give us much to work with but…
What strikes me, which is often overlooked by organisations are that employees and ex-employees -as is the case here- have rights under GDPR. Every employee is a data subject…. although of course you knew that 😉
What seems to be common with dissatisfied customers applies to unhappy ex-employees (in this case) they exercise their rights under GDPR. This guy wanted to be forgotten and access (on what couldn’t be deleted one can assume). This means that even if your organisation is a role of processor in the delivery of services to your customers, who are the controller, you are still regardless the controller to your employees.
What was used for the transfer of employee data over to China is contractual clauses. However, the award of the fine, a meagre €5k was for not responding to the ex-employee as per his rights, not on the use of contractual clauses…. would be interesting to know more on this.
Thanks for the post, Karen. I read the background articles over the weekend after reading your post. This situation reminded me about a contract negotiation I had with H about a decade ago. This involved a faculty research project. It took me 40 hours to negotiate the contract over the Christmas holiday. At the time there were congressional hearings concerning H and its genesis (founded by a Army General). The FBI got involved and interviewed the faculty member – – and reminded him that if he took their money he would be under FBI surveillance for 7 years. Was a five figure grant worth 7 years of surveillance? He thought yes – but he was warned. It was an interesting situation to say the least.