So hot of the press is that H&M (a Swedish business), although the fine of €41,4m was due to practices in one of their German outlets which were not compliant with GDPR.
Clearly as an employer it is difficult to avoid the collection of sensitive data from employees, i.e. when they are sick, just the notification is in itself sensitive and a DPIA must be conducted on how the notification and following process is done in order to any identify privacy risks, and remediations necessary in order to minimise the risk of harm to the rights and freedoms of each employee.
It seems that H&M were in conducting a “welcome back to work” after sick/vacation interview, recording the contents of the conversation, and storing it somewhere, which badly for them became exposed, which meant they got found out because they were reported to the German DPA.
It seems a bit of a pity, as the purpose of the interview seems to be positive, and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside of the specific purpose of the conversation, and indications -from what I read- are that this personal data was in fact used beyond purely storage, in that 50 managers had access.
Bad news for H&M. Great news for privacy and GDPR. Great work Germany, as per usual at the front of data protection and privacy of each and every data subject!
PwC developed a facial recognition tool that logs when employees are absent from their computer screens while they work from home. In particular, there have to be a specific excuse for any absence (including toilet breaks).
Too invasive? No doubt. Disproportionate with no likely legal grounds? WP29 Opinion 2/2017 on data processing at work suggests a positive answer, especially given that the tool monitors employees in their private location.
Predictably, this caused a barrage of criticism from different privacy enthusiasts, followed by unconvincing explanations provided by PwC that this tool helps “support the compliance environment required for traders and front office staff in financial institutions”.
Read below to learn more:
At the same time, there might be much more than meets the eye: monitoring of employees from their homes may also occasionally involve monitoring of their family members through webcams. Besides, depending on technical peculiarities and an ability to scan the background in a private premise, such monitoring may also reveal some special categories data about, e.g., employees’ sex life or religious beliefs (Article 9 of the GDPR).
In Finland one of the first fines handed out to a water supply management company which used location data in the vehicles used by employees which is considered systematic monitoring. A DPIA should be conducted.
Taken from DLA Piper blog Followed from a complaint made by an individual. Kymen Vesi processed location data of its employees by locating their vehicles. This location data was used to monitor the employees’ working hours. The Data Protection Ombudsman stressed in its decision that a data controller must carry out a DPIA when the processing likely results in high risk to the rights and freedoms of data subjects. Kymen Vesi should have carried out a DPIA since the processing of location data concerned data subjects in a vulnerable position (employees) and the data was used for systematic monitoring. In reference to the criteria list set in WP29 guidelines on DPIA and determining whether processing is likely to result in high risk, the processing conducted by Kymen Vesi satisfied three of the criteria (processing of location data, data subjects in vulnerable position and systematic monitoring of data subjects) when usually a DPIA is already required when two of the criteria are satisfied.
Read the rest of the blogpost from DLA Piper blog.
At least this is the latest position in Italy, which is rather interesting, and provides some lead in controlling this pandemic in the workplace, reducing the risk on rights and freedoms of employees. The relevant paragraph from the article worth reading and I am referring to is quoted below.
The Italian data protection authority held that serological tests run on employees are privacy compliant in Italy provided that the occupational doctor is the data controller and is the sole individuals aware of the results of the test, communicating to the employer only the suitability/unsuitability of the employee to perform the working activity.
I have never worked in a call-centre, having sat at Level 2-3 IT support in my younger days, but I’ve worked very closely with first-line support and felt the pressure that they are under. Their challenge is process as many calls as possible in shortest time, yet maintain quality. This means that the driver to find ways to identify key performance indicators (KPIs) is strong for the business. The main KPI being length of call which is easy to measure, quality is more difficult.
This has lead to innovations on the tracking of call-centre employees by correlating the metrics on the calls they take with what the employee is doing on their computer screen. This brings us to the use of surveillance, which is not just cameras, but telecommunications made easier with voice over IP together with a piece of software to enable screenshots when the call is being taken.
Is this disproportionate? Me with my privacy hat, says YES. Although clearly to record these actions for a specific purpose, i.e. to train, and help improve quality, effectiveness, could be good. This is not only for providing a quality service, but also for the employees who want to be great at what they do!
Some great guidelines have been published by CNIL. It’s in French of course, but the translation is actually rather good.
Really interesting case on workplace surveillance in Germany. Deustch Bahn (railway operator) has been conducting covert surveillance operations without the consent of their employees. It involved covert surveillance operations that were given exotic code names such as “Babylon”, “Traviata” or “Prometheus” as well as a private detective agency.
Deutsche Bahn has submitted a 37-page report to the German government and parliament. In the report, the Bahn admits that three major screenings took place in 1998, 2002/3 and 2005/6.
Although there’s talk of a legal “grey area”, some lawyers are convinced that Deutsche Bahn’s actions were illegal. “Screening the private data of employees and comparing this with the data of supplier companies is in accordance with German data protection law only if the employees themselves and the workers’ council agree with this beforehand. And this was not done apparently. Read more it will be an interesting case 🙂