Topic: Data privacy and GDPR

Subscribe to Data privacy and GDPR RSS feed

Vicarious Liability – the UK Supreme Court hands down two important decisions.

The Supreme Court has now delivered its judgements on two important cases involving the concept of vicarious liability. In both it has upheld the appeals holding that the employer was not vicariously liable.

The first case is WM Morrison Supermarkets plc v Various Claimants.  The case concerned a data breach by a disgruntled employee of payroll data relating to some of the workforce.  Despite immediate steps being taken by the employer to protect the employees, and the individual being found liable, some of the affected employees brought proceedings against the employer on the basis that it was vicariously liable … Continue Reading

Covert monitoring in the workplace – impact on an employee’s privacy

The Grand Chamber of the European Court of Human Rights (ECHR) has held that Spanish shop workers’ right to privacy under Article 8(1) of the European Convention on Human Rights was not violated when their employer obtained evidence of theft from covert CCTV footage of the employees.

The case involved five employees who worked as cashiers at a supermarket chain.  The employer noticed stock discrepancies and as part of the investigation installed CCTV cameras, both visibly within the store and hidden cameras at the checkouts.  Although customers and staff were aware that CCTV cameras operated, the employees were not aware … Continue Reading

New EU rules for protection of whistleblowers

On 7 October 2019, the EU Council formally adopted the new Whistleblowing Directive that will guarantee whistleblowers EU-wide standards of protection. The Directive obliges both public and private organisations and authorities to set up secure reporting channels, so that whistleblowers can report violations of EU law as safely as possible. Member States have two years to transpose the rules into national law.

The main elements of the new legislation are:

  • Companies with more than 50 employees and national and regional administrations and local municipalities with more than 10,000 inhabitants will be obliged to set up secure reporting channels. They will
Continue Reading

Facilitating HR Management: Electronic medical certificates

As part of the “Third Bureaucracy Relief Act” the German government intends to introduce an electronic submission procedure for medical certificates regarding the incapacity of employees. More than 80 million of such certificates are issued every year by doctors in Germany. Replacing extensive documentation and record-keeping duties will allow medium-sized companies in particular to reduce existing manual processing workloads.

According to current German law an employee must submit a medical certificate of incapacity to the employer at the latest by the fourth day of absence due to illness. In the future, employers will be able to retrieve electronic certificates directly … Continue Reading

Control or trust: Legal claim to home office?

Digitization and  technological advances are accelerating the flexibility of working conditions leading to a changed understanding of leadership. A key topic of debate is the “home office” which is currently used by approximately 12 per cent of employees in Germany for all or part of their working time. On this topic, the German government is currently considering a bill requiring companies to comply with a worker’s desire to work from home – based on their assessment that 40 per cent of all employees could realistically work from home and that the majority of employees would be interested in doing so.… Continue Reading

Vicarious liability in the data breach context – bad news for UK employers

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.

In reaching this conclusion, the Court of Appeal confirmed that the Data Protection Act 1998 (DPA) does … Continue Reading

The GDPR – What does it mean for Employers?

You cannot fail to have noticed that the GDPR (General Data Protection Regulation ((EU) 2016/679)) came into force today.   The Data Protection Act 2018 received Royal Assent on 23 May and ensures that the standards set out in the (GDPR) have effect in the UK.

The GDPR affects the processing of employment data – but what does this actually mean for employers?

Changes to contracts of employment

Many existing contracts of employment will contain clauses giving consent for employers to process their employees employment data. As a result of the GDPR the conditions for obtaining consent to processing of data … Continue Reading

ICO updates its subject access Code of Practice

The Information Commissioner’s Office in the UK (ICO) has updated its Subject Access Code of Practice (the Code) which deals with requests from individuals for personal information. The amendments are mainly to reflect the Court of Appeal’s decisions in the recent cases of Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Deer v University of Oxford [2017] EWCA Civ 121.… Continue Reading

Norton Rose Fulbright’s online guide to global employment law is now available

More and more organisations are growing their global footprint and need to move their people around the world. In this global environment, it is essential to know, understand and comply with employment and labour laws in place across all of the jurisdictions in which organisations engage people. This will help to protect business from unnecessary risk, whether legal, financial or reputational.

We have launched a new interactive online version of our Global employment law guide first published in 2015.

Featuring 28 jurisdictions, our interactive guide helps clients navigate the often disparate and diverse national employment and labour laws, in particular … Continue Reading

Employment Law and Financial Institutions

In the financial sector, in addition to individual employment contracts, working conditions can be subject to various industry related statutes and regulations, collective bargaining agreements and works agreements.

Laws and regulations

As a reaction to the global financial crisis, the participants of the 2008 G20 summit in Washington, including Germany, agreed on the establishment and implementation of global standards of regulation, cross-border supervision and management to avoid conflicts of interest and to create an early warning system to avoid a repetition of the financial crisis.

In response to this resolution, the Financial Stability Board (FSB) published principles for sound compensation … Continue Reading

Use of social media in France: Employee’s rights and obligations

The impact of the use of social media in the workplace has regularly given rise to controversies and debates as how this subject is to be handled by a company’s management. The current state of employment law is still not entirely settled in this respect. It is however possible to provide some guidance on the most common issues arising from such use with regard to employment law (data protection regulations will not be considered in this article).

Access and control of social media in the workplace

As a general rule, employees are allowed to access the internet for non-professional purposes … Continue Reading

Data protection and employment law update (Italy)

The Italian Data Protection Authority (IDPA) is increasingly faced with issues relating to the ways employers may monitor the Internet usage of its employees. In 2016, the Authority handed down two important decisions on this topic.

In the first decision, the IDPA stated that an Italian University (the University of Chieti and Pescara) was acting unlawfully in the way that it used e-mails to trace the identity of Internet users. This University, without having given any prior warning to its employees, implemented a system that retained information regarding personal Internet access, for the purpose of service monitoring, internal security and … Continue Reading

ICO updates its subject access Code of Practice

The Information Commissioner’s Office in the UK (ICO) has updated its Subject Access Code of Practice (the Code) which deals with requests from individuals for personal information. The amendments are mainly to reflect the Court of Appeal’s decisions in the recent cases of Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Deer v University of Oxford [2017] EWCA Civ 121.

In the UK under the Data Protection Act 1998 (DPA 1998) a data subject, such as an employee, has a right, on making a subject access request … Continue Reading

Misclassification of Workers under the Fair Workplaces, Better Jobs Act, 2017 (Bill 148)

On May 23, 2017, the Ontario Government released The Changing Workplaces Review: An Agenda for Workplace Rights Final Report.  The report reviewed numerous aspects of our workforce and the legislation that applies to it.  A portion of the report included a statistic that found a significant increase in the number of individuals that are self-employed without paid help.   The report then provided the following assessment of that statistic:

“[S]ome of the growth in self-employment is the result of deliberate misclassification by businesses that do not wish to incur liability for employees and wish to shed liability for Continue Reading

The GDPR – what does it mean for HR?

The implementation of the General Data Protection Regulation (the GDPR) on 25 May 2018 will see a replacement of the current data protection law set out in the Data Protection Act 1998 and an extension of data protection obligations. Employers process a large amount of data in relation to their employees, not only the information held on personnel files, but also data relating to their use of the computer, access cards and CCTV.  With just under a year to go until its implementation, what steps should employers be taking with respect to prepare for the new rules?

Consent

Personal data … Continue Reading

Monitoring an Employee’s use of the internet

The European Court of Human Rights (ECHR) has held that an employee’s right to respect for private life and correspondence is not breached where an employer monitors the employee’s personal communications at work, subject to reasonableness and proportionality. Whilst this has caused a large amount of media interest in the UK, employers should be aware that this case does not entitle employers to monitor all employee’s emails and social media sites.

In the case from the Romanian courts, an employee was using a business Yahoo messenger account (which he had set up at his employer’s request) to send and receive … Continue Reading

Evidence collected through stratagems is not admissible

The legal context

Under French employment law, the implementation of a means of monitoring an employee’s activity must be justified by the nature of the task to be performed and must be in proportion to the purpose sought. It must also comply with a specific procedure involving informing employees in advance of such means of monitoring, information to and consultation with employees’ representatives (if any) and where relevant the intervention of the French data protection authority. Breach of these rules by the employer permits a court to reject any evidence obtained by illicit means against an employee.

In this context, … Continue Reading

Employees’ rights and obligations relating to the use of social media in Germany

In Germany 80% of all internet users are registered in social networks and 70% of all internet users actively make use of social networks. This development is also increasingly having an impact on the world of employment.

Social media and recruitment

In general, German data protection legislation allows the employer to collect and use an applicant’s/employee’s personal data to the extent necessary to decide whether or not to hire the applicant and in order to carry out or terminate the employment. Personal data must generally be collected directly from the applicant/employee. However, personal data may be collected from other sources … Continue Reading

Employees’ rights and obligations relating to the use of social media in France

The impact of the use of social media in the workplace has regularly given rise to controversies and debates as how this subject is to be handled by a company’s management. The current state of employment law is still not entirely settled in this respect. It is however possible to provide some guidance on the most common issues arising from such use with regard to employment law (data protection regulations will not be considered in this article).

Access and control of social media in the workplace

As a general rule, employees are allowed to access the internet for non-professional … Continue Reading

Employees’ rights and obligations regarding the use of social media in the UK

The importance of a clear policy on employees’ use of social media 

Whilst there is legislation which is relevant to the use of social media by employees in the UK, there is no legislation which specifically governs its use. Consequently, policies on the use of social media, both in and outside the workplace, are encouraged so that it is made clear to employees firstly, whether the use of social media sites is permitted at all and, if it is, the rules which govern their use.

How extensive a policy should be will vary considerably depending on the size, sector and … Continue Reading

LexBlog