Stay tuned! Sign up to receive our fortnightly digest via email.

Non-material damage under the GDPR

In one of its recent decisions the CJEU clarifies the right to compensation for non-material damage for data subjects. The request was made in proceedings between a natural person and Juris GmbH, concerning compensation for the damage suffered by the claimant as a result of various processing operations involving their personal data which were carried out for marketing purposes, despite the objections he had sent to that company. The CJEU upheld its previous decision, (of 25 January 2024 MediaMarktSaturn, C‑687/21), that infringement of the GDPR which confers rights on the data subject is not sufficient to constitute ‘non-material damage’, irrespective of the gravity of the damage suffered by that person:

“The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Art. 82 (1) of the GDPR, as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative.” 

At the same time, it is not sufficient for the data controller, in order to be exempted from liability, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Art. 29 of the GDPR. More legal reasoning of the case as well as rules on determining the amount of damages due as compensation for damage can be read in the court ruling. 

 ‘Pay or okay’ consent model

The EDPB adopted a long-awaited Opinion on Valid Consent in the context of Consent or Pay models implemented by Large Online Platforms. In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they only offer users a binary choice between consenting to the processing of personal data for behavioural advertising purposes and paying a fee. The EDPB underlines that personal data cannot be considered a tradeable commodity, and controllers should consider the need to prevent the fundamental right to data protection from being transformed into a feature that data subjects have to pay to enjoy. 

Thus, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, with a form of advertising involving the processing of less or no personal data. 

GDPR enforcement: new rules, strict deadlines, dispute resolution

On 10 April, the European Parliament adopted amendments to a proposal laying down additional procedural rules relating to the enforcement of the GDPR. In its 2023 work programme, the Commission announced that it would propose harmonising some national procedural aspects to improve cooperation between national data protection authorities. The MEPs amendments include:

• the right of all parties to equal and impartial treatment regardless of where their complaint was lodged;
• their right to be heard before any measure is taken that would adversely affect them, and 
• their right to procedural transparency, including access to a joint case file. 

MEPs want to standardise procedural deadlines for a supervisory authority to acknowledge that they have received a complaint and declare it admissible or inadmissible. Then, the authority would have to determine if the case is a cross-border one, and which authority should be the lead authority. Draft decisions must be delivered within nine months of receiving the complaint, outside of certain exceptional situations.

MEPs also want to clarify the rules involving amicable settlements, (consensual, negotiated resolutions to disputes). However, these do not prevent a DPA from starting its own initiative investigation into the matter. Finally, all parties to complaint procedures have the right to effective judicial remedies, for example when DPAs do not take necessary actions or comply with deadlines. 

FISA Section 702 reauthorisation

Last week the US House of Representatives voted to reauthorise Section 702 of the Foreign Intelligence Surveillance Act, (FISA), which includes a crucial provision allowing for American citizens to be surveilled without a warrant for another two years. The law has made it possible to monitor foreign communications in great detail, but it has also resulted in the gathering of phone conversations and correspondence from US individuals. 

Some privacy protections, such as the ban on sweeping up communications about a target along with communications to or from the target, were maintained. However, other amendments, including a new definition of internet service providers, might broaden FISA’s application. Prior to the statutory expiration of Section 702 on April 19, the measure now goes to the Senate. More analysis by the Lawfare Institute can be read here. 

More legal updates

Child safety online: On 10 April, the European Parliament endorsed certain derogations to the E-Privacy Directive to combat online child sexual abuse. In particular, MEPs adopted a temporary extension that allows the voluntary detection, by internet platforms, of child sexual abuse material, (CSAM), online. The implementation measures follow strict data protection safeguards pursuant to the GDPR, (legal basis for data processing, data retention policies, restricted data transfers, etc.). The derogation will be extended until 3 April 2026 so that an agreement on the long-term legal framework can be reached. The provisional rules will now have to be formally adopted by the Council before they can become law. 

US privacy legislation: Last week, a bipartisan group of lawmakers in Congress announced the Federal Privacy Bill, (APRA), with the likelihood of long months of discussions before the bill’s passage. This comprehensive draft legislation promises clear, national data privacy rights and protections for Americans, boosts data minimisation in the commercial sector and curbs large data holders and brokers, harmonises the existing state data privacy laws, and establishes new enforcement mechanisms and a private right of action for individuals. At the same time, the Federal Trade Commission would still have the authority to provide further recommendations and rules covering a significant portion of the APRA. 

Right of access basics 

The Luxembourg data protection authority has published a new illustrative factsheet, (only available in French), on the right of access. Any individual can ask a private or public entity, (the data controller), whether it holds their personal data and obtain a copy of the data processed. This right allows in particular to check whether the data is correct. The organisations can be asked to provide the categories of data processed, retention periods, explanations on how to exercise your rights, the lawful basis for processing, other recipients of your data, data transfers to third countries, data sources, and explanations on decisions made by automated processing or profiling. 

However, the right of access is not an absolute right. The organisation may refuse to provide you with data about third parties in some cases or a confidentiality obligation may be imposed by law. The organisation must respond to the request within one month including the justifications for refusal or possible delays in providing information. If the organisation does not respond, does not meet deadlines or you are not satisfied with its response, you can submit a complaint to the data protection authority. 

AI development and data protection guide

The French data protection authority CNIL has published its first recommendations on the development of artificial intelligence, in a way that respects personal data. The recommendations, (in French only), concern the development of AI systems involving the processing of personal data, (Machine Learning, general purpose AI, systems that are trained “once and for all” or continuously). The points addressed in the initial recommendations make it possible to:

• determine the applicable legal regime;
• define a purpose;
• determine the legal qualification of the actors;
• define a legal basis;
• perform tests and verifications in case of data reuse;
• carry out an impact assessment if necessary;
• take data protection into account when making system design choices;
• take data protection into account in the collection and management of data.

More official guidance

Legal basis for customer health data processing: When obtaining data from a person about their health condition, their explicit consent is required – confirms an administrative court in Poland. In the related case, a law firm contacted people injured in traffic accidents to represent them against insurance companies in courts in order to obtain compensation and pensions, as well as reimbursement of treatment and rehabilitation costs. The company obtained information about potential customers based on, among other things, press releases, online publications or content available on social media, as well as information provided or disseminated by organisations engaged in charitable activities. 

Subsequently, when meeting prospective clients, a representative of the law firm received only oral consent to the processing of personal data ahead of a possible conclusion of a contract with these persons but did not record or register it in any way. Also, the collection of this data was not necessary to perform the contract, because the persons from whom the data was obtained were not yet customers. However, this data was processed for other purposes, (eg. examining the profitability of concluding a contract with a potential customer and possibly establishing contact with such a person again). 

Recruitment data: The Latvian data protection regulator reminds us that an employer must avoid excessive data processing when selecting applicants. For example, a job advertisement should indicate as specifically as possible what information the employer expects from the candidate, and develop its own CV form. Also, after submitting their data, applicants as data subjects have the right to submit information requests asking for clarification on various aspects related to the processing of their personal data, so the employer must ensure that it is able to respond to such requests. Finally, there must be established procedures for how information obtained during the selection process, including applicants who are not hired, is stored and deleted. 

In the event that, after data collection, the employer concludes that data processing could also be carried out for a purpose different from that originally collected, the employer must assess whether this purpose is compatible with the initial processing, and also ensure that the applicant is informed. If the employer chooses to use the services of recruitment companies to find suitable employees, it is important to determine the role of such service providers and if the company is considered a data processor, an agreement on the data processing must be concluded. 

Avast non-anonymised data fine

Internet security company Avast has contested a fine of approx 13 mln euros from the Czech data protection agency over transferring the non-anonymised data of 100 million users to its subsidiary Jumpshot in 2019. Although Avast stated that it used robust anonymisation techniques, it was proven that at least some of the data subjects using its antivirus program and browser extensions could be re-identified. Moreover, the purpose of processing this data was not (only) to create statistical analyses, as Avast stated. 

In fact, the pseudonymised Internet browsing history was linked to a unique identifier. Jumpshot, among other things, presented itself as a company that made data available to “marketers,” providing them with insight into online consumer behaviour and offering “atomic-level” tracking of user journeys. The decision, (a cross-border case under the EU one-stop-shop procedure), comes after a 16.5 million fine from the US Federal Trade Commission and restrictions on selling user data for advertising. Avast, now part of Gen Digital, faces challenges both in the Czech Republic and the US.

Other enforcement decisions

Biometrics abuse in the workplace: In the UK, dozens of companies including national leisure centre chains are reviewing or pulling facial recognition technology and fingerprint scanning used to monitor staff attendance after a clampdown by the Information Comissioner’s Office. In February, the regulator found that the biometric data of more than 2,000 employees had been unlawfully processed at 38 centres managed by Serco Leisure. The ICO’s latest recommendations require companies to consider alternative and less intrusive options rather than biometrics scanning to meet their staff management objectives. In light of the ICO decision, a number of other leisure centre operators, like Virgin Active and 1Life, are either reviewing or stopping the use of similar biometric technology, according to The Guardian.  

Ransom attack on a healthcare system: Italian privacy regulator Garante issued fines on several technical and administrative entities, (in the Lazio region), in proceedings opened after a cyber attack on a regional healthcare system back in 2021. The ransomware was introduced into the system through a laptop used by an employee. It blocked access to many health services, preventing, among other things, management of reservations, payments, collection of reports or registration of vaccinations. Local health authorities, hospitals and nursing homes were unable to use some regional information systems, through which data on the health of millions of patients is processed, for a period of time that ranged from a few days to a few months. 

Outdated systems and inadequate management of the data breach failed to mitigate the negative consequences of the attack – from the inability to determine which of the servers were compromised by the IT service provider, to the inability to avoid further propagation of malware targeting numerous healthcare facilities under the umbrella of the data controller, (the regional administration). 

Audit methodology

The UK ICO conducted a consensual data governance audit of East Surrey College, (ESC). The recommendations by the regulator not only provided the ESC with independent assurance of compliance but also could serve as guidance for other organisations concerning:

• Data Governance and Accountability, (creating a privacy culture; comprehensive and up-to-date data maps and ROPA; training needs analysis).
• Records Management, (eg, creating a local-level asset register alongside the ROPA; correct use of attachments, encryption and the security of personal data in transit).
• Data Sharing, (reviewing, updating and creating data sharing policies, procedures and registers; documenting and appropriately justifying the lawful basis for sharing personal data;  data sharing agreements containing sufficient detail;  documenting and regularly reviewing technical and organisational security arrangements with data sharing parties, etc). 

Data security

Underestimated risks to data subjects: The Dutch national data protection agency AP claims that an excessive number of Dutch organisations that suffer from cyberattacks neglect to notify individuals that their personal information has been compromised. Approximately 70% of the time, organisations underestimate the likelihood of an attack. Therefore, the individuals whose personal information was compromised are unable to defend themselves against potential fraud or other crimes committed by online criminals.  They often target IT suppliers that manage large amounts of personal data. However, the organisations contacting them generally remain responsible if anything happens to this data. 

Countering cyber threats: An organisation that takes security measures seriously will not only be able to protect its data but will also be a trusted partner and a role model for others. The Estonian privacy regulator reiterates some simple but important recommendations on how to safely handle personal data in everyday work: 

• data encryption and pseudonymisation for long-term data storage;
• strong password rules or at least two-factor authentication;
• monitoring system activity and detecting unusual activity or requests;
• an incident response plan that is reasonable and clear;
• regular training or testing so that employees recognise scams and phishing emails;
• security audits, testing; 
• involvement of the data protection specialist;
• implementation of the information security standards;
• authorised processor due diligence.

The post Data protection digest 3 – 17 Apr 2024: non-material damage dilemma when losing control of your data appeared first on TechGDPR.

Legal processes

‘Machine learning is no excuse to break the law’: The US Federal Trade Commission alleged that Amazon, (Alexa voice assistant), kept kids’ data indefinitely to further refine its voice recognition algorithm. If approved by the federal court, on top of a multimillion fine, Amazon will have to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. Reportedly, Amazon is not alone in seeking to amass data to refine its machine-learning models. 

Similarly, the FTC proposed enforcement against Amazon’s subsidiary, Ring. The allegations say the company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

China SCCs: On 1 June, China’s new Standard Contractual Clauses for the cross-border transfer of personal data went into force. Entities using the SCCs must meet two requirements: a) a data transfer impact assessment must be performed by the data exporter, and b) the data exporter must sign SCC-compliant agreements with overseas recipients of the data. The Chinese SCCs do not distinguish between an exporter or receiver being a controller or a processor, in contrast to the EU SCCs. As an alternative to SCCs, organisations may also be required to undergo a security check by the Cyberspace regulator or certification by recognised institutions. Read more analysis by connectontech.com. 

Montana’s new privacy law and TikTok ban: Montana became the first US state to ban the use of TikTok and prohibit mobile application stores from offering the Chinese app within the state by next year. The ban covers state networks, but also third-party firms conducting business for or on behalf of the state from using applications with ties to foreign adversaries. The state would fine any entity, (an app store or TikTok), 10,000 dollars per day for each time someone “offers the ability” to access the platform or download the app. How these prohibitions will be implemented, though, is still unclear. 

Montana’s Governor also signed a new Consumer Data Privacy Act, joining California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia, which already enacted comprehensive consumer privacy laws. The law is scheduled to take effect in October 2024.

Health care data: The US Federal Trade Commission is modernising the Health Breach Notification Rule, clarifying the rule’s applicability to health apps and similar technologies, many of which aren’t covered by HIPAA. Changes will be made to the terms “identifiable health information,” “breach of security,” “health care provider,” and “health care services or supplies,” as well as the information that must be included in the consumer notice, and more. In parallel, to bridge the gap between HIPAA safeguards and health data that is obtained outside of conventional medical settings, Washington enhanced the protection for customers’ identifiable health information by passing the “My Health My Data Act”. 

Official guidance

Generative AI: The US Congressional Research Service published a paper on Generative AI and Data Privacy. Recently the term “general-purpose models”, (GPAI), was created by academics and policymakers to refer to software programs like ChatGPT that can do a variety of tasks. Large language models, (LLMs), which have the ability to detect, predict, translate, summarize, and produce language, are the foundation for many general-purpose AI applications. Duolingo, Snapchat, and other companies have partnered with OpenAI to deploy ChatGPT in their services. However, individuals may not know their data was used to train models that are monetized and deployed across such applications. 

SAR guidance: The UK Information Commissioner’s Office has published new guidance for businesses and employers on responding to Subject Access Requests. Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records. This includes where you got their information from, what you’re using it for and who you are sharing it with. 

Organisations must respond to a SAR from a worker without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests. At the same time, the UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. 

Right to object and right to erasure: The EDPB summarises the right to object in connection to the right to be forgotten in complaints from data subjects. Requests to stop processing personal data for marketing purposes and to delete already gathered data are frequently linked. Most of the cases show deficiencies in the internal procedure adopted to deal with such requests, including the accuracy of the procedure and internal communication, the timeframe for processing requests, and the accountability of the system for receiving/tracking complaints.

Workforce monitoring: Employers tend to control employees’ work performance, to keep track of the duration and frequency of the employee’s work, but also of their location and other indicators. As a basic setting, the systematic monitoring of employees using automated means, (cameras, apps), is considered a non-standard solution, states the Latvian data protection authority. It can only be used for short-term employee monitoring, and only if less privacy-intrusive means will not achieve the goal. Such processing must be clearly agreed upon in advance and must be understandable to both parties. Otherwise, this can undermine mutual trust with the employee, and even may contribute to a decline in the quality of work.

Enforcement decisions

Meta/Facebook enforcement: The largest GDPR fine to date of 1,2 bln euros has been issued by the Irish data protection authority on Meta Ireland. Following the “Schrems II” ruling Meta affected data transfers to the US on the basis of the Standard Contractual Clauses in conjunction with additional measures. But they did not prevent fundamental risks to data subjects in view of US state surveillance practices. 

Meta now must return already transferred personal data and stop other illegal processing within the next few months. The decision may have similar effects for any digital service provider subject to US surveillance laws and relying on EU Standard Contractual clauses until the problems have been resolved by the adoption of the upcoming  EU-US Data Privacy Framework by the Commission. 

Charity organisation: The ICO completed an audit of Age UK Wiltshire, (charitable and voluntary sector). AUKW requested an audit in January and submitted an audit questionnaire detailing their data protection compliance concerns. After the investigation, the main areas for improvement were identified: 

• Review and update existing data protection policies and create new policies covering records management, data sharing, DPIA, and information security. 
• Ensure that data protection training is mandatory for all staff, including annual refreshers and specialised seminars. 
• Complete an information audit to help the organisation have an understanding of all of the information that is held and its flows. 
• Create an Information Asset Register, (IAR), to record the information assets identified by the information audit and ensure that the IAR is periodically reviewed.
• Review and update the current subject access requests, (SARs), and policy, including completing identity checks, that are communicated to staff.
• Create and maintain a SARs log as a documented record of all completed and ongoing SARs. 

Video surveillance: The Italian privacy regulator ‘Garante’ imposed a 50,000 euro fine on a clothing company, (with over 160 stores), for having installed video surveillance systems in various company outlets. The company had justified the need to defend against theft and to ensure the safety of employees and corporate assets, and prevent unauthorized access. The investigation showed that all the shops were equipped with at least 3 video cameras, active 24 hours a day, 7 days a week, in the areas reserved for workers and suppliers. In larger outlets, it was up to 27. The fine was issued, taking into account the significant number of employees involved, (over 500), and points of sale, as well as the absence, (or violation), of authorization or agreement with the trade union representatives.

Tax data: The Belgian data protection authority decided to prohibit the transfers of data of Belgian “Accidental Americans” by the Belgian Federal Public Finance Service to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian data protection regulator, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. The regulator also orders the public service to inform in a complete and accessible manner the data subjects of the data processing carried out as part of the FATCA agreement and of its modalities. It also asks to carry out a DPIA.

Automated rejection of credit card application: Berlin’s supervisory authority imposed a 300,000 euro fine against a bank after a lack of transparency over the automated rejection of credit card applications, according to the EDPB summary. A Berlin-based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant’s income, occupation and personal details. Based on the information requested and additional data from external sources, the bank’s algorithm rejected the application without any particular justification. Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed poor creditworthiness in his case. 

Biometric ID checks: Mobile World Congress’s organizer received a 200,000 euro fine in Spain for doing inadequate biometric ID checks at the 2021 venue. For the “in-person” option, the organizer requested a complainant to upload passport details, including photographs that were transferred to a service provider in a third country for facial recognition security purposes. However, the legal basis for it was verified from consent to legal obligation in different notices. Plus, neither the privacy policies nor the email communications provided clear information on data transfers to a third country. Additionally, the organiser’s DPIA failed to assess risks or the proportionality and necessity of the system implemented, (called BREEZZ).

Doctissimo fine: Following a complaint by the Privacy International association, the French privacy regulator fined the doctissimo.fr website 380,000 euros. It mainly offers articles, tests, quizzes and discussions related to health and well-being for the general public. The regulator noted infringements concerning the duration of data retention, the collection of health data via online tests, the security of data as well as the ways cookies were deposited on user’s terminals. Additionally, the company processes personal data with other entities, in particular for the marketing of advertising spaces on the website. These relationships of joint responsibilities were not framed by any contract.

Google Analytics: The Finnish data protection commissioner has issued a notice to the meteorological institute about the transfer of personal data to the US via website tracking technologies. The institute had not defined or applied the legal basis for the transfer of data in the use of reCAPTCHA and Google Analytics services. Nor had it suspended data transfers without delay after the CJEU’s “Schrems II” decision, even though it no longer had a valid basis. The institute has taken steps to remove the tools and services from its website. The order also includes the deletion of data that had been transferred illegally to the US. 

Data security

Mobile device management: Mobile devices make it easier for employees to complete their job from home, at the workplace, or while on the road. In order to reduce an organisation’s risk profile, it is critical to manage security and device health. The US NIST explains the benefits of Mobile Device Management when an employee’s personal or corporate-owned device can be enrolled into an MDM solution to apply enterprise configurations, manage enterprise applications, and enforce compliance. To learn more about how to use standards-based, commercially available products to meet security and privacy needs you can download the latest guidance by NIST here and here. 

De-identification: The Government of Canada publishes instructions on de‑identification as a privacy‑preserving technique. Although the pseudonymisation of data is a step toward anonymisation, it still permits re-identification. The acceptable risk level must be determined based on the context. it is always preferable that privacy experts work together with data specialists. For instance, there are activities that increase the risk of re‑identification, such as integrating datasets or data matching, so it is important to continually assess privacy and re‑identification risks, even after applying privacy safeguards. 

Big Tech

NHS data sharing: According to the Guardian, NHS trusts are sharing sensitive data about patients’ health conditions, medical appointments, and treatments with Facebook without their knowledge and despite promises to never do so. An Observer investigation revealed a monitoring feature, (Meta Pixel), on the websites of 20 NHS trusts that has been collecting medical and patients’ browsing data for years and sharing it with the tech giant. The information contains specific details such as sites viewed, buttons pressed, and keywords searched, and matched to the user’s IP address. This included patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.

Microsoft cookies: Microsoft Ireland revised its cookie policy for the Bing search engine in France after it received a reprimand from the country’s data protection agency CNIL for privacy violations, govinfosecurity.com reports.  In December the CNIL fined the company 60 million euros for a deceptive cookie policy that it claimed made it impossible for Bing users to stop data collection. CNIL gave Microsoft three months to comply with its cookie policy or risk further penalties of 60,000 euros per day.  In particular, Microsoft needed to obtain French Bing users’ consent to enable cookies used to combat advertising fraud.

The Privacy Sandbox: Google announced the next stages of Privacy Sandbox – General availability and supporting scaled testing. In Q1 of 2024, it plans to deprecate third-party cookies for one per cent of Chrome users. This will support developers in conducting real-world experiments that assess the readiness and effectiveness of their products without third-party cookies. This will follow the introduction in Q4 of 2023 of the ability for developers to simulate Chrome third-party cookie deprecation for a configurable percentage of their users. 

The post Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ appeared first on TechGDPR.

Therefore, it is important to understand GDPR compliance. In most cases, the company that posts its vacancy and embarks on the recruitment process will be considered the data controller. This will make them responsible for adhering to several obligations.

Notably, here are some specific and recurrent instances, in the course of recruitment, headhunting and hiring, where a controller should look closely at the GDPR to make sure it is implementing the most appropriate and compliant solution. 

Legal bases: which is the most appropriate?

The lawfulness principle of the GDPR, first introduced in Article 5, requires that data is processed in a lawful manner, meaning that it must rely on at least one of the legal bases listed in the following Article 6. Not all legal bases are, however, always going to be applicable or the most appropriate choice, especially when dealing with candidates sourced online or applicants. The same holds true for current employees.

The imbalance of power when relying on consent

The European Data Protection Board (EDPB) acknowledges in their guidelines 05/2020 on consent, that there is a clear imbalance of power between an employer and their employee. Undeniably, the same is to be considered between a potential employer, and a prospective employee, or applicant. Although there is no dependency yet, one can still argue that an employer has a stronger bargaining position over a candidate that wishes to work for them. Therefore, the EDPB generally advises against the use of consent as a legal basis for processing activities carried out in this context. That is because, it would be difficult to prove that consent is freely given, as required by definition in Article 4 of the GDPR. In practice, it is likely that a candidate would feel obliged to provide their consent to any use of their data, as they might assume it gives them a better chance to get the job.

Legitimate interest is a good option, but comes with requirements

Instead, relying on legitimate interest might be preferable. However, the controller must still be mindful that it will also come with requirements. Based on Article 6 of the GDPR, the legitimate interest of the controller, cannot override the interests or fundamental rights and freedoms of the data subject. Which means that to begin with, the organization will have to, first and foremost, identify what the specific legitimate interest pursued is. Generally, sourcing individuals online, perhaps on professional social networking platforms, to find suitable candidates for a specific position, can be in the interest of growing a team and overall bettering an organization. However, merely identifying the interest is not enough. One would have to also balance this interest with the rights and freedoms of the data subject, also known as a balancing test, by performing a legitimate interest assessment.

Performance of a contract can be relied upon, but with limitations

Similarly, the legal basis of necessity for the performance of a contract might actually be the most appropriate for the processing of data of individuals who apply for an open position. Specifically, when interpreting the Article 6(1)(b) provision: in order to take steps at the request of the data subject prior to entering a contract. However, this might require strict adherence to the definition. It would have to be a contract that the data subject has requested. Therefore, for processing activities in the context of online recruitment and headhunting, it is unlikely that this legal basis can be relied upon. Instead, as mentioned above, legitimate interest might be the only option.

Online recruitment and the duty to inform

On the topic of online scouting and headhunting, there are further legal obligations that controllers need to be mindful of, when processing personal data for this purpose. Those being, depending on how these activities are carried out, the requirements of Article 14.

Reaching out to the candidate in due time

First and foremost, it is crucial to actually contact the candidate, if their data has been processed. In fact, Article 14 requires this communication to be done within a reasonable period after obtaining the personal data and at the latest within one month. That time-frame should also serve as a retention period for the data processed for this purpose, should the candidate not respond, for example. 

The communication should also require all the information to ensure that the transparency principle is met. Therefore, ideally the candidate should be directly informed, or at the very least be provided with a specific privacy notice indicating all the information required by Article 14 e.g. the identity of controller, the purpose of processing, the categories of data processed, etc…

Honoring data protection principles and data subject rights

Needless to say, the controller should adhere to the other principles of the GDPR. Notably, data minimization, by processing only the information that is strictly required to source the ideal candidate.

Furthermore, a controller should also inform candidates of and be mindful of data subject rights. Specifically ensuring that mechanisms are in place to allow for candidates to exercise them, and ensuring that the data be processed for a specific purpose, so once that has been fulfilled, the data should no longer be processed. In practice: if the data is only processed to reach out to potential candidates, and they reject the offer but do not expressly request the data to be erased, their personal information should still be erased, unless it serves another explicitly indicated purpose.

Processing special categories of data in recruitment

In accordance with Article 9 of the GDPR, special categories of data include the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data related to sex life or sexual orientation.  As a general rule, processing data that falls under these categories is prohibited. However there are exceptions. Related to the context of hiring potential employees, two might be particularly relevant: explicit consent from the data subject and necessity to carry out legal obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law, based on national law provisions.

How does this apply to recruitment?

There are several reasons. For example: a potential  employer might wish to request information about a candidate’s disability to make relevant adjustments, perhaps for interviews and, if relevant, for the work moving forward. Furthermore, many companies have established equal opportunity programs, dedicated for specific minorities and/or in a certain field. Alternatively, they wish to monitor whether they meet equal opportunity requirements. Some organizations might even get recognition for ensuring high standards for diversity e.g. Stonewall Top 100 employers in the UK, Human Rights Campaign Corporate Equality Index. However, in order to monitor those metrics and ensure diversity, they process special categories of data, such as race, disability (health data) and sexual orientation. 

Explicit consent or national law obligation?

As mentioned before, using explicit consent might be an issue, because it is hard to truly guarantee that it is freely given in this context. Especially when applying for an equal opportunity program, it is unlikely that the applicant has any choice but to disclose the relevant information, as that will be the deciding factor as to whether they meet the criteria to enter into the program. 

Instead, one can rely on the second exception, related to national legal obligations. In many countries, laws that ensure the equal treatment of minorities and penalize discrimination at work, often also include articles or sections that require positive action, in the field of employment. For example, in Germany, positive action is required by §5 of the Equal Treatment Act (AGG). In the UK, where the UK GDPR applies, this is provisioned in Article 159 of the Equality Act 2010. 

Organizations are left free to decide how to implement this, but this freedom has gradually led to defining metrics and equal employment opportunities. Since this is a way to exercise a legal right of the data subject, and a legal obligation of the controller, one could preferably rely on this exception, rather than explicit consent. 

In fact, best practice would be to rely on the national legal obligation exception where such exceptions apply, but request data subject’s explicit consent, which gives them the option not to reveal this information e.g. prefer not to say.

In conclusion…

Under the GDPR, controllers must process personal data of candidates and applicants lawfully. Not all legal bases are equally applicable: in the context of recruitment, relying on legitimate interest or performance of a contract might be more reliable than relying on the applicant’s consent, although those also have their rules and limitations too. 

Furthermore, a controller must ensure to note and follow the obligation to contact candidates that it scouts online, and keep in mind the one month deadline to get in touch.

Lastly, controllers might wish to get acquainted with national legal obligations in the scope of equal employment, as legal obligations in those frameworks provide them with a legal basis to process special categories of data, for the purpose of promoting diversity in the workplace. 

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.

The post Understanding GDPR Compliance in Recruitment appeared first on TechGDPR.