Tag: personal data protection

  • Teleworking and Personal Data


    Teleworking & Personal Data [: and the utopia (?) regarding their protection …]

    Telework is a special form of flexible employment, and it holds a special value. Its use has, in recent times, been impressive and, thanks to the pandemic, has become normal. It is true that safeguarding personal data has not been our priority. Would it, however, be unrealistic to try to protect them?


    Flexible forms of employment and telework: a familiar reality in today’s world.

    Flexible forms of employment are gaining ground in the job market. To some extent, they seem to have been demonized by some people. They are, however, a reality. Probably not unpleasant for the vast majority of employees who enjoy the benefits that come with them.

    Distance working and (its most common form) teleworking had begun to slowly gain ground in our country’s labor market. That was B.P. (: before the pandemic). We have analyzed common telework in a previous article.

    The national legislature has addressed telework in the past. The relevant legislative effort, however, has gaps. Moreover, the application of this form of work had remained at the discretion of both parties involved: employer and employee had to agree to apply telework.

    The need of businesses to utilize the service of their employees is always a given. And this does not change at the time of the pandemic.

    The extraordinary circumstances created by coronavirus (SARS-CoV-2) resulted in the adoption of emergency measures. Among them is the employer’s ability to (unilaterally) determine “… that the work provided by the employee in the workplace under an individual contract, will be carried out with the system of remote work” (art. 4 par. 2 of LD/ 11.03.2020).

    Working remotely has, in our minds, become identified with teleworking. The latter (: teleworking) has become the necessary means for a large number of businesses to ensure continuity in the provision of their services and to continue employing a large number of employees.
    The vast majority of businesses already enjoy its benefits.

    As a result (among others of emergency measures), telework has been established, even if temporarily. This is a good omen for its further use and development, also A.P. (: in the era after the Pandemic).

    However, the turn to telework for the temporary handling of some emergencies was not organized. Many businesses appear, even today, poorly prepared: they have to face the challenges as they come. These businesses (and not only them) are exposed to significant risks. Among the most important: the risk to the security of personal data.


    The risk relating to personal data

    Teleworking often involves remote processing of personal data. Such processing does not offer the protection that, as a rule, a corporate network offers. Employees who have remote access to the employer’s infrastructure are not protected by the (cyber) security measures that (usually) cover the business’s facilities. The risk of unauthorized access to personal data appears – and is – increased. Loss, unauthorized use or destruction of the relevant data by employees, associates and customers may also occur.

    This danger is not unprecedented. It had already been identified by the Working Party (of Article 29) (Opinion 2 / 08.06.2017 on the processing of data at work).

    A lot has happened since then. Extraordinary conditions, a mass and “knee-jerk” turn to teleworking, and the need to raise awareness and inform controllers, processors and employees about the obligations arising from the GDPR and law 4624/2019 were some of those things. All that, among other things, led the Personal Data Protection Authority (DPA) to issue Guidelines. Specifically, the “Guidelines of the Protection Authority for taking security measures in the context of teleworking”.


    The Guidelines of the DPA

    The DPA draws attention to the seriousness of the risks posed by remote work. It emphasizes the need for adequate information of employees and the valuable assistance to the Controller of the Data Protection Officer (DPO), where the law requires one to exist. It also points to the obligation of businesses to protect the personal data of their employees. A protection that is particularly important in the case of teleworking. The reason: the blurring of the boundaries between professional and private life, and the need to protect the latter. Reasonably so, as “the employee, due to the fact that they are at home, has a higher expectation for the protection of their private life.”

    In addition, the DPA recommends taking specific measures when applying telework. These measures regard: (a) Internet access, (b) the use of e-mail/messaging applications, (c) the use of terminals/storage devices, (d) teleconferencing.

    Specifically:

    • Regarding the Internet access

    Ensuring safe remote access to the business’s information system is considered vital. The DPA recommends the use of a virtual private network: a network in which data is encrypted and users are authenticated (e.g. IPsec VPN). The business must determine and limit the resources to which remote access is allowed, to the absolutely necessary, depending on the duties of each teleworker.

    Teleworkers, in turn, need to use the WPA2 (Wi-Fi Protected Access II) security protocol with a strong password when connected to the Internet over a wireless network (Wi-Fi). They should also avoid storing files with personal data on online storage services (e.g. Dropbox, OneDrive), unless the appropriate conditions and guarantees (e.g. encryption) are ensured …

    • Regarding the use of e-mail applications / messaging

    When addressing e-mails, the DPA points out the need to avoid the use of personal e-mail addresses when teleworking. Receipt and sending of messages that may contain personal data must be done through the professional e-mail address of the business. There is, however, also the case of technical inability to use the professional e-mail address. In this case, the Authority recommends appropriate encryption of the content of messages containing personal data. It also reminds us that the use of personal data in the subject of the e-mail message should be avoided.

    In addition (although it goes without saying), the Authority recommends avoiding the use of messaging applications (text and/or video) for the purposes of teleworking when the messages contain personal data whose leakage would pose a risk.

    • Regarding the use of a terminal device / storage media

    The DPA also emphasizes the special care that the employee must take – always according to the employer’s directions – of the devices (e.g. computer, laptop, etc.) through which telework is provided.

    Indicatively: these devices must have antivirus programs installed and regularly updated. In addition, they must have the latest updates of the application software and operating system installed. Internet browsers (e.g. Firefox, Chrome, etc.) used by teleworkers should also be updated to the most recent versions available. It is also advisable for teleworkers to either use private browsing or delete the browsing history related to telework at the end of each task. They must also separate the files that contain personal data (related to their work) from their personal files. It is possible (at least not unlikely) that third parties (for example, members of the employee’s family) have access to the computers used. For this reason, the devices, but especially the specific files and work environments, must be “locked” (: protected) with strong passwords.

    Correspondingly, however, businesses must support teleworkers with appropriate procedures for encrypting files that contain personal data, especially when such files are stored on a portable/detachable storage medium (e.g. USB stick). Businesses also need to support the backup process, in particular with regard to the personal data files that are processed in the context of teleworking activities.

    • With regard to teleconferences

    The pandemic led to a significant further expansion in the use of teleconferences and the facilities they offer. However, when teleconferencing, satisfactory measures must be taken to ensure the security of personal data.

    In particular, according to the DPA, the use of platforms that support security services (encryption) is a requirement for the conduct of teleconferences. In addition, in the case of scheduled teleconferences, the relevant link should not be made public (e.g. on social media). Finally, businesses that use teleconferences must carefully study the terms of use and the terms of personal data protection when selecting the appropriate teleconferencing platform.


    The risk of businesses taking disproportionate measures to protect personal data

    In an effort to mitigate the risk to personal data, businesses may be exposed to another risk. A danger lurking on the opposite side: that of adopting disproportionate, and ultimately illegal, means of personal data protection. In particular, they may consider it justified to use software that has the ability, for example, to record the sequence of keyboard characters and mouse movements, to record screenshots (either randomly or at regular intervals), to record the applications used (and their time of use) and, on compatible devices, to activate webcams and collect the recorded material.

    These technologies are widely available. However, the Working Party of Article 29 (Opinion 2 / 08.06.2017) has already ruled on them. In particular, it considered that the processing carried out with these technologies is disproportionate: the employer cannot substantiate legitimate interest as its legal basis. Such practices are prohibited. Employers must not adopt them (obviously not even) in the context of telework. A pandemic cannot be an excuse.


    Teleworking is (and continues to be) an important tool in dealing with some of the consequences of the pandemic.

    Concepts, connection and communication protocols, and platforms previously unknown to the general public have already become widely known. To a great extent: familiar. Sometimes even: necessary work tools.

    We already know very well that technology tools expand horizons and capabilities. But they also increase risks. Some of the risks increased are related to the management and protection of personal data.

    The DPA reminds us of those risks.

    In any case: Teleworking is not at any risk from the care for personal data. On the contrary, personal data are at risk from the (careless) use of telework. Their protection, in the context of telework, is not a utopia.

    Let us concern ourselves with their protection. But not because the “Authority says so”.

    The risks we face from their misuse are real.

    And closer than we think.

    And serious.

    And economically measurable.


    Stavros Koumentakis
    Senior Partner


    Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.

  • GDPR: The next day: Biometric data and employment


    The GDPR has been in place since May 25, 2018, and every day we discover that adjusting to its requirements affects the philosophy and operation of a business. One such issue is the entry control of employees by taking biometric data (e.g. fingerprints). Why is that so? Because while I can “clock on on behalf of my colleague” so that my colleague “has a little bit more morning sleep”, I cannot deceive the smart machine that “reads the fingerprints or the iris”. The GDPR sets strict barriers to such choices.

    Pursuant to Article 9 par. 1 of the Regulation, the processing of biometric data for the purpose of uniquely identifying a person is generally forbidden. Such processing is permitted, exceptionally, with the explicit consent of the Subject and in any case in accordance with the guidelines on consent No. 259 / 28.11.2017, adopted by the European Data Protection Board. It is the settled position of Working Party 29 that there can be no question of free consent in the case of a “power imbalance”, as is the case in the employer-employee relationship.

    Already since the application of Law 2472/1997, the Data Protection Authority has issued decisions on the processing of biometric data in the workplace. In these decisions, the Greek Authority develops the position that such processing is not necessary for monitoring employees’ compliance with their working hours. As a result, such records constitute an excess, the abusive nature of which is not waived by any employee’s consent.

    Decision 56/2009 of the DPA, in a relevant case, is indicative of the scope of the exception. According to this decision, the Authority did not find it illegal to use fingerprint recognition equipment, because it concerned specific employees who would have special access to a particular site that could be classified as of the highest security, since it held “Certification Authority Keys”, namely on the basis of the public interest. In fact, this decision deals with the issue in terms of authorization, substance and legitimacy, and not in technical terms, as the specifications had already been met: (a) data encryption, (b) non-retention of data, and (c) non-connection to a central system.


    Decision 50/2007 is indicative of the DPA’s consistent position

    Decision 50/2007, in another case, is indicative of the Authority’s consistent position. Although the company’s argument was based on the fact that “the system is based on the method of finger geometry and the data collected from it are recorded and stored in a file that is encrypted, while fingerprints are neither collected nor stored”, the DPA set aside the specific arguments and insisted that “the introduction and use of biometric data is a processing of personal data of employees which is not necessary for the purposes of monitoring the entry and/or exit to premises/buildings and observance of their entering and leaving hours and is therefore illegal”.

    Ultimately, collecting biometric data in a working environment is only possible by way of exception. Balancing the needs of the company and the requirements of the Regulation undoubtedly leads to choices that will prevent the company from being harmed and will leave employees’ rights unaffected.

    Petrini Naidou
    Senior Associate

    P.S. A brief version of this article has been published in Greek in MAKEDONIA Newspaper (February 24, 2019).


  • Personal Data Protection And Companies

    European requirement: the enforcement of Personal Data Protection. New compliance rules (Regulation 2016/679)


    Preamble: What Does Non-Compliance Mean

    It is true that any new obligation created for a company burdens its operating costs. But could anyone suggest non-compliance with the obligations under this Regulation for Personal Data Protection?

    We cannot remain indifferent to this. The European Regulation (2016/679) is in force without the need for ratification by the Greek legislator.

    Sanctions threatened? Unsustainable! Without going into the details of criminal sanctions, the maximum penalties (fines) amount to € 10.000.000 or € 20.000.000, or to 2% or 4% respectively of the infringer’s worldwide turnover (where the above amounts are below the respective percentages of its worldwide turnover!)

    Things are NOT simple …


    The Existing Institutional Framework

    The need to protect individuals from the constantly evolving (due to the rapid developments in technology) exposure of their Personal Data, and to create a secure modus operandi for data processors, is underlined by European Regulation 679 of 27 April 2016, which shall be in full effect for all Member States (among which our country, of course) on 25.5.2018.

    With Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (and its revisions), the Greek legislator incorporated European Directive 95/46/EC “On the protection of individuals with regard to the processing of personal data and the free movement of such data”.

    The key foundations for the Protection of Personal Data that had already been set twenty years ago referred to the identification of:

    (a) the basic concepts such as “record”, “data subject”, “simple data”, “sensitive data”, “controller”, “processor”

    (b) the rights of the Subjects of Processing (each of us)

    (c) the obligations of Personal Data Controllers (natural and legal persons, bodies and organizations with whom we are required to have transactions in our daily lives, from our employer to the Tax Register); and

    (d) the establishment of the Personal Data Protection Authority, which would then function independently, as a supervising body and as an institutional guarantor for verifying compliance with the European requirements.

    The Personal Data Protection Authority has been set up and operating since then. It undertakes vigorous action, and its decisions have become a serious item on the agenda not only of the legal world but also of public opinion, as for example in the case of recording religion on identity cards.

    The European Parliament chooses in this Regulation a more dynamic position than the previous Directive, since the former is a law of increased formal validity (it prevails over the laws of each member state) and is (unlike the Directive) directly applicable horizontally (its incorporation by the national legislator is not required).


    The Tightening For The Protection Of Personal Data In The Context Of The European Regulation

    The Regulation strengthens the protection framework and in particular:

    (a) The Controller is required to choose the most secure organizational and technical measures, both at the time when the means of data collection and processing are defined and at the time of processing.

    The obligations of the Controller and the Processor are expanded (: record-keeping – specifications – processing activities), and they acquire a specific responsibility to take, and be able to demonstrate that they have taken, all necessary measures to ensure that processing is carried out in accordance with the Regulation.

    (b) The rights of the Subjects are enhanced, including: (i) the right of access, (ii) the right of correction (or completion), (iii) the right to be forgotten (conditionally, the right to erase data), (iv) the right to object, (v) the portability of data.

    (c) For cases of systematic, extensive and large-scale assessment of personal data, or systematic large-scale monitoring of public places, an obligation is specifically provided to carry out an impact assessment of the potential risks and consequences for the rights and freedoms of individuals arising from the type, the framework, the scope and the purpose of processing.

    (d) The Controller is required to immediately inform the Authority of any breach of system security (within 72 hours from the moment he becomes aware of it).

    (e) The Controller (in cases explicitly mentioned in the Regulation, indicatively large-scale processing of data and/or sensitive data) appoints a Data Protection Officer, an internal supervisor (employee or external partner, such as a security technician) who will ensure compliance with the regulatory framework (in conjunction with any specific regulation envisaged by the national legislator within the scope of his discretion) and who has direct contact and cooperation with, and a reporting obligation for any violation to, the Personal Data Protection Authority.

    (f) Considerably stricter sanctions than the existing administrative and criminal penalties are provided, with fines of up to € 10.000.000 or € 20.000.000, or a percentage of the company’s turnover, depending on the case and the offender (if that percentage exceeds the above amounts).

    A significant difference from the current legal framework is that no notification to the Authority is foreseen, but rather the availability of the material (: processing file) at the direct request of the Authority. However, each national legislator may specify his own requirements and request Notifications or Licenses, especially in cases related to the processing of sensitive personal data. In order to examine the possible adoption of legislative measures for the implementation of the Regulation, a Legislative Committee has already been set up (Government Gazette 1913 / 27.6.2016), whose work we expect to be completed before the implementation of the Regulation.

    It is imperative that each Controller reviews (with the appropriate collaborators) the security status of its technical systems and of its organizational structure, so that it is ready to comply with the requirements of the Regulation.


    However, Is There Any Time?

    As already mentioned, the date the new European Regulation comes into effect is 25.5.2018 – i.e. at first reading, we have enough time to act. Still, is that the case?

    Many factors must be evaluated before one can answer “Okay, we have a lot of time”:

    the kind of business activity, compliance with the current institutional framework, the concentration (and/or handling) of sensitive, apart from simple, personal data, and so on.

    Let us not rush to answer that “we do not have sensitive personal data”. Do we ask for criminal records for some of our employees? Do we have a record of the health status of some of them? Do we have security cameras for the security of our company?


    Conclusion

    While we wait to see what (also) the national legislator will impose, the institutional framework for the protection of personal data has already become more complex. The threatened sanctions are not only significant but, in fact, dramatically high.

    Preparing the company, most of the time, is neither easy nor quick.

    The need for more detailed information, a first assessment and for the first procedural steps, is present.

    Today!
