WHEN SHOULD YOU DO IMPACT ASSESSMENT AT WORKPLACE BASED ON GDPR?
03 December 2018
Do you use GPS tracking in your company cars? Do you monitor your employees working from home by measuring keyboard or mouse activity? You should use these tools with care, because according to the latest guidance of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) you might need an impact assessment before setting up such a system in order to be compliant with GDPR.
What is impact assessment?
An impact assessment is an analysis that aims to reveal the nature of the data processing, its necessity and its proportionality, and to support risk management by measuring the risks and defining the activities needed to handle them.
GDPR does not define exactly what this assessment should include; it gives only some hints about what must definitely be included:
- a systematic description of the planned processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures aiming to handle the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
When do you need such assessment?
Basically, you need to do an impact assessment when the data processing is likely to result in a high risk to the rights and freedoms of the data subjects. The GDPR contains some explanation of this, but it is quite general.
To understand what is considered a high risk, you need practical examples, so we gathered the most common workplace situations from the NAIH list. They are the following:
- Scoring, especially based on performance at work, reliability, behaviour, location or movements, if this has an influence on the obligations that you must fulfil towards the employee.
This covers, for example, the case where you continuously measure the performance of your employees with some kind of counting or other system, and you use the results as a basis for increasing salary, giving a bonus, or even modifying or terminating the employment contract.
- Profiling, including a systematic assessment based on the performance at work, reliability, behaviour, location or movements of the employee on a large scale.
For example, if you automatically record the location of the employees by chip card to check whether they do anything suspicious that differs from the daily routine.
- Systematic monitoring: the systematic monitoring of employees on a large scale where it is carried out using CCTV systems, drones, or any other innovative technologies (Wi-Fi tracking, Bluetooth tracking, body camera).
It is important to note that you don’t need an impact assessment in all cases of CCTV operation, only if the system is suitable for systematic monitoring on a large scale, typically together with other devices. This is the case, for example, if the video cameras are able to detect and recognize faces or number plates.
- Processing location data, if it can result in systematic monitoring or profiling. For example, if you use GPS in the cars used by your employees.
- Monitoring the work of your employees, if their personal data are processed and assessed in a systematic way on a large scale. For example, if you use CCTV in order to detect and counteract theft or fraud, or you monitor the internet usage or e-mails of the employees.
- Processing employee data on a large scale for a purpose different from the original one. For example, if you have e-mail addresses from all of your employees that were collected for concluding a contract with you, but you would like to use all these data for marketing purposes, you will need an impact assessment.
- Applying new technological solutions during the data processing. This includes the large-scale processing, via the internet or other channels, of data that were produced by sensors, that give information about the person’s reliability, behaviour, location or movements, and on which profiling is based. For example, if you check the mouse usage of the employee to monitor working time.
This is not an exhaustive list. Even the regulation uses the words “in particular” in its explanation, meaning you should not relax just because your data processing does not fall into any of the above categories. If there is a high risk, you have to do an impact assessment even if none of the descriptions fits you.
What is this good for?
On the one hand, the impact assessment makes it easier to fulfil the requirements of the GDPR. It is also important for accountability, as the assessment serves as evidence that you took the right actions.
You should also keep in mind that if you fail to do an obligatory impact assessment, the authority may impose a penalty (up to 10 million EUR), so avoiding this might also be an important factor when deciding to carry out an impact assessment.
An impact assessment is a complex and difficult process, and doing it incorrectly can result in a fine just like processing data without it. For this reason, if you suspect you might need an impact assessment based on the above, you should definitely hire a professional to do it for you.