Privacy and Employee Surveys in Germany, June 2020


Privacy and Employee Surveys in Germany, June 2020. Speakers: Dr. Annette Demmel, Partner, Berlin (T +49 30 72616 8226, E annette.demmel@squirepb.com); Tarek Hajj-Khalil, Associate, Berlin (T +49 30 72616 8110, E tarek.hajj-khalil@squirepb.com)


SLIDE 1

Privacy and Employee Surveys in Germany

June 2020

SLIDE 2

squirepattonboggs.com

Speakers

  • Dr. Annette Demmel, Partner, Berlin, T +49 30 72616 8226, E annette.demmel@squirepb.com
  • Tarek Hajj-Khalil, Associate, Berlin, T +49 30 72616 8110, E tarek.hajj-khalil@squirepb.com

SLIDE 3

Agenda

  • General considerations
  • Employee surveys and personal data
  • Consent as the main legal basis
  • Ideas for the architecture
  • Involving the works council?
  • Conducting a data protection impact assessment?
  • Employee surveys and Covid-19

SLIDE 4

The context

  • Employee surveys are becoming more and more important.
  • In times of Covid-19, for example, companies often would like to know how their employees are doing while working from home.
  • However, are employee surveys allowed at all? And if so, what should be kept in mind?

SLIDE 5

Possible procedure

The employer transmits the email addresses of the potential survey participants to the service provider. The service provider creates the survey and sends an invitation email to the potential participants. The invitation email gives the potential participants further information (e.g. via a link to the privacy policy) and tells them that they have to click on the link to participate.

The participants are then redirected to the survey page of the service provider. The service provider does not collect the IP addresses of the participants, but may collect a few other data, such as the time of participation, the browser used, etc. The service provider evaluates the results and sends aggregated results to the employer.

SLIDE 6

Involved parties

[Diagram: the involved parties are the employees, the supervisory authorities, the data protection officer, the employer, the service provider and the works council. Labels in the diagram: "processor", "surveys", "(joint controller)", "advises".]

SLIDE 7

Data categories in employee surveys

(Directly) personal data

  • Employee email address
  • Employee IP address
  • Assignment to an organisational unit of the employer
  • Job profile of the employee

(Indirectly) personal data

  • Survey data (aggregated data, raw data)
  • Whether survey data is personal data depends on whether it is anonymized
  • If the survey data is only pseudonymized, it will most likely even constitute sensitive personal data

SLIDE 8

Survey data - all anonymous, or not?

Problem 1: IP addresses

  • The service provider may not collect the IP addresses of the employees
  • However, it may use cookies to allow the survey to be resumed after interruptions
  • Still, this should rather be avoided where possible

Problem 2: Email addresses

  • The service provider may not collect the email addresses of the employees
  • Strictly speaking, however, the service provider does obtain them, at least for a logical second when the employee starts the survey.

Problem 3: Group-specific surveys

  • This may give great results, but German supervisory authorities do not consider survey data anonymous if they belong to a group of fewer than 10 persons.

SLIDE 9

May the employer oblige the employees to participate in the survey?

  • Most likely not.
  • Particularly difficult in regard to anonymous surveys.
  • Except if the survey is closely tied to carrying out their specific job.

SLIDE 10

Possible legal bases for employee surveys

consent

+

overriding legitimate interest

+/-

fulfilment of the work contract

SLIDE 11

The declaration of consent must be…

  • prior
  • specific
  • explicit
  • informed
  • freely given
  • withdrawable
  • in writing or electronic

SLIDE 12

Informed Consent - Information towards employee

What to inform about?

  • controller, processor, recipients, data categories, purposes of processing, data sources, data transfers, storage periods, rights of data subjects, possibility of withdrawal
  • in the case of sensitive data: explicit mentioning of sensitive data!

How to inform?

  • “in a concise, transparent, clearly distinguishable manner and easily accessible form, using clear and plain language”
  • visualization is allowed!
  • In Germany, employers are, in principle, required to obtain employee consent in written or electronic form

How to inform about the right to withdraw?

  • Prior to the consent, the employer must inform the employee about his/her right to withdraw the consent at any time
  • The withdrawal must be as easy as the giving of the consent itself
  • The right to withdraw may be problematic when survey data are anonymous!

SLIDE 13

Informed Consent - consent in written or electronic form

If consent shall be given in written form

  • It should not be given together with other declarations

If consent shall be given in electronic form

  • It must be given consciously and unambiguously: pre-ticked boxes, silence, or inactivity are void!
  • It must be documented
  • The employee must be able to access its content at any time
  • It must be withdrawable at any time with future effect
  • The form may not be unnecessarily disruptive to the participation in the survey

SLIDE 14

Informed Consent - further considerations

Information on purpose of survey

  • be as specific as possible
  • be in line with your general attitude and practice
  • mention, where possible, any measures planned on the basis of the results
  • mention, where applicable, why and how anonymous results will be published or transferred

Information on the architecture

  • mention where the data will be stored
  • name and describe the software used for the survey
  • explain the storage period as concretely as possible

SLIDE 15

Freely given consent

  • Art. 7 par. 4 GDPR
      • Consent may not be freely given if the participation in the survey “is dependent on the consent to the processing of personal data that is not necessary for the performance” of the survey.
  • Rec. 43 GDPR
      • “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case […]”
  • Sect. 26 par. 2 Federal Data Protection Act
      • “[…] the employee’s level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests.”

SLIDE 16

Hint!

Document the conducted employee surveys; and inform about the employee surveys not only in the declaration of consent, but also in your…

  • Records on Processing Activities
  • Technical and Organisational Measures
  • Data Protection Impact Assessments
  • Privacy Policy
  • Accountability Report
  • Data Breach Response Plan
  • Legitimate Interest Assessments

SLIDE 17

Ideas for the architecture

  • Software: Open source? Barrier-free?
  • Processor: Certified? Servers in the EU? To what extent are audits possible?
  • Cookies: Avoidable, e.g. by not allowing the survey to be resumed after an interruption?
  • Admins: Special authorization for persons evaluating and administering the survey and its results?

SLIDE 18

Does the works council need to be involved?

  • Depends on the specific concept of the employee survey, for example its technical design.
  • May be required according to Sec. 87 of the German Works Council Constitution Act:

(1) The works council shall have a right of co-determination in the following matters in so far as they are not prescribed by legislation or collective agreement:

  • 1. matters relating to the rules of operation of the establishment and the conduct of employees in the establishment […]
  • 6. the introduction and use of technical devices designed to monitor the behavior or performance of the employees […]

SLIDE 19

Does a Data Protection Impact Assessment (DPIA) need to be conducted?

  • DPIAs shall be conducted, where the type of processing is likely to result in a high risk to the rights and freedoms of natural persons. (Art. 35 par. 1 GDPR)
  • Nine criteria, two of which are generally sufficient for the necessity of a DPIA (according to Article 29 Working Party):
      • Evaluation or scoring
      • Automated decision-making with legal or similar significant effect
      • Systematic monitoring
      • Sensitive data
      • Data processed on a large scale
      • Matching or combining datasets
      • Data concerning vulnerable data subjects
      • Innovative use or applying new technological or organisational solutions
      • The processing itself “prevents data subjects from exercising a right or using a service or a contract”
  • Also consider positive or negative lists by supervisory authorities.
  • Eventually conduct a “DPIA light”, irrespective of a legal obligation!
  • Minimum content of a DPIA is stipulated in Art. 35 par. 7 GDPR

SLIDE 20

In times of Covid-19

  • … extraordinary circumstances for processing data which must be taken into account when planning employee surveys
      • Recommendation: Follow the specific Covid-19 guidelines by supervisory authorities!
  • … particular interest and focus on protecting both business interests as well as (the privacy of) employees
  • In Covid-19-specific employee surveys,
      • questions on the situation of the home office environment of employees can be both privacy challenging and privacy enhancing.
      • questions on the health situation of employees for the purpose of containing infections at the workplace should rather not be asked within the survey itself, but - if appropriate - within a more adequate setting.
          • Legal basis for such questions might be Art. 9 (2) lit. b GDPR in conjunction with Sec. 26 (3) Federal Data Protection Act

SLIDE 21

Questions

SLIDE 22

Thank you

  • Dr. Annette Demmel, Partner, Berlin, T +49 30 72616 8226, E annette.demmel@squirepb.com
  • Tarek Hajj-Khalil, Associate, Berlin, T +49 30 72616 8110, E tarek.hajj-khalil@squirepb.com
