ICO blog post on the impacts of the collapse of the Safe Harbor arrangement following the Court of Justice of the European Union's decision in the Schrems case, which found that the Safe Harbor arrangement did not ensure adequate protection for personal data transferred from the EU to the US in line with the eighth data protection principle. The post includes some contextual background, the implications for organisations, the need to act, and potential future developments.
Background of the case
The company had detected that one of its employees might have been misappropriating funds in one of its stores. Based on this suspicion, the company decided unilaterally to install video-surveillance cameras, displaying a notice of the cameras' installation in a visible place in the shop window, but without formally informing its employees.
On 3 March 2016, the Spanish Constitutional Court issued Judgment 7222-2013. In that ruling, it stated that when a company suspects that irregularities are being committed, monitoring its employees with video-surveillance cameras without their specific consent is justified. Accordingly, it is not necessary to inform the employees of the specific purpose for which such cameras are being installed.
More specifically, the Judgment stated the following:
a) Legitimate purpose. The camera was installed because of the suspicion that one of the employees in the store was stealing from the cash register.
b) Information. The employee had been informed in general terms of the installation of the video-surveillance cameras through the notice that had been displayed. Under those circumstances, the Constitutional Court stated that the company was not required to explicitly inform the employees of the reason why the measure had been put in place.
c) Proportionality. The installation allowed the company to verify the irregularities committed by the employees (suitable); the video-surveillance camera was the last resort available to the company to establish who exactly was stealing money (necessary); and the recordings were limited exclusively to the cash register area (proportionate).
In March 2016, the Italian data protection authority issued a Fact Sheet on data protection officers (DPOs) in light of the upcoming General Data Protection Regulation (GDPR). It highlights a wide range of requirements assigned to them, such as their duties, eligibility prerequisites and responsibilities.
The Fact Sheet is addressed to all bodies that process data. Furthermore, it encompasses every activity that requires regular and systematic monitoring of data subjects on a large scale according to Article 35 GDPR.
For that reason, the Fact Sheet underlines that the DPO shall have appropriate knowledge of the data protection legal framework and work diligently and without any conflict of interest. In the words of Matteo Colombo, President of the Italian Association of Data Protection Officer (ASSO DPO), "(…) the DPO should receive multidisciplinary training and education in compliance, human resources and trade union law, be computer literate and, last but not least, have a good knowledge of the English language."
According to the President of ASSO DPO, the introduction of the DPO role may improve the effective protection of personal data and privacy in Italy.