The COVID-19 pandemic has triggered substantial social changes and a seemingly never-ending rollercoaster of legislative amendments and re-adoptions. Both social and legislative changes occurred in the Employment Sector, inevitably including the sphere of Personal Data Protection (PDP).
Remote working and the desire of employers to monitor the performance and processes of their employees has given rise not only to a series of legislative amendments but also to a series of misconceptions about these amendments and about compliance with existing legislation.
One of the first rounds of COVID-related changes in Ukraine included the establishment of a new exception to the requirement of consent for personal data processing: a data subject’s consent is not required when the processing is necessary for the purpose of combating the virus. This was a common headline in the news in April and May of 2020. However, this exception is only applicable to specific entities (i.e., the Ukrainian Ministry of Digital Transformation), and does not apply at all to most private businesses. The processing of personal data (especially sensitive data) remains subject to many restrictions and additional compliance actions must be taken before, during, and after processing (for sensitive data).
Another common misconception is that video-surveillance does not constitute the processing of personal data. Even though it’s very tempting to trust this statement, it is misleading and should not be relied upon. It has been well established that an image of a person contained in a video is in itself personal data. When using such monitoring instruments, an employer (or anyone conducting monitoring) must follow the usual “compliance steps” for personal data processing.
The pandemic has also provided fertile soil for remote work tracking and monitoring software. Most of the software packages offered on the market contain built-in confidentiality disclaimers and personal data processing consent. However, these do not offer a panacea for PDP compliance. One should choose software that provides an option for the person being monitored to pause the monitoring. This will ensure that no excessive personal data is collected (especially sensitive data). For example, financial data, private correspondence (conversations with other employees on non-work-related topics might also include private life details), etc.
It is commonly (and incorrectly) understood that where someone consents to processing, the processor is free to collect any data (or all the data provided for in the consent). Again, data processing consent is not a magic shield from PDP-law violation. It is well established that even when a personal data subject consents, if the scope of data collected and processed exceeds what is necessary to process for the purpose at hand, such processing is unlawful.
For example, when tracking an employee’s activities, software can collect data regarding time spent by an employee on a project that helps the employer monitor and assess the employee’s performance; but if the software collects and transfers to the employer such data as screenshots of bank account details or online payment information, etc., even when included in the consent, this exceeds the lawful purpose of processing and constitutes a PDP-law violation. Moreover, collecting sensitive personal data will trigger additional compliance requirements (such as sensitive data processing notification).
Furthermore, the earlier described “lawful data” is usually used for a lawful purpose (such as work performance evaluation). However, an employer should still be on guard when, for example, a decision related to an employee is made based exclusively on this data. Ukrainian law specifically protects data subjects from any automated decision affecting their rights. Depending on the particularities of the software and the procedure by which the decision (for example, to fire an employee or to distribute bonuses) is adopted, such decision could potentially result in a PDP-law violation. The same is true for profiling.
Evidently, most of the PDP law that was already in place is still applicable and relevant to “COVID-19 amended relations,” and businesses simply need to consider it as carefully as possible and not rely upon tempting but misleading statements.
All of this is also applicable to subcontracting relations and the data collected from subcontractors when monitoring their services.
By Maria Orlyk, Managing Partner, and Diana Valyeyeva, Associate, CMS Reich-Rohrwig Hainz, Kyiv
This Article was originally published in Issue 8.6 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.