Łukasz Rutkowski
Łukasz Rutkowski, attorney-at-law, advises clients from a range of industries, including financial services, banking, e-commerce, IT, logistics and FMCG. He has participated in GDPR implementation projects and compliance audits. He analyses products, processes, IT solutions (software, mobile apps) and services (e.g. using profiling, AI and the internet of things) for compliance with data protection regulations (including industry regulations) and e-privacy regulations. He supports clients in conducting data protection impact assessments and handling data subject requests.
When an employee has been absent for a long period of time, or in other circumstances where an employer is having difficulties contacting an employee via official means of communication, HR departments often wonder whether they can use an employee's private contact data. Some more cautious employers introduce employee questionnaires requesting a private e-mail address or telephone number, or collect this data from employees in a different way. How does the issue of obtaining private contact data look from a data protection law perspective?
Exit interviews, namely interviews which employers hold with employees whose employment is ending, are widely used by HR departments and may provide useful information regarding managing the workplace. In today’s piece, we will take a look at exit interviews from the perspective of data protection legislation.
This is the fourth in a series of articles in which we discuss the duties of a data controller with respect to data protection breaches in the employment context, drawing on Guidelines 01/2021 on Examples regarding Personal Data Breach Notification adopted on 14 December 2021 (version 2.0) from the European Data Protection Board (EDPB).
This is the third in a series of articles in which we discuss the duties of a data controller with respect to data protection breaches in the employment context, drawing on Guidelines 01/2021 on Examples regarding Personal Data Breach Notification adopted on 14 December 2021 (version 2.0) from the European Data Protection Board (EDPB).
This is the second in a series of articles in which we discuss the duties of a data controller with respect to data protection breaches in the employment context, drawing on Guidelines 01/2021 on Examples regarding Personal Data Breach Notification adopted on 14 December 2021 (version 2.0) from the European Data Protection Board (EDPB).
Responding appropriately to a data breach is one of the fundamental duties of data controllers under the EU’s General Data Protection Regulation (GDPR). But practice shows that complying with these duties often poses major problems for data controllers, including when the breach occurs in an employment context. These difficulties include in particular assessing:
- Whether a breach has occurred
- The risk associated with the breach
- What legal duties are imposed on the data controller in relation to the breach
- What measures should be implemented in connection with the breach.