Data protection type question

Beezerk

A colleague of mine is having a big issue with some of his personal details (name and address) being used in a 3rd party app our employer is rolling out. He’s asked the gaffer to remove his address but so far he’s hit a brick wall. I’m not using this new app yet but I’m getting an earful of this from my colleague every morning lol.
Does anyone know the score? Can an employer use some of his personal data like this, is the employee within his rights to request it be removed?
Another dimension to this as well, my colleague was told it was all secure so no one else could access his app account, yet there is one shared password for all accounts and he was able to log in as someone else and view their details 😂
 

Lord Tyrion

GDPR - just tell him to repeat those 4 letters. That should be enough.

I would be amazed if this new legislation allows this without his permission.
 

Beezerk

Thanks mate, it did seem a bit odd like they’ve crossed a line somehow.
I’m trying my best to keep out of it lol as the guy is really annoyed about the whole situation.
 

Lord Tyrion

I don't see how any employer can justify putting your personal details out there. Totally unacceptable to me and I am pretty certain against GDPR. There is work and there is home. They are very different things.
 

Khamelion

I'm not that up on my data protection, but if his details are being stored digitally then he can see them. I dare say he may have unwittingly agreed to the use of his details when he signed a contract or similar. Not sure there is a great deal he can do under current legislation, but as LT mentioned, when GDPR comes into effect on the 25th May he can ask to have any or all personal details removed from being digitally stored.

You have to 'opt in' or allow it by agreeing to new terms and conditions, but you can ask to have them removed at any time.

As an example, you will, if you haven't already, get an email from your golf club asking you to allow them to store your personal details.
 

Beezerk

Well that was a quick turnaround, apparently the gaffer has relented and removed the unnecessary data from the app. The lad is now getting pop-ups asking if he needs assistance though, quite specific as well by using his first name so they must have stored the data on their servers already. This one could run 😂
 

ScienceBoy

Lord Tyrion said:
> GDPR - just tell him to repeat those 4 letters. That should be enough.
>
> I would be amazed if this new legislation allows this without his permission.

But more to it than that. GDPR doesn’t get here for another month. Then you also need to ask what personal data they have, what is the legal basis for processing and can you have a copy of it.

If it’s legitimate interest of the data subject then challenge. If it’s contractual then ask to see the contract. If it’s consent then withdraw consent.

Companies will rely on consent as a last resort. The usual order will be contract, legitimate interest and then finally consent (excluding some options for clarity).

Consent is the weakest and easiest to withdraw so it’s possibly disruptive to not have processing of data in a contract instead.
 

Lord Tyrion

ScienceBoy said:
> But more to it than that. GDPR doesn’t get here for another month. Then you also need to ask what personal data they have, what is the legal basis for processing and can you have a copy of it.
>
> If it’s legitimate interest of the data subject then challenge. If it’s contractual then ask to see the contract. If it’s consent then withdraw consent.
>
> Companies will rely on consent as a last resort. The usual order will be contract, legitimate interest and then finally consent (excluding some options for clarity).
>
> Consent is the weakest and easiest to withdraw so it’s possibly disruptive to not have processing of data in a contract instead.

I understand that but I suspect this boss does not fully understand the ramifications of GDPR yet which is why simply uttering those 4 letters should be enough, a little knowledge etc. Even if he does understand, those 4 letters will be enough unless he absolutely wants to take this to the deadline and push matters to the limit. Far simpler, as he apparently now has done, just to remove the information he had posted.
 

Mudball

IMO, the employer cannot use it unless the employment contract states that they have the right to use it. If my office wants to do a press release with my name, then they can do it. Equally my physio has 2 locations he works from 1) from his clinic and 2) from his garage at home. The garage address is provided on the website but while it is his home, it is still a work address. So without knowing the details cannot comment... but it is highly unlikely that it would be done.

As most have already mentioned... GDPR regulations can force the company to remove it. Remember your firm can be fined 4% of its global turnover on misuse of personal data. So gently use that to remind him again to delete it.

On a different note, you have another problem if you have shared passwords. If this is available and known to everyone then it can be easily compromised and provide access to third parties with malicious intentions. Your CISO (if you have one) should be worried or be looking for another job.
 