Special Category Data and Age
HellenB
This is why data protection takes such thought!
Age is a protected characteristic in English Law, i.e. there are specific protections to ensure there is no discrimination in employment, justice, social care etc.
It isn’t however classified as sensitive personal data for data protection purposes.
The governance pathway therefore is that there has to be purpose and legal basis for processing, with additional policy considerations that are the responsibility of other professionals within the organisation for its operational use.
Gender and Special Category Data
HellenB
You are absolutely right in that it is very complex.
Maybe a simpler way would be to think about the one defining factor for all sensitive data – that all of them ‘could’ result in prejudice/affect human rights.
Defining yourself as a ‘man’ or a ‘woman’ will have a nominal effect (in theory!) but there are those who think that defining yourself as ‘non-binary’ is an affectation and will attach other labels to you including suppositions about your sexuality, sex life etc.
UK based call centre recording calls of international callers – consent required or not
HellenB
In which case you either need to change your system or you need to stop recording – neither is going to be easy or cheap.
Or you run systems in parallel, one that records and one that doesn’t. Still not easy.
Sorry!
Does an EU website need a cookie consent popup?
HellenB
Yes – plus any website which offers, or appears to offer, goods and services to EU residents also has to have one.
So unless you make it explicitly clear that you can’t/don’t do this, you have to have cookie consent management.
Indirect suppliers
HellenB
I would agree with Dominga.
The company’s duty in recommending the product is to do the appropriate due diligence to ensure that it conforms with the company’s general privacy policy. It shouldn’t be sharing employee data with any third party without consent in this instance.
Gender and Special Category Data
HellenB
Hi Dominga
I would define it as such because it isn’t a biologically assigned gender (unless an individual is intersex or has a medical condition), it is a self-determined gender assignment and therefore individuals who define themselves in this way deserve additional safeguards because they may be subject to prejudice as a result of their declaration.
Does this make sense?
UK based call centre recording calls of international callers – consent required or not
HellenB
You are a UK domiciled company, you have to treat all data the same, i.e. as if it was UK resident data.
Consent isn’t the only legal basis for recording calls, and it would only work if the system can actually stop the recording of individual calls on request and can identify that the call is from a country that requires consent. Remember that an automated system might decide that a call from Germany requires consent but it is actually a caller from the UK on holiday in Germany so it wouldn’t.
For instance: saying ‘we record calls for training and monitoring purposes’ when you do nothing with them and using legitimate interest as your legal basis doesn’t stand up.
So before going down the rabbit hole of trying to discover which countries have different rules, I would investigate whether you have a system capable of dealing with the outcome of your investigations and whether indeed you have a real purpose for recording calls in the first place.
Writer’s HQ Privacy policy
HellenB
I use this all the time as an example of how your Privacy Notice should reflect your organisation’s values.
It might not have every single element it should have, but it has been done with a lot more thought than some of the legal sounding ones I have to correct.
Gender and Special Category Data
HellenB
As Dominga says, it is very dependent on how you phrase the question and also that you need to have a clear reason for asking it.
For instance, knowing the gender identity might enable you to create initiatives to increase inclusivity. But if you don’t have a clear reason for processing this data then you shouldn’t be collecting it.
Once you add in an option such as non-binary then you are into special category data territory and that is explicit consent under Art 9.
FADP
HellenB
The best comparison I have seen can be found here: https://www.mll-news.com/wp-content/uploads/2020/12/Overview_Swiss_FADP_GDPR_English_Final_181220.pdf