Interested to hear people’s thoughts on something I’ve been involved with a lot lately as employees receive more benefits.
My global company is procuring a mental well-being service/app as part of a drive to encourage employees to take care of themselves. Individuals log their mood/activity etc. and in return get personalised tips to improve their mental well-being. The company gives no data to the providers and gets nothing in return. It's just paid for access for all employees and promoted it on the intranet (reinforcing that this is in no way mandatory). We can take it or leave it.
What would your thoughts/involvement be as a privacy pro?
I would agree with Dominga.
My thoughts would be that the company providing the app is an independent Controller and that you definitely shouldn't send them details of employees or create accounts on their behalf. If employees decide to download and sign up for the app, then the app provider will be responsible for complying with data protection standards and informing the individuals how their data will be processed. However, if I were DPO at your company, as the employer, I would want to make sure that the company I am promoting is not a cowboy and that they have the right standards in place, because once an organisation is logging moods, behaviours etc., they start to have access to sensitive data and they need to protect it. I would also want to make sure they can fulfil all their duties, like DPIAs, DP by design, informing the data subject etc. Their business model sounds like it should be watertight in terms of data protection.