The DIFC Data Protection (DP) Law (DIFC Law No. 5 of 2020) came into force on 1 July 2020, with organisations given a short grace period of three months, until 1 October 2020, to ensure compliance with the new provisions.
The new DP Law makes significant changes to the DIFC's existing data privacy regime, including changes to the duties and obligations that employers, in their capacity as data 'controllers', owe to their employees when processing their 'personal data'. There are a number of important issues employers should be considering and taking action on now.
Where an employer processes personal data, Article 29 of the DP Law lists the information that employers must provide – as a minimum – to their employees. Within this information, the employer must tell its employees of the lawful ground(s) for which it processes their personal data.
In light of the reforms made to the DIFC's data privacy regime, employers should be revisiting their employee privacy policies to ensure compliance with the new DP Law. Where an employer has identified that it can no longer rely on employee 'consent' as its lawful basis for processing personal data, the employee privacy policy will need to be updated, in conjunction with the employment contract.
As a starting point, employers must process personal data for a legitimate purpose in accordance with Article 9 of the DP Law.
Additionally, employers need a lawful basis before they may process personal data and special categories of personal data, the latter term referring to particularly sensitive forms of personal data to which additional safeguards apply.
Luke Tapp, Partner
Traditionally, employers have relied on employee 'consent' as the lawful ground for processing their personal data; however, employers must now show that consent was "freely given in a clear statement of words".
Owing to the imbalance of power between an employer and employee, the DIFC commissioner of data protection has said that it can be hard for an employer to evidence that the employee consented 'freely' to the processing of their personal data, especially where consent is wrapped up in the terms of the employment contract. Consent is also a fragile basis, because employees who have consented to the processing of their personal data must be able to withdraw that consent at any time.
Accordingly, where an employer relies on 'consent' as its lawful basis, any exercise of this right may leave the employer exposed: it will need to stop processing the employee's personal data "as soon as is reasonably practicable".
To echo the commissioner's position, the recommendation for employers currently relying on consent is to consider whether an alternative lawful ground is available; for example, reliance may potentially be placed on the employment contract itself, as inferred from the employment relationship.
When thinking about alternative lawful grounds, the commissioner has stipulated that employers should not rely on 'consent' as the lawful basis while holding another ground in reserve as a 'back up' in case consent is withdrawn. This approach carries the risk of providing employees with unclear information and may complicate the exercise of their data subject rights.
One of the main changes introduced by the DP Law is the enhancement of data subjects' rights over their personal data. There are a number of data subject rights that employers need to understand:
Right of access: also known as a subject access request (SAR), this right gives employees the right to receive, within one month and without charge, a copy of the personal data held about them by the employer.
The concept of 'personal data' is defined widely under the DP Law, and providing an employee with a copy of all of their personal data can be an onerous task for the employer. Employers should therefore plan in advance the initial steps they will take on receipt of a SAR.
Right to withdraw consent: employees have the absolute right to withdraw, at any time, consent given to the processing of their personal data, as discussed in detail above.
Right to erasure: where, for example, the employer cannot show that the personal data is still necessary for the purpose for which it was originally collected, the employee will have the right to have their personal data erased. This right is also known as the 'right to be forgotten'.
Employers should consider this right to erasure alongside the employer's record retention obligations under the DIFC Employment Law.
Right to object: unless the employer can show that it has a compelling legitimate ground that overrides the interests of the employee, the employee may object to the processing of certain of their personal data.
Right not to be discriminated against: employers must not discriminate against an employee for exercising one of their other data subject rights under the DP Law. This right is distinct from the rights under the DIFC Employment Law, which permit an employee to claim discrimination based on a 'protected characteristic'. It is a new provision introduced by the DP Law that could have far-reaching implications for the employment relationship.
If, in response to an employee exercising one of their data subject rights, the employer has to stop processing that employee's personal data, this could threaten the continuance of the employment relationship. However, given the risk of a fine of up to $100,000 for any contravention of a data subject's rights, employers will need to carefully balance employee personal data rights against their business demands.
The approaching compliance deadline of 1 October 2020 should spur employers that have yet to review employee policies, contracts and data processing to do so urgently and put a plan in place to make any necessary changes. There are additional issues employers should be thinking about too:
The new and updated definitions in the DP Law. For example, consideration should be given to when the employer may be acting in the capacity of a 'controller', 'processor' and/or 'joint controller' in relation to employee personal data, as well as to the updated meaning of 'special categories of personal data', which now includes communal origin, political affiliation and criminal record information;
Who is classified as an 'employee' for the purposes of the DP Law. Where businesses engage contractors or consultants, it is likely that different lawful grounds will need to be identified for the processing of 'non-employee' personal data and special category personal data.
In addition to the risk of fines and other regulatory sanctions, compliance with the DP Law will be vital to upholding employee relations, maintaining client and stakeholder confidence and supporting business continuity and growth.
Co-written by employment law expert Ruth Stephen of Pinsent Masons - [email protected].