Europe, Boring Until it's Not
-
- Posts: 3360
- Joined: Thu Dec 01, 2016 9:36 am
- Location: Aalborg, Denmark
Re: Europe, Boring Until it's Not
If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
Fame is not flattery. Respect is not agreement.
-
- Posts: 3513
- Joined: Wed Nov 30, 2016 8:39 am
N
That's super. A regulation we are required to follow that nobody understands. What could go wrong?
Hastur wrote: The confusion is great and everyone is waiting in great anticipation for the first cases to be heard.
You have to implement your compliance policies before we'll show you what the compliance policy is. ~Nancy Pelosi of Europe
I keep asking how someone's work email, employee ID and work email address can be considered personal information, though. Nobody has answered that to my satisfaction.
Account abandoned.
-
- Posts: 3513
- Joined: Wed Nov 30, 2016 8:39 am
Re: Europe, Boring Until it's Not
We can't do business in Europe unless we implement a program to strip away all this data within 30 days of the employee leaving. It's bizarre, because some of our projects take months, so an employee who asked for something to be done, and we go to do it, but now we have no idea who asked for it, because that person left the company two months ago.
BjornP wrote: If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
Crazy.
Account abandoned.
-
- Posts: 5297
- Joined: Wed Nov 30, 2016 2:43 am
- Location: suiþiuþu
Re: N
I don't think it is unless it can somehow be connected to something personal, like an address, payroll or phone number. You're not allowed to keep those entries after a certain amount of time. Just delete everything that is personal and connected to people you no longer do business with.
Kath wrote: That's super. A regulation we are required to follow that nobody understands. What could go wrong?
Hastur wrote: The confusion is great and everyone is waiting in great anticipation for the first cases to be heard.
You have to implement your compliance policies before we'll show you what the compliance policy is. ~Nancy Pelosi of Europe
I keep asking how someone's work email, employee ID and work email address can be considered personal information, though. Nobody has answered that to my satisfaction.
Do you not know, my son, with how little wisdom the world is governed? - Axel Oxenstierna
People never lie so much as after a hunt, during a war or before an election. - Otto von Bismarck
-
- Posts: 1881
- Joined: Tue Jul 18, 2017 2:10 pm
Re: Europe, Boring Until it's Not
The point of written law ceases to be if people do not know beforehand what is being asked of them.
-
- Posts: 3360
- Joined: Thu Dec 01, 2016 9:36 am
- Location: Aalborg, Denmark
Re: Europe, Boring Until it's Not
From what I can google on the directive, the employee has no right to demand his data be deleted until at least five years after end of finished employment. That's the limit to how long an employer can retain personal data on former employees (if we're talking hiring contracts, copies of timesheets, end of employment contract). At least according to a Danish accounting firm's site on the matter of the directive, I'm looking at right now.
Kath wrote: We can't do business in Europe unless we implement a program to strip away all this data within 30 days of the employee leaving. It's bizarre, because some of our projects take months, so an employee who asked for something to be done, and we go to do it, but now we have no idea who asked for it, because that person left the company two months ago.
BjornP wrote: If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
Crazy.
Fame is not flattery. Respect is not agreement.
-
- Posts: 3360
- Joined: Thu Dec 01, 2016 9:36 am
- Location: Aalborg, Denmark
Re: Europe, Boring Until it's Not
Don't know if it will actually help you or what sort of guidelines or documentation your company's given you to work from, Kath, but this is the official site for the GDPR site, and the section dealing with how companies should respond to it:
https://ec.europa.eu/info/law/law-topic ... sations_en
Also did a brief search for a US firm advising on the GDPR and found this result:
https://www.whitecase.com/publications/ ... regulation
Fame is not flattery. Respect is not agreement.
-
- Posts: 3513
- Joined: Wed Nov 30, 2016 8:39 am
Re: Europe, Boring Until it's Not
So, it really is loosey-goosey
BjornP wrote: Don't know if it will actually help you or what sort of guidelines or documentation your company's given you to work from, Kath, but this is the official site for the GDPR site, and the section dealing with how companies should respond to it:
https://ec.europa.eu/info/law/law-topic ... sations_en
Also did a brief search for a US firm advising on the GDPR and found this result:
https://www.whitecase.com/publications/ ... regulation
So, I suppose if the employee had put his employee number somewhere, for whatever reason, and some random person gets access to my system, and finds that number, they could theoretically compare the two numbers. It's a long way to get there, though.
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Either way, I have 10 hours in this already, with easily 30 more to go to scroll through every table that has an employee ID, which is hundreds. I'm just one small system.
This is costing our company thousands of hours, I'll bet. What I have to do is nothing compared to what others have to do.
They should be very, VERY clear on what is PII, because nobody really has a great understanding if a work email address is PII, so we are caring for it, just-in-case.
Account abandoned.
-
- Posts: 3360
- Joined: Thu Dec 01, 2016 9:36 am
- Location: Aalborg, Denmark
Re: Europe, Boring Until it's Not
Hey, maybe if you hired Hastur's company, they could cut down on the man-hours you guys need to process those requests? Quite frankly, as with so much coming out of the EU, I didn't even know it existed until you brought it up. Knew about general data protection rules, but not that they extended to what employers could store of employee data.
Fame is not flattery. Respect is not agreement.
-
- Posts: 5297
- Joined: Wed Nov 30, 2016 2:43 am
- Location: suiþiuþu
Re: Europe, Boring Until it's Not
It means it doesn't apply automatically and uniformly to all EU countries but all member states must implement it into their national laws before a deadline. In this case, the deadline is May 25, 2018.
BjornP wrote: If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
Do you not know, my son, with how little wisdom the world is governed? - Axel Oxenstierna
People never lie so much as after a hunt, during a war or before an election. - Otto von Bismarck