GDPR website

The data protection law that covers workers (and citizens) in Europe is called the ''General Data Protection Regulation'' - or simply "''the GDPR''". It became effective from May 25 2018 and provides a baseline for citizens' and workers’ data rights. However, as we will see, with regards to workers' data rights, the GDPR could be improved through collective bargaining. Throughout this guide, you will be asked to compare the practices in your workplace with your rights as they are protected in the GDPR. You will receive tips and inspiration to support your negotiations for stronger workers’ data rights. In the GDPR, data subjects (in our case us as workers) have eight data subject rights. You might want to open <a href="https://www.workersdatarights.org/the-8-data-subject-rights-in-the-gdpr/ " target="_blank">[this]</a> document and have it by your side as you go throgh the tool. The first section of this tool looks at ''transparency'': what the law says you should know about how your data is being used. <table> <tr> <td>(button:)[[Let’s jump in!->Transparency]]</td> </tr> </table> (set: $section to "Introduction")

<div id=head>''Transparency''</div> This section of the guide focuses on transparency. It tries to understand whether management has been transparent about the digital tools and systems they are using, the purpose of these tools, and whether workers have been advised of their rights. Transparency is important because it helps workers to understand how information is being collected about them and how it is used. This empowers workers to exercise control over their information and protect their rights. <table> <tr> <td>(button:)[[Next->Management transparency]]</td> </tr> </table> (set: $section to "Transparency section")

In many (but not all) situations, GDPR requires that management tells workers when and how they collect workers' data, and the tools and software they use to collect it. The articles in the law that regulate this are often called the “Transparency Requirements.” The GDPR includes two articles on transparency: <a href="https://www.workersdatarights.org/article-13-gdpr/" target="_blank">Article 13</a> and <a href="https://www.workersdatarights.org/article-14-gdpr/" target="_blank">Article 14</a>. They regulate what information employers must provide workers where their personal data are collected directly or indirectly from the data subjects (the workers). Take a look at these articles if you aren’t sure. To your knowledge, ////''has management told workers in your workplace when and how they collect workers’ data, and if so, what tools and systems they are using? '' <table> <tr> <td>(button:)[[Yes->Yes, I am sure it does8]]</td> <td>(button:)[[No / not sure->Not sure / no1]]</td> </tr> </table> (set: $section to "Transparency section")

Hmm. This is not good. The two transparency articles regulate what information management must provide you with //before// they start using a digital tool that processes your (the workers) personal data, or personally identifiable information. <a href="https://www.workersdatarights.org/article-13-gdpr/">Article 13</a> of the GDPR has to do with the situation where management collects data directly from the workers. It lists the type of information that management should tell workers, which includes things like the reason for collecting the data, the data categories they are collecting and where it is being collected from. <a href="https://www.workersdatarights.org/article-14-gdpr/" target="_blank">Article 14</a> lays out the requirements if data is not collected //directly// from the worker, but for example from data brokers, business partners or other controllers. Importantly, in the case of indirect collection of personal data, Article 14(2)(f) GDPR requires the controller (the employer) to inform the data subjects (the workers) about ''the source'' of such data. A source may be another entity or party, but also includes a technical source (like open sources, sensors, CCTV or online tracking tools). Given you haven't been notified of all of the information you have a right to receive, you can advise management of their non-compliance with the legal requirements, and agree on where and how this information should be shared so all employees are correctly informed. ''Note'' It is also important to think about these notification requirements in relation to the so-called legal basis for processing data. <a href="https://www.workersdatarights.org/article-6-gdpr/">Article 6</a> outlines the six different legal bases that are valid in the GDPR. * The employer must have a valid lawful basis in order to process workers' personal data. * Most lawful bases require that processing is ‘necessary’ for a specific purpose. If the employer can reasonably achieve the same purpose without the processing, they won’t have a lawful basis. * According to the European Data Protection Supervisory Board, management cannot really rely on "consent" as the legal basis for processing your data due to the power imbalance between management and labour. So they must rely on one of the other legal basis, and they must provide you with information about this Have a good look at these articles and show them to management. Then proceed. <table> <tr> <td>(button:)[[Next->Negotiating]]</td> </tr> </table> (set: $section to "Transparency section")

That is not great! Recall <a href="https://www.workersdatarights.org/article-13-gdpr/">Article 13</a> of the GDPR, which has to do with the situation where management collects data directly from the workers. It lists the type of information that management should tell workers, which includes things like the reason for collecting the data, whether or not it is mandatory or voluntary and where it is being collected from. <a href="https://www.workersdatarights.org/article-14-gdpr/" target="_blank">Article 14</a> lays out the requirements if data is not collected //directly// from the worker, but for example from for example from data brokers, business partners or other controllers. Importantly, in the case of indirect collection of personal data, Article 14(2)(f) GDPR requires the controller (the employer) to inform the data subjects (the workers) about ''the source'' of such data. A source may be another entity or party, but also includes a technical source (like open sources, sensors, CCTV or online tracking tools). * If you haven’t been notified of all of the information you have a right to receive, you can advise management of their non-compliance with the legal requirements, and agree on where and how this information should be shared so all employees are correctly informed. * ''Note'' It is also important to think about these notification requirements in relation to the so-called legal basis for processing data. <a href="https://www.workersdatarights.org/article-6-gdpr/">Article 6</a> outlines the six different legal bases that are valid in the GDPR. ** The employer must have a valid lawful basis in order to process workers' personal data. ** Most lawful bases require that processing is ‘necessary’ for a specific purpose. If the employer can reasonably achieve the same purpose without the processing, they won’t have a lawful basis. ** According to the European Data Protection Supervisory Board, management cannot really rely on "consent" as the legal basis for processing your data due to the power imbalance between management and labour. So they must rely on one of the other legal basis, and they must provide you with information about this. Have a good look at these articles and show them to management. There may still be more you can do to map out what kind of data collection is happening your workplace. We will explore this in the next section. <table> <tr> <td>(button:)[[Next: Mapping data collection->Mapping data collection]]</td> </tr> </table> (set: $section to "Transparency section")

Good to hear! You have now completed the section on transparency. But there may still be more you can do to map out what kind of data collection is happening your workplace. We will explore this in the next section. <table> <tr> <td>(button:)[[Next: Mapping data collection->Mapping data collection]]</td> </tr> </table> (set: $section to "Transparency section")

Keep negotiating with management to ensure they provide you with the required information on all the tools and systems they are using. There may still be more you can do to map out what kind of data collection is happening your workplace. We will explore this in the next section: Mapping Data Collection. <table> <tr> <td>(button:)[[Next: Mapping data collection->Mapping data collection]]</td> </tr> </table> (set: $section to "Transparency section")

<div id=head>''Challenging invasive systems''</div> Now that you have thought about all the tools and systems that management has deployed, you may want to negotiate for a ban of any systems that are highly invasive. As we'll explore, highly invasive systems might be ones that process very sensitive data, such as biometric information. They can be automated systems that have such a great impact on your rights that management, not the systems, should be held liable for their outcomes. Or they could be systems that introduce some other risk to workers’ interests, like the creation of unfair bias. Let’s find out more about these systems, and which ones you might advocate to ban in your workplace. <table> <tr> <td>(button:)[[Next->If any of these Systems]]</td> </tr> </table> (set: $section to "section on Invasive Systems")

Examples of systems that are often highly invasive include: * Facial recognition * Emotional recognition * Systems processing biometric data - such as finger prints or iris scans. * Fully automated systems aimed at disciplining workers or allocating work or overtime * Automated systems for creating a pool for redundancy * Automated systems calculating redundancy pay If any of these systems are being used by your employer, you may want to negotiate a ban of their use in your workplace. If your employer won’t agree to a ban, you could try get agreements in place so the employer is held liable and responsible for their use. These are just some examples: take a broad view of the data collection that the employer is carrying out and its impacts on workers. Look to challenge the tools and systems if you do not feel the balance is acceptable. <table> <tr> <td>(button:)[[Next->The GDPR gives data subjects]]</td> </tr> </table> (set: $section to "section on Invasive Systems")

In the EU, the GDPR gives workers certain rights that may be useful in your negotiations with management about the use of these invasive systems. Let’s take a look at what the law says: * <a href="https://www.workersdatarights.org/the-8-data-subject-rights-in-the-gdpr/">GDPR Article 21: The Right to Object</a> gives data subjects the right to object to the processing of their data. It basically says that a worker has the right to object to the processing of his or hers personal data if the employer cannot justify that they have a legitimate interest in doing so. For your consideration, an employer can generally determine if their processing is based on legitimate interests if they are using workers' data in a way that the worker would expect or otherwise deem reasonable – and where the processing has a minimal impact on their privacy. If not, the right to object could become a powerful tool. This right could become relevant if you think the employer or a third party is for example profiling you or the workers in a way that overrides the interests, rights and freedoms of the worker. Union busting tools could be an example of this. * <a href="https://www.workersdatarights.org/the-8-data-subject-rights-in-the-gdpr/">GDPR Article 22: The Right to Avoid Solely Automated Decision-Making</a> Article 22 gives workers the right not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of their information intended to provide a profile of that person. This right may help workers in situations where AI is used to analyse data and profile them. //(We will unpack this right in more detail in the next section, on Automated Decisions.)// Read the law carefully to understand whether these rights apply in your situation, and use them to advocate against invasive systems. Now, let’s move onto the section on Automated Decisions. <table> <tr> <td>(button:)[[Next->Automated decision making and profiling]]</td> </tr> </table> (set: $section to "section on Invasive Systems")

<div id=head>''Mapping Data Collection''</div> The previous sections aimed to inform you about your rights and good practices concerning transparency about the tools and systems that are being deployed. We will now look a little closer at where management gets data from – its sources and categories. <table> <tr> <td>(button:)[[Next->data collection basics]]</td> </tr> </table> (set: $section to "section on Mapping data collection")

<div id=head>''Automated decision-making and profiling''</div> You have already determined what systems and tools are being used; now we are turning our attention to automated decision-making systems and profling. Let’s jump in. <table> <tr> <td>(button:)[[Next->Automated and Profiling]]</td> </tr> </table> (set: $section to "section on automated decision-making")

''Automated decision-making'' is the process of making a decision by automated means – in other words, by using AI to analyse large amounts of information in order to reach an outcome. //Solely// automated decision-making means that the decision was made without any meaningful human involvement. ''Profiling'' is any process to classify a person's personality, behaviour, interests, and habits, usually by analysing any kind of information about them, in order to make predictions or decisions about them. (In the context of digitised workplaces, the effects of profiling can include someone being hired, promoted, disciplined, or fired.) For workers and unions seeking to ensure diverse and inclusive labour markets, it is important you get to know these terms well, as they are one of the biggest data-driven threats to workers’ rights. Let’s see what the GDPR says on this. <table> <tr> <td>(button:)[[Next->GDPR Provides]]</td> </tr> </table> (set: $section to "section on automated decision-making")

The GDPR provides data subjects with a right against automated decision making and profiling. * <a href="https://www.workersdatarights.org/the-8-data-subject-rights-in-the-gdpr/">Article 22, paragraph 1</a> of the GDPR notes: that data subjects have the right //“not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” // Let’s unpack this article and our rights a bit more. <table> <tr> <td>(button:)[[Next->Unfortunately GDPR]]</td> </tr> </table> (set: $section to "section on automated decision-making")

This article is difficult to follow, but it provides us with rights that we should always remember. Algorithmic management with no human intervention can and must be challenged! Click on the tip box here to unfold how Article 22 should be understood. {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>'' Article 22'': Recapping, article 22 paragraph 1 says a person has a right not be subject to an //decision based solely on automated processing // or //profiling// which //produces legal effects//, or // similarly significantly affects him or her// . ''What does this mean?'' //Solely automated processing// ** Legally speaking, for something to be //solely// automated there must be no human involvement in the decision-making process. Read about an interesting court ruling that ruled against "symbolic acts" of human involvement as a way to prevent workers from claiming this right here: {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>'' Important case'': In a 2023 ruling the Amsterdam Court of Appeal upheld the appeal of a group of drivers against the ride-hailing companies Uber and Ola Cabs. Significantly, the Court of Appeal rejected Uber’s attempt to rely on ‘humans in the loop’, who were supposed to have reviewed and checked the algorithms’ decisions. The Court found that on the facts such reviews were “not… much more than a purely symbolic act”. In consequence the algorithmic decision-making was ‘solely automated’, and the drivers’ rights not to be subject to automated decision making for significant decisions under GDPR Article 22 were engaged, as well as the right to an explanation under GDPR Articles 13-15. </div< </div> ](modal|} (link-repeat:"ⓘ Court ruling")[(show:?modal)]. This is interesting as it indicates that management cannot get away with verifying the decision of a machine through a tick-box exercise without being able to sunstantially prove that they have made their own judgement. //Profiling// ** In GDPR article 4, paragraph 4 //"‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;"// ** What this means is that personal data often from many different sources is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles of individuals. Article 22 says we have the right not to subject to profiling that has legal affects, or the similar, such as getting fired. Remember this right! //Legal effect// ** A legal effect is something that affects someone’s legal rights. //Similarly significant effects// ** These are more difficult to define but could include, for example, automatic worker assessments which affect your job prospects, or e-recruiting practices without human intervention </div< </div> ](modal|} (link-repeat:"ⓘ Unpacking Article 22")[(show:?modal)] Now let’s see what we can do about this in the workplace. <table> <tr> <td>(button:)[[Next->Informed]]</td> </tr> </table> (set: $section to "section on automated decision-making")

Has management informed employees and prospective employees whether they are subject to significant decisions based solely on automated processing? <table> <tr> <td>(button:)[[Yes->Yes7]]</td> <td>(button:)[[No->No7]]</td> </tr> </table> (set: $section to "section on automated decision-making")

This is not good at all. Bring your rights as detailed in Article 22 to the attention of management and ask whether decisions are being made based solely on automated processing. If they say it doesn’t take place, ask who is responsible for evaluating whether a system’s processing outcomes should be followed. Management must be able to explain who is involved, and how they are qualified and empowered to do more than just 'rubber stamp' automated decisions. If they can’t, the decision-making might be in violation of article 22 in the GDPR and they should stop. If you are still in doubt, you can trigger <a href="https://www.workersdatarights.org/about-subject-access-requests//"target="_blank">data subect access rights</a> (article 15). Article 15.1.(h) says that you have the right to access information about: * "the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject." Keep probing! Let’s sum this all up before moving on to the next, and last, section: third-party data access. <table> <tr> <td>(button:)[[Next: Summing up: Automated decision.making and profiling]]</td> </tr> </table> (set: $section to "section on automated decision-making")

Good. They have to as well. As we discussed before on DPIAs, significant automated decision-making and profiling are a high-risk type of processing. Employers MUST therefore carry out a DPIA in these circumstances and remember they must consult with you.. If you in any way doubt that management has given you all the information you need, you have the possibility of finding out by triggering <a href="https://www.workersdatarights.org/about-subject-access-requests//"target="_blank">data subject access rights</a> (article 15). Article 15.1.(h) says that you have the right to access information about: ** "the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject." Let’s sum this all up before moving on to the next, and last, section: third-party data access. <table> <tr> <td>(button:)[[Next: Summing up: Automated decision.making and profiling]]</td> </tr> </table> (set: $section to "section on automated decision-making")

Welcome to our tool for'' Negotiating Data Rights in Workplaces in the EU ''It aims to give step-by-step help for workers and union representatives to negotiate for stronger data rights in workplaces in the GDPR area. Click the ''ⓘ'' below for more information. {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>ⓘ About this tool<br><br>This tool consists of 6 sections. Each of them relates to important data protection rights you have as management processes workers’ data. For example, if they are analysing it using AI, using particularly invasive or harmful systems to track workers, or using your personal information in other ways they did, or didn’t, tell you about. Each section brings your legal rights to you and offers tips for how to discuss these with management. You can navigate between sections by clicking on the links at the bottom of the page below the line. We recommend you go through the tool chronologically though. For further details about the tool and the team that created it, check our <a href="https://www.workersdatarights.org/about//" target="_blank">About page</a>.</div< </div> </div< </div> ](modal|} (link-repeat:"ⓘ About this tool")[(show:?modal)] As you go through the tool, you will notice some words have an orange colour. These are clickable links. This tool was created by <a href="https://www.thewhynotlab.com/" target="_blank">The Why Not Lab</a> and <a href="https://www.awo.agency/" target="_blank">AWO Agency</a>. When you're ready to get started, click the button below! <table> <tr> <td>(button:)[[Next->Let's begin]]</td> </tr> </table> (set: $section to "Introduction")

<div id=head>''''''Third-party data access </div>'''' ''''''The vast majority of tools and systems that process your data at work are not developed by your employer. This is why we need to focus on third party data access. For example, your employer might be using a workforce management system, or a third party system to manage your wage payments. Experts estimate that over 90% of all systems used in workplaces today are third party systems. But before digging into the question of third party data access, let’s briefly look at why this is important. One of the largest threats to diverse and inclusive labour markets is the datafication of work and workers. Datafication refers to turning aspects of human life into data. This data can be shared, re-purposed and used in different ways. {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>'' TIP'': Professor Shoshana Zuboff, who wrote ''''''the book //The Age of Surveillance Capitalism// (read review <a href="https://blogs.lse.ac.uk/lsereviewofbooks/2019/11/04/book-review-the-age-of-surveillance-capitalism-the-fight-for-the-future-at-the-new-frontier-of-power-by-shoshana-zuboff/" target="_blank">here</a>) is a leading critic of this. She calls for a ban of what she calls “markets in human futures” – the buying and selling of profiles, inferences and datasets that ultimately are profiting from and shaping our lives and career opportunities! </div< </div> ](modal|} (link-repeat:"ⓘ We should ban markets in human futures")[(show:?modal)] This new market for data is worth billions of dollars. It incentivises mass data generation and leads to increased data sharing. One of the problems of sharing data with multiple third parties is that it becomes harder for workers to know and control how their information is being used. There are now more people/companies with access to your data, and third-parties are often less accountable to you. It is therefore really important to have firm agreements between your employer and any eventual third-party data processers to prevent your data from being reused, bundled, sold and traded. Let’s dive in! <table> <tr> <td>(button:)[[What the GDPR says about third parties->the GDPR0]]</td> </tr> </table>(set: $section to "section on third party access")

The GDPR doesn’t say that information cannot be shared with a third party. But there are certain rules that apply when sharing information with a third party, and other rules when sharing information with a third party in a foreign country. This part is split into 2: The first is about 3rd parties located within the EU. The second part for 3rd parties located outside of the EU. <table> <tr> <td>(button:)[[Next->Yes9]]</td> </tr> </table>(set: $section to "section on third party access")

Do you know if management shares information with third parties? In other words: have they notified you of this? <table> <tr> <td>(button:)[[Yes->Yes10]]</td> <td>(button:)[[No->No10]]</td> </tr> </table>(set: $section to "section on third party access")

Okay. You can skip to the section on further processing. <table> <tr> <td>(button:)[[Next section->Further Processing]]</td> </tr> </table>(set: $section to "section on third party access")

That is good to hear. In the GDPR, your employer cannot share your data freely to third parties (such as developers or other companies). They must adhere to certain conditions in the GDPR and they must inform you. Following <a href="https://www.workersdatarights.org/article-13-gdpr//"target="_blank">(text-colour:(hsl:0,0.8039,0.5,0.7))[Article 13]</a> and <a href="https://www.workersdatarights.org/article-14-gdpr//"target="_blank">(text-colour:(hsl:0,0.8039,0.5,0.7))[Article 14]</a> your employer must inform you of the intended purposes for processing the personal data; and the lawful basis for the processing. This includes any 3rd party access and their processing. If you have not been informed, show management articles 13 and 14 and require the information! Sharing personal data with a third party is an act of processing. The employer therefore also requires a ‘lawful basis’ for that sharing as described in <a href="https://www.workersdatarights.org/article-6-gdpr//"target="_blank">(text-colour:(hsl:0,0.8039,0.5,0.7))[Article 6]</a>. Employers should make a record of which lawful basis they claim to rely on, and so should you. If you don't think a lawful basis applies, then the sharing with the third party may be challenged. For example (i) the employer might rely on necessity for a contract, but the sharing is not truly necessary for the employment contract, or (ii) the employer might rely on legitimate interests (such as a commercial interest in selling the data on), but these interests are outweighed by workers' rights and interests. Knowing the identity of the third parties makes it easier to find out more about how they are processing information. It is also important to know whether the third parties are processing your data for new purposes. Let's look at at that now. <table> <tr> <td>(button:)[[Next->New Purposes]]</td> </tr> </table> (set: $section to "section on third party access")

That is not great and could well be a violation of the GDPR. Following <a href="https://www.workersdatarights.org/article-13-gdpr//"target="_blank">[Article 13]</a> and <a href="https://www.workersdatarights.org/article-14-gdpr//"target="_blank">Article 14</a> your employer must inform you of the intended purposes for processing the personal data; and the lawful basis for the processing. This includes any 3rd party access and their processing. If you have not been informed, show management articles 13 and 14 and require the information! Sharing personal data with a third party is an act of processing. The employer therefore also requires a ‘lawful basis’ for that sharing as described in <a href="https://www.workersdatarights.org/article-6-gdpr//"target="_blank">(text-colour:(hsl:0,0.8039,0.5,0.7))[Article 6]</a>. Employers should make a record of which lawful basis they claim to rely on, and so should you. If you don't think a lawful basis applies, then the sharing with the third party may be challenged. For example (i) the employer might rely on necessity for a contract, but the sharing is not truly necessary for the employment contract, or (ii) the employer might rely on legitimate interests (such as a commercial interest in selling the data on), but these interests are outweighed by workers' rights and interests. Knowing the identity of the third parties makes it easier to find out more about how they are processing information. It is also important to know whether the third parties are processing your data for new purposes. Let's look at that now. <table> <tr> <td>(button:)[[Next->New Purposes]]</td> </tr> </table> (set: $section to "section on 3.3 Foreign transfers")(set: $section to "section on third party access")

Do you think management transfers workers’ data to third parties outside of the EU? <table> <tr> <td>(button:)[[Yes->Yes11]]</td> <td>(button:)[[No / Not sure->No / I am not sure11]]</td> </tr> </table>(set: $section to "section on third party access")

In the GDPR, your employer cannot share your data freely to third parties outside of the EU. They must adhere to certain conditions.Rea d all about them <a href="https://www.workersdatarights.org/3rd-parties-outside-the-eu//"target="_blank">here</a>. Also, you have the same rights to be informed about data transfers to third parties outside of the EU as you do to inside the EU. [[Head back through those.->Yes10]] ''If you believe management is not in compliance with any of these information obligations and data transfer requirements, they are potentially in breach of the GDPR. Notify your data protection authority if management doesn't postiively react to your questions. '' Now it's time to set those clear limits for what third parties can and can't do with your data. <table> <tr> <td>(button:)[[Take me there->Clear limits]]</td> </tr> </table> </table> (set: $section to "section on third party access")

In the GDPR, your employer (text-style:"underline")[cannot] share your data freely to third parties outside of the EU. They must adhere to certain conditions. Read all about them <a href="https://www.workersdatarights.org/3rd-parties-outside-the-eu//"target="_blank">here</a>. Also, you have the same rights to be informed about data transfers to third parties outside of the EU as you do to inside the EU. If you believe management is not in compliance with any of these information obligations and data transfer requirements, they are potentially in breach of the GDPR. Notify your data protection authority if management doesn't postiively react to your questions. Now it's time to set those clear limits for what third parties can and can't do with your data. <table> <tr> <td>(button:)[[Take me there->Clear limits]]</td> </tr> </table> (set: $section to "section on third party access")

It’s great that you are aware of the provision that they are relying on to justify the transfer. Below are a few points to consider with regards to their reliance. In terms of POPIA, consent has to be voluntary, specific and informed. Has management provided enough information about the transfer to inform the consent? If management is relying on the performance of the employment contract, consider whether the transfer is really necessary for the performance of the contract. If they are relying on a contract between management and a third-party, ensure that the contract is in the interest of the data subject. In South Africa, our Information Regulator hasn’t provided a list of countries that it considers to automatically provide the same level of protection as POPIA. This is important to bear in mind if management says the third party is bound by an instrument that provides the same level of protection as POPIA. Proceed to the next section to explore whether the data is being used for new purposes. <table> <tr> <td>(button:)[[Next->Further Processing]]</td> </tr> </table> (set: $section to "section on third party access")

Oh dear! That’s not great – management should be transparent about this. There are a few sections in POPIA which may help you obtain this information. 1. You can rely on <a href="https://wnl.altadvisory.africa/popia-section-18/" target="_blank">section 18</a> of POPIA which requires management to disclose whether they intend to transfer information to a third party in a foreign country, and the level of protection that will be afforded to the information. This should be done at the time of collection, so management may be non-compliant with this section. There are a few exceptions, so look carefully at section 18 to understand if you can rely on it. 2. Management may be relying on workers' consent to transfer the information – check the employment contract to see if this is the case. Remember that in terms of POPIA, consent should be specific and informed, so they should have provided sufficient information on this to ensure that is the case. Continue now to wrap up the tool! <table> <tr> <td>(button:)[[Next->Congratulations]]</td> </tr> </table> (set: $section to "section on third party access")

<div id=head>''''''Congratulations! </div>'' You have now completed this tool. Hopefully it has highlighted entry points for your negotiations with management to strengthen data protection in the workplace. We wish you all the best as you enter into dialogue with management. Remember to share your findings with your union, and if all dialogue fails and you suspect that management is in violation of the GDPR, you can and must contact your national data protection authority. In solidarity! (set: $section to "end of the tool")

__________________________________________________________________________________________ This is the $section. Navigate sections: [[Introduction->Introduction]] | [[Transparency]] | [[Mapping Data Collection->Mapping data collection]] | [[Data Protection Impact Assessments->Data Protection Impact Assessments]] | [[Invasive Systems->Challenging Invasive Systems]] | [[Automated Decisions->Automated decision making and profiling]] | [[Third Party Access->Third party access to data]] |

(replace: ?modalhooks)[{ (css:" position: fixed; display:block; z-index: 1; left: 0; top: 0; width: 100%; /* Full width */ height: 100%; /* Full height */ overflow: auto; /* Enable scroll if needed */ background-color: rgba(0,0,0,0.4); ")[ (css:" display:block; margin: 15% auto; padding: 20px; width: 80%; border: 1px solid white; ")|modal>[ (css:"float:right")+(link-repeat:"x")[(replace: ?modalhooks)[]] ] ] }]

|modalhooks>[]

{ <!– Create a variable to track the position within the $typewriterText string –> (set: $typewriterPos to 1) <!– Create a hook to hold the typed text –> |typewriterOutput>[] <!– Set a delay of 0.1 seconds per loop –> (live: 5ms)[ <!– Add the next character to the hook –> (append: ?typewriterOutput)[(print: $typewriterText’s $typewriterPos)] <!– Update the position –> (set: $typewriterPos to it + 1) <!– If it’s gone past the end, stop –> (if: $typewriterPos is $typewriterText’s length + 1)[ (stop:) ] ] }

In some cases, it may be clear when data is collected -- for example, when you submit your banking details, give the employer your contact information or when you sign an employment contract. In other cases, it is less clear -- for example, when an employer uses a system or tool that generates and collects information. For example, an employer may require that the workers download an app to their private mobile phones so they can change shifts, check in and out at work, record sick days and more. This apps enables the employer to collect lots of information (location, time at work, number of shifts) about the employees activities. <table> <tr> <td>(button:)[[Next->Mapping the data]]</td> </tr> </table> (set: $section to "section on Mapping data collection")

<div id=head>''Have your say!''</div> GDPR article 35 on Data Protection Impact Assessments includes two crucial items that will support workers to have a role in the governance of data processing. This first is ''item 9'', which reads: //"Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations."// What this item says is that management "shall seek" which means *must* seek the views of the workers affected by the data processing. If management, as they should, live up to this legal requirement, workers and their representatives will have a strong entry point into influencing what data management can collect, for what purposes and why. Use this right! The second is'' item 11,'' which reads: * //"Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations."// This item literally says that the controller (in our case management) should regard impact assessments as something that should be continous and ongoing. Assessing risks as a one-time exercise is not acceptable especially where a processing operation and the risks it might imply are dynamic and subject to ongoing change. What this item opens up for is continous governance of data processing. Combined with item 9 management should/must involve you as the affected workers and/or your representatives. Let's look into this a little more... <table> <tr> <td>(button:)[[Next->A closer look]]</td> <table> <tr> (set: $section to "section on Impact Assessments")

<div id=head>''Article 35 GDPR - Data Protection Impact Assessment''</div> Digital systems that process workers' personal data can very well pose a risk to the rights and freedom of the worker. This is why the GDPR requires that an employer must do a <a href="https://www.workersdatarights.org/article-35-gdpr/" target="_blank">Data Protection Impact Asssesment (DPIA)</a> before putting the system into operation. A DPIA is used to identify and mitigate risks that arise from processing (in our case) workers' data. ''Management's obligations ''A DPIA must be conducted if the processing of data is likely to result in a high risk to the rights and freedoms of individuals. In workplaces, we could argue that all digital systems used to monitor and evaluate workers are high risk as they could have serious consequences on the worker. Management must conduct a DPIA //before// a digital system that processes your data is taken into use. ''What must be included in a DPIA?'' The GDPR sets out the minimum features of a DPIA (Article 35(7), and recitals 84 and 90): * a description of the envisaged processing operations and the purposes of the processing; * an assessment of the necessity and proportionality of the processing; * an assessment of the risks to the rights and freedoms of data subjects (in our case the workers); * the measures envisaged to: ** address the risks; ** demonstrate compliance with the GDPR In the next step, we will look at two further provisions concering DPIAs - namely that management should involve you when writing a DPIA and that they should periodically review them! Both of these provisions open the door for your active involvement in limiting risks and harms. <table> <tr> <td>(button:)[[Next->Key DPIA provisions that you should use]]</td> <table> <tr> (set: $section to "section on Impact Assessments")

''''Excellent!'''' But it doesn't really stop there. Article 35 does not oblige the data controller (management) to make their DPIAs public or in any other way share it with the data subjects (meaning you!). This is a gapping hole in the legislation. Try to ask management for a copy of the DPIA so you can check whether they took your input into consideration and what risks they have identified. {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>'' TIP'': If you can get a copy of the DPIA, share it with your union to boost collective learning. Maybe similar systems are being used in other workplaces, but haven't been afforded the same risk profiles. The more you know across the union about these systems, the stronger your combined efforts will be! </div< </div> ](modal|} (link-repeat:"ⓘ Get and share")[(show:?modal)] ''Did they share the final DPIA with you? '' <table> <tr> <td>(button:)[[Yes->Yes they did]]</td> <td>(button:)[[No / not sure->I don't think they have ]]</td> </tr> </table> (set: $section to "section on Impact Assessments")

''This is bad news. '' Ask around amongst your colleagues, and if no one has been consulted remind management of their obligations as depicted in <a href="https://www.workersdatarights.org/article-35-gdpr/" target="_blank">GDPR art 35 item 9</a> . {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>'' TIP'': In some workplaces, discussions about the DPIA take place in the work's council, or in occupational health and safety committees. It is a good idea to try to agree with management who should be consulted as part of the DPIA process, and in which body. A fixed procedure is recommendable. </div< </div> ](modal|} (link-repeat:"ⓘ Good practices")[(show:?modal)] You must make sure management involves you in the DPIA. When they do, head back to <td>[[here->Yes, they have!]]</td>, but for now let's continue by moving on to the next section on some of the systems that are so invasive, they should be banned. <table> <tr> <td>(button:)[[Next->Challenging Invasive Systems]]</td> <table> <tr> (set: $section to "section on Impact Assessments")

That’s good to hear. Does the information provided give you a sufficient understanding of why these systems and tools are being used and the data they collect or generate? <table> <tr> <td>(button:)[[Yes, I think so->Yes4]]</td> <td>(button:)[[No/Not sure->No4]]</td> </tr> </table> {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ How much information is management required to give workers?''<br><br><a href="(modal|} (link-repeat:"ⓘ What are the transparency requirements in the GDPR?")[(show:?modal)]">Article 13</a> of the GDPR includes a list of all the information management should tell you when collecting data, these are known as the notification requirements. It is important to consider these notification requirements alongside the so-called legal basis for collecting and processing data. The GDPR requires that management must have a legal basis for processing your data (<a href="https://www.workersdatarights.org/article-6-gdpr/">see Article 6</a>). It recognises a few different reasons as valid legal bases, including: * That the processing is necessary to carry out actions for the conclusion or performance of a contract between the worker and the employer; * Processing protects a legitimate interest of the data subject. <p>According to the European Data Protection Supervisory Board, management cannot really rely on "consent" as the legal basis for processing your data due to the power imbalance between management and labour. So they must rely on one of the other legal basis, and they must provide you with information about this. Check to see which legal basis management is relying on. It is important to note that management cannot try to get you to provide consent through adding a clause in your employment contract. Or by asking you to sign an addendum. <p>If you have codetermination rights, remind management that you should be consulted on the introduction of new technologies //before// they are designed or bought and introduced into the workplace.</div> </div> ](modal|} (link-repeat:"ⓘ How much information is management required to give workers?")[(show:?modal)] (set: $section to "Transparency section")

''This is really good news.'' Have a careful look at the risk assessment - do you agree with management? The DPIA can offer some hints on what you should look out for as the system is used. Is it causing harm to particular groups of workers? What has management done to mitigate this? Do you think individuals or groups of individuals are being treated unfairly that the assessment hasn't identified? If so talk to management immediately. Remember to share the DPIA with your union to boost collective learning. Maybe similar systems are being used in other workplaces , but haven't been afforded the same risk profiles. The more you know across the union about these systems, the stronger your combined efforts will be! You now have an idea of what data processing systems management are using. You have provided input to the risks associated with each system. It's now time to look at some of the systems that are so invasive, they should be banned. <table> <tr> <td>(button:)[[Next->Challenging Invasive Systems]]</td> <table> <tr> (set: $section to "section on Impact Assessments")

''Bother. '' Legally speaking they are not obliged to either. This makes no sense whatsoever, so try to keep asking management whether you can establish a fixed process for discussing the DPIAs and evaluating them. {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>'' TIP'': If you can get a copy of the DPIA, share it with your union to boost collective learning. Maybe similar systems are being used in other workplaces, but haven't been afforded the same risk profiles. The more you know across the union about these systems, the stronger your combined efforts will be! </div< </div> ](modal|} (link-repeat:"ⓘ Get and share")[(show:?modal)] But all is not lost. You have an idea of what data processing systems management are using. You have provided input to the risks associated with each system. It's now time to look at some of the systems that are so invasive, they should be banned. <table> <tr> <td>(button:)[[Next->Challenging Invasive Systems]]</td> <table> <tr> (set: $section to "section on Impact Assessments")

''Wonderful!'' Did they share the final DPIA with you? <table> <tr> <td>(button:)[[Yes->Yes they did]]</td> <td>(button:)[[No / not sure->I don't think they have ]]</td> </tr> </table> This question is really important because Article 35 does not oblige the data controller (management) to make their DPIAs public or in any other way share it with the data subjects (meaning you!). This is a gapping hole in the legislation. Try to ask management for a copy of the DPIA so you can check whether they took your input into consideration and what risks they have identified. {[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>'' TIP'': If you can get a copy of the DPIA, share it with your union to boost collective learning. Maybe similar systems are being used in other workplaces, but haven't been afforded the same risk profiles. The more you know across the union about these systems, the stronger your combined efforts will be! </div< </div> ](modal|} (link-repeat:"ⓘ Get and share")[(show:?modal)] (set: $section to "section on Impact Assessments")

Management is obliged to inform you if data is being processed for new purposes as part of the transfer. In the GDPR. the principle of purpose limitation <a href="https://www.workersdatarights.org/article-5-gdpr/"target="_blank">Article 5 1(b)</a> states that data (text-style:"underline")[cannot] be further processed for new purposes that are //incompatible// with the purpose for which they were collected (whether by the employer or a third party). The test of incompatibility of the new purposes will depend on the specific situation. As a rule of thumb, if the new processing is unexpected or surprising, it is unlikely that the new purpose is compatible with the original purpose. If you think a transfer to a third party involves processing for a new, incompatible purpose, it could be challenged. For you this means putting pressure on management to reveal: * a. whether they have granted permission for the repurposing of data, * b. the processor's specification of how and why personal data will be reused. It is really important that you know this, as you here can protect your rights and prevent the commodification of workers! <a href="https://www.workersdatarights.org/checks-on-3rd-parties/"target="_blank">Tips for logging all of this</a>. Now let's look at what the GDPR says about the transfer of your data to third parties who reside (text-style:"underline")[outside] of the EU. <table> <tr> <td>(button:)[[Next->3.3 Foreign transfers]]</td> </tr> </table> (set: $section to "section on third party access")

''Set Clear Limits to 3rd Party Data Access and Use '' Given everything you now know about who is accessing your data and what legal rights you have as well as what managerial obligations there are, it's time for you to negotiate for clear limits as to what 3rd parties may do with your data. Recall, one of the largest threats to inclusive and diverse labour markets is the buying and selling of the data about you all, including any inferences or profiles drawn using your data. Note that a clear limit here can be concerned with the following (non exclusive list): * where the data is stored * whether the 3rd party can reuse or repurpose it * Whether the employer or 3rd party can sell any datasets that include workers' personal data or personally identifiable information. * transparency requirements * clear safeguards - how is the 3rd party securely handling your data <table> <tr> <td>(button:)[[Finishing up->Congratulations]]</td> </tr> </table> (set: $section to "section on third party access")

''Has management consulted you, or your colleagues, as part of their risk assessment? '' <table> <tr> <td>(button:)[[Yes->Yes, they have!]]</td> <td>(button:)[[No / I don't think so->No /not sure]]</td> </tr> </table> (set: $section to "section on Impact Assessments")

''Tips to end this section'' 1. According to Article 13 and 14, management must inform you on the types of data from workers they are collecting and why. Discuss with management article 13 and 14 and say you would like to check with them that all information on how workers' data is being processed has been or will be provided. 2. Agree with management where and how this information should be shared so all employees are correctly informed. 3. Consider negotiating with management the right to be consulted on new technologies //before// they are designed/bought and introduced into the workplace. 4. Check that new recruits are not obliged to sign an "informed consent" clause in their contracts. Informed consent is not generally a legal basis for processing workers' data. See GDPR article here 5. If you are still unsure that management are providing information about all of their processing, you could consider having one or more workers submit data subject access requests to the employer. 6. Remember that management must inform you of the legal basis for processing, and that typically they cannot rely on the one called "informed consent". Check <a href="https://www.workersdatarights.org/article-6-gdpr/" target="_blank">Article 6.</a> 7. If you disagree with some of the data sources, or when during the day the data are collected, try to negotiate with management to limit the data collection. Also, management must according to the GDPR be able to prove that: * the processing of all of the data they collect acheives the purpose of collecting this data. * There are not less intrusive ways they could reach the same outcome. * How they will prevent function creep * and how they will ensure data quality and data minimisation. Let’s move onto the next section, which explores how your employer should assess how their digital systems might affect workers’ rights, in order to minimise any harm. <table> <tr> <td>(button:)[[Data Protection Impact Assessments]]</td> </tr> </table> (set: $section to "section on Impact Assessments")

Recall article 22 includes two rights: 1. The right not to be subject to decisions based solely on automated systems 2. The right not to be subject to profiling The condition is that you can claim these rights if automated decision making or profiling produce legal effects concerning you or similarly significantly affects you. Legal effects can be that you lose your job, don't get a job, get discriminated against and the like. In relation to profiling, and the consequences of these profiles, it can oftentimes be hard to prove that you did not receive a pay rise, or get offered a job or promotion due to profiling. This is why we must work towards gaining access to management's DPIA, which they must make when automated decision-making or profiling is occuring. If management is not open to discussion - consider triggering your <a href="https://www.workersdatarights.org/about-subject-access-requests//"target="_blank">data subect access rights</a> (article 15). And remember, management must prove that they have sufficient managerial oversight mechanisms in place, if they claim automated decision-making or profiling does not take place. Try to get good agreements in place with management concerning: * involvement in and access to DPIAs * transparency around who in management is responible for each system/tool and who is involved in oversight proedures * clarity around how you and your colleagues can exercise your <a href="https://www.workersdatarights.org/the-8-data-subject-rights-in-the-gdpr//"target="_blank">8 data subject rights </a>. Now let us move on to the next, and last, section: third-party data access. <table> <tr> <td>(button:)[[Next: Third-party data access->Third party access to data]]</td> </tr> </table> (set: $section to "section on automated decision-making")

''Let's dig in '' To explore how management is using workers’ data, you first need to know what data employers have, how they collect it and how they are using it. If you already know this information, keep it at hand as you work through the tool. If you //don’t //have this information yet, don’t worry: the first two sections – Transparency and Mapping Data Collection – aim to help you get these details. These sections are also useful if you want to confirm whether management has fully complied with the legal requirements relating to transparency and collection. ''Note this!'' If you are a shop steward, according to <a href="https://www.workersdatarights.org/article-80-gdpr/"target="_blank"> Article 80 </a>in the GDPR a data subject (in our case a worker) can mandate you and your union to lodge a complaint or court case, or receive compensation on their behalf. More generally, a worker can ask their union to represent them when exercising their GDPR rights (like the Right of Access). Be prepared to evidence that you are authorised to represent the worker (e.g. with a signed authority from them). This is important for you to remember as we go through this guide. When you're ready to get started, click the button below! <table> <tr> <td>(button:)[[Next->the GDPR]]</td> </tr> </table> (set: $section to "Introduction")

As we learned in the previous section, management is obliged to inform you about how they process your personal data and for what purposes. To be totally sure you have a complete picture of this, a good step is to map the digital tools you encounter during your work day. From the moment you enter your workplace, to the routines you have. Do you enter and exit work using an electronic key card (that's data!). Do you use a computer (that's data!). Do you have to input information onto a wearable device (that's data!). Are there security cameras (that's data!)? Try to map you work day from the moment you enter or start work, to the moment you leave or stop work. Remember to think about any devices or systems that you might take home with you that are owned by your workplace. Write down all of the digital systems you encounter and try to list what data they are collecting from you or the device you have to use. <table> <tr> <td>(button:)[[Next->Tips for mapping]]</td> </tr> </table> (set: $section to "section on Mapping data collection")

(text-style:"bold")[Tips for mapping] Here are some tips as you map your working day and the digital systems you or your members might encounter 1. Are any of these common data-collection systems and digital tools used in your workplace? * (Semi)-automated hiring/firing systems (e.g. to vet job candidates or assess workers' performance) * Scheduling tools * Workplace sensors * Productivity/efficiency measurements, including real-time tracking * Location tracking devices/wearables * Handheld devices * Software to monitor your keyboard inputs, browsing activity, or other work-from-home surveillance. * Workforce management systems * Human Resource apps What data are they collecting? What do you think about the purposes, or how management might use the data? 2. If you haven't received the privacy policy of the system/tool you know is being used, ask for it and read it carefully. It will include information about the data sources/categories of data extracted. For example, before you download an app from the employer onto your phone, read the privacy policy carefully. Does the app track your location 24 hours a day? Is that ok? Write it all down. 3. Do an internet search for any articles or other information about the system. Maybe other workers' or experts have already analysed it and have some critical information. 4. Consider if there are any logical deductions you could make. For example, an automated hiring system might extract data from a candidate’s CV, or from automated interviews or assessments. (See for example <a href="https://www.hirevue.com/"target="_blank">[HireVue]</a>). It also might use third-party data from companies (such as <a href="https://fama.io/"target="_blank">[this one]</a>) who profile people for recruitment processes. For each digital system you come across in your working day, write down what data you think it is collecting. ''Compare your findings with what management has informed you as part of their Article 13 and 14 obligations. '' ''Are there differences? '' <table> <tr> <td>(button:)[[Yes->Mapping differences]]</td> <td>(button:)[[No / not really->Not sure / no10]]</td> </tr> </table> (set: $section to "section on Mapping data collection")

Show your list to management and ask for a meeting. If management doesn't seem to be engaging constructively with you, you could consider to trigger some further rights in the GDPR. Namely article 15 on the Right of Acesss. Read about it <a href="https://www.workersdatarights.org/the-8-data-subject-rights-in-the-gdpr/"target="_blank">[here]</a>. Article 15 gives a worker the right to access the information (personal data) that the employers has on them. You could consider getting several colleagues to submit this request and compare the results with what management has told you. Use this article with caution though. The employer can in certain very limited circumstances, per Article 12(5) GDPR, charge a ‘reasonable fee’ for the administrative costs of complying with your request if they believe it is ‘manifestly unfounded or excessive’ (which the employer must prove). <table> <tr> <td>(button:)[[Evaluate the data ->Evaluate the data]]</td> </tr> </table> (set: $section to "section on Mapping data collection")

That's really good news. Keep your mapping notes handy and add to them as new systems are deployed by management. Share them with your union. Similar systems can be used in other workplaces. Let's now evaluate that data: <table> <tr> <td>(button:)[[Evaluate the data->Evaluate the data]]</td> </tr> </table> (set: $section to "section on Mapping data collection")