A big thanks to Todd for stepping in last month and writing such a wonderful cat-themed post. His blog on global drug testing facts was very timely. We have received many requests this past year for international drug screening services; it seems to be a topic in the forefront of many employers’ minds.
So on to this month’s post. Grab yourself a comfy spot with my Boris and brush up on some of the latest draft guidance from the EDPB (European Data Protection Board).
The EDPB, a name that rolls off the tongue just as easily as the former Article 29 Working Party, which it replaced, is a legal body of the European Union. It was established by Section 3 of the GDPR (General Data Protection Regulation). It consists of a head of a supervisory authority of each Member State and the European Data Protection Supervisor, or their representatives. The European Commission may participate in the activities of the EDPB but has no voting rights.
The mission of the EDPB is to ensure the consistent application of the GDPR within the EU. One notable difference between the EDBP and the Article 29 Working Party, is the EDPB can make binding decisions, where the Article 29 Working Party could not. The EDPB provides guidance and opinions on GDPR and advises the European Commission on data protection issues and proposed legislation.
If the EDPB speaks, it is wise to listen.
The EDPB endorsed several of the Article 29 Working Party Guidelines. Many of these are important for employers and screeners to understand. The Guidelines are available here: https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en. Topics such as consent, breach notification, and records of processing activities are relevant to screening activities and provide clarification on how GDPR should be applied and interpreted.
In November, the EDPB published draft Guidelines on Article 3 of GDPR, which addresses the territorial scope of GDPR—specifically answering the question of whether you are or are not covered by GDPR. These Draft Guidelines are helpful in several ways. The document provides examples of situations when an organization not in the EU is or is not covered by GDPR. Example 13 on page 16 of the Draft goes as far as stating, “human resources management, including salary payment by a third-country company cannot be considered as an offer of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3.” This example may help organizations understand if the screening they conduct (if they are an employer) or the services provided (if they are a screening provider) fall under GDPR. The Draft also discusses the designation of a Representative (required if the entity processing personal information is covered by GDPR but does not have an establishment in the EU, unless they meet the exemption requirements). There has been considerable discussion about the Representative requirement in the privacy community and clarity around the role of the Representative and requirements of having one is welcomed.
Keep the EDPB’s website easily accessible, as they are likely to be very active: https://edpb.europa.eu/edpb_en. And take a look at the Draft Guidelines on territorial scope. It’s not a difficult read. I also highly recommend following the web pages of your favorite Data Protection Authority. The UK’s Information Commissioner’s Office (https://ico.org.uk/) has a wealth of information in their site, as do many other Data Protection Authorities.
By the way, if your company is an NAPBS member, and you are interested in learning more about GDPR, consider joining the Task Force to provide a response to the recent EDPB Guidelines on Territorial Scope. Contact firstname.lastname@example.org for more information. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN