30 September 2020 - Events
Despite its comprehensive scope and application, the General Data Protection Regulation (GDPR) does not cover absolutely every personal data processing activity in the European Economic Area. As a matter of common sense, the legislation specifically excludes from its scope ‘any purely personal or household activity and thus with no connection to a professional or commercial activity’.
In practice, this means it is fine to maintain lists of contact details of friends or use social media to send your family festive greetings without first presenting them with a GDPR-compliant privacy notice (which thankfully avoids the need to find a lawful basis for sticking their faces on dancing elves).
But what about the grey areas? What happens when social networking is used not only to circulate novelty e-cards but also to promote a business or where your “#nofilter” posts on The Gram finally promotes you to Influencer status? The powers that be in the UK and EU have been unequivocal in agreeing that ‘purely personal’ can have no ‘professional or commercial’ element and that this must be interpreted in ac restrictive manner.
One grey area in particular which has probably not received the GDPR attention it deserves is in respect of the employment of domestic workers. For example, any employer of a nanny will need to process certain amount of their personal data to know, at a minimum, who is coming to their house and how that person can be contacted and paid. As far as the person employing such domestic workers is concerned, their work is primarily a matter of the household and of no other business. However, the domestic worker who comes into a household to do a job they are paid for would treat their stay in that household clearly as a commercial activity.
Processing of such information is not a GDPR-exempt activity and the regulator will enforce the information rights these individuals have against their employer. Where employers cannot rely on the household exemption, they are under an obligation to take measures to satisfy at least the bare minimum requirements of the applicable data protection law.
Most notably, this requires the employer (as the “data controller” determining the purpose and means of the processing) to comprehensively inform the domestic worker on the specifics of the processing, including what third parties may access the employee’s information, whether by way of a privacy notice or within the employer’s terms of engagement. In many instances, this would be a straightforward task to complete, but it often gets overlooked.
But what about accounting for trickier processing scenarios such as when CCTV is operational in the household or when connected devices, such as smart speakers are present on the premises and may be recording the domestic worker’s activities? Such devices may record personal data such as images or voice recordings, which is not necessary for the performance of the employment contract and this needs to be notified and may need to be justified on a different basis.
Google’s very own Rich Osterloh (SVP, Devices and Services) announced he would tell visitors to his house that there is a smart speaker operating in the background. Employers of domestic workers need to understand how these devices work and the impact on data processing before they introduce them into the home but sadly this information is not always readily accessible from the relevant provider (although try asking your Alexa or Siri about their processing and you should be gifted with their stock responses on data processing).
Overall, the key to compliance here is twofold:
1) understanding that just because an activity happens in your household does not make it a GDPR-exempt activity;
2) notifying domestic workers (in a clear and transparent manner) how you are processing their data, especially where the data processing is more intrusive and not necessarily expected.