Challenge 4: Data and GDPR
The European Union adopted the General Data Protection Regulation (GDPR) in 2016, and it has applied since May 2018, with fines for non-compliance of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. Data protection is a fundamental right under the EU Charter, but good data protection also builds trust and saves time and money. When deciding to collect data, and in order to follow the regulation properly, it can be very helpful to get legal expertise to ensure that member data is safe and secure.
As an example, the ETUC worked with a legal team and a data protection officer to put safeguards in place for handling the data it collected. A Data Protection Impact Assessment (DPIA) was carried out, and a Data Processing Agreement (DPA) was signed with every company or online tool the ETUC worked with, in order to ensure the highest level of data protection.
Solution 1: Collect only the data that is directly relevant and required
GDPR is the legal basis for ensuring that only necessary and proportionate data is collected, as set out in the data minimisation principle of Article 5(1)(c). In practice this means that you must:
- Describe the measures that are used to collect data;
- Define your objectives;
- And choose the option that is the least intrusive but most effective.
If you really think about it, GDPR is simply the legal basis for good data practice. This holds for campaigns, for tackling the far right online and for organising efforts.
An organising database should store and process only meaningful information about:
- Members – job status, vulnerability, level of activity in the union, etc. (note that trade union membership itself is special category data under Article 9 and needs an additional legal basis for processing)
- Potential members and activists
- Individual workers’ relationship with the union
- Identification of organic leaders/workers with influence
- Identification of workplace issues
- Charting activities / “structure tests”
- Member retention and activation/ mobilisation
Solution 2: Have a clear data protection policy and appoint a Data Protection Officer (DPO)
It is very important that you let people know how their data is used and how you will treat it. As colleagues from the European Trade Union Institute (ETUI) remind us, data must be:
- Processed lawfully and in a transparent manner
- Collected for explicit and legitimate purposes
- Limited to what is necessary
- Accurate and kept up to date
- Retained only for the time needed
- Processed in a secure manner
- Supported by the principle of accountability
This is just a short overview of the obligations; making sure that you follow all of the rules requires an expert in data and the rules around GDPR.
As an example, the ETUC obtained legal advice and appointed a data protection officer when setting up its action-europe platform. This was useful for fulfilling Article 35 of GDPR, which requires a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals. As the ETUC was using a new technology for the first time, it was key to get it right, so that supporters who signed petitions understood what would happen with their data and could be confident that it would be protected from breaches or unlawful use.
Solution 3: Respond to users’ privacy rights
It is natural that everyone wants to know what is happening to their data. Your duty is to respond to requests about data handling proactively and without undue delay (GDPR sets a deadline of one month, extendable in complex cases). Keep in mind that:
- Each person is in control of her/his data.
- Everyone can choose to share data or stop sharing it at any moment.
- Do not share people’s data without their consent.
The key principles here are consent and legitimate use. This makes sense above and beyond the legal point of view: you want to collect data to use for campaigns, to mobilise, to recruit, etc., so it is natural that you want engaged people who consent to working with you.
Solution 4: Be specific, not all workplaces/ unions are the same
Although GDPR is more or less the same in every current or former EU Member State, the way data protection is actually regulated and enforced can vary. There are also big differences in the laws and regulations that apply to unions, and in the way employers behave in different types of workplaces. You can collect data under GDPR, but you need to be careful about certain things, such as:
- What your union’s data policy says
- Your purposes in giving union members access to the data
- How you store your data
- How you get consent from workers who are not (yet) union members to keep their data in the database
For more information on how unions can make the best use of EU data protection rules to protect workers’ private data, check out industriAll Europe’s GDPR Toolbox for Trade Unionists.
Solution 5: Use GDPR to protect workers
Employers are collecting more and more data on workers and using it for algorithmic management that controls their lives and working conditions. The ETUI reminds us that there are ways to use GDPR that specifically protect workers. Just a few examples:
- Employers cannot use key-logging or mouse-movement detection software to check that employees are online, as that is disproportionate.
- Employers cannot use access control to buildings to evaluate a worker’s performance.
- Employers cannot use video analytics to be alerted if someone stops moving on an assembly line.
To find out more, please refer to this article on the Article 29 Working Party's employee privacy guidance: Pfleife (2017) https://iapp.org/news/a/wp29-releases-extensive-employee-privacy-guidance/