JISCMail - DATA-PROTECTION Archives

Thanks, Claire. Circulating your comment below to the wider list.

In the absence of having to avoid the need to get consent, I am happy to add necessary for performance of a contract to my defence to a regulator investigation!

R

From: Claire E Miller [mailto:[log in to unmask]]
Sent: 04 April 2016 15:50
To: Marchini, Renzo <[log in to unmask]<mailto:[log in to unmask]>>
Subject: RE: email address as personal data

Renzo,

Could you not argue that the processing is necessary for the performance of a contract (employment contract), insofar as the contract of employment could not be performed adequately if the email was not sent because the employee would not be following reasonable instructions required in return for their salary and the employment relationship would break down? A very tenuous argument, admittedly, but the situation you describe below can't be the intended outcome, even if it's only arrived at when sticking to the strict letter of the law.

Regards,

Claire

Claire Miller
Information Governance Officer
Legal Services
University of Central Lancashire

From: Marchini, Renzo [mailto:[log in to unmask]]
Sent: 04 April 2016 15:32
To: Claire E Miller <[log in to unmask]<mailto:[log in to unmask]>>; [log in to unmask]<mailto:[log in to unmask]>
Subject: RE: email address as personal data

Thank you, Claire.

I agree with your answers. Or at least agree that that is a "purist" approach to the issue.  But was hoping for a contrary view to avoid the following:

A consequence then is that any EU company needs to put in place "model clauses" with all non-EU companies with whom it deals (except those in "white listed" adequate countries).

I accept that regulators would take a "pragmatic" view of this, but was hoping that there was a clear way out of that conclusion ... but I can't see it.

Best

Renzo

Renzo Marchini
Special Counsel
Dechert LLP
+44 20 7184 7563 Direct

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Claire E Miller
Sent: 04 April 2016 15:25
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: [data-protection] email address as personal data

An employee of an EU company sends an email (on behalf of the employer) to an address of an individual at a US company.


1.     Is this a transfer of "personal data" for the purposes of the eight principle?   (The content of email is not personal data.  But the email heading will contain, as usual, the email address "From: [log in to unmask]<mailto:[log in to unmask]>".)



I think it must be - it identifies the individual and tells you that they work for the organisation.


2.     If so, can the EU company rely on "consent" of the employee to avoid having to comply with the eighth principle?

Is the employee really consenting if they are told by their employer to email someone and it is part of their role? Is it a request or an order? Is it reasonable/acceptable for them to say no? If not, it's not really consent.


3.     If so, does it make any difference if the employee does not know that the nationality of the recipient entity (ie does not know that the company at which the recipient works is a US company)?



If the employee can consent freely to sending the email, it must make a difference whether or not they know that the recipient works for a US company, otherwise it's not informed consent - they can't consent to sending the email (and their personal data) to the US if they don't know that that's what they're doing.


Claire Miller
Information Governance Officer
Legal Services
University of Central Lancashire
________________________________

**********************************************************************
This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is authorised and regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^