Thanks, Claire. Circulating your comment below to the wider list.
In the absence of having to avoid the need to get consent, I am happy to add necessary for performance of a contract to my defence to a regulator investigation!
R
From: Claire E Miller [mailto:[log in to unmask]]
Sent: 04 April 2016 15:50
To: Marchini, Renzo <[log in to unmask]>
Subject: RE: email address as personal data
Renzo,
Could you not argue that the processing is necessary for the performance of a contract (employment contract), insofar as the contract of employment could not be performed adequately if the email was not sent
because the employee would not be following reasonable instructions required in return for their salary and the employment relationship would break down? A very tenuous argument, admittedly, but the situation you describe below can’t be the intended outcome,
even if it’s only arrived at when sticking to the strict letter of the law.
Regards,
Claire
Claire Miller
Information Governance Officer
Legal Services
University of Central Lancashire
From: Marchini, Renzo [mailto:[log in to unmask]]
Sent: 04 April 2016 15:32
To: Claire E Miller <[log in to unmask]>;
[log in to unmask]
Subject: RE: email address as personal data
Thank you, Claire.
I agree with your answers. Or at least agree that that is a “purist” approach to the issue. But was hoping for a contrary view to avoid the following:
A consequence then is that any EU company needs to put in place “model clauses” with
all non-EU companies with whom it deals (except those in “white listed” adequate countries).
I accept that regulators would take a “pragmatic” view of this, but was hoping that there was a clear way out of that conclusion ... but I can’t see it.
Best
Renzo
Renzo Marchini
Special Counsel
Dechert LLP
+44 20 7184 7563 Direct
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]]
On Behalf Of Claire E Miller
Sent: 04 April 2016 15:25
To: [log in to unmask]
Subject: Re: [data-protection] email address as personal data
An employee of an EU company sends an email (on behalf of the employer) to an address of an individual at a US company.
1.
Is this a transfer of “personal data” for the purposes of the eight principle? (The content of email is not personal data. But the email heading will contain, as
usual, the email address “From: [log in to unmask]”.)
I think it must be – it identifies the individual and tells you that they work for the organisation.
2.
If so, can the EU company rely on “consent” of the employee to avoid having to comply with the eighth principle?
Is the employee really consenting if they are told by their employer to email someone and it is part of their role? Is it a request or an order?
Is it reasonable/acceptable for them to say no? If not, it’s not really consent.
3.
If so, does it make any difference if the employee does not know that the nationality of the recipient entity (ie does not know that the company at which the recipient
works is a US company)?
If the employee
can consent freely to sending the email, it must make a difference whether or not they know that the recipient works for a US company, otherwise it’s not informed consent – they can’t consent to sending the email (and their personal data) to the US if
they don’t know that that’s what they’re doing.
Claire Miller
Information Governance Officer
Legal Services
University of Central Lancashire