The scenario you are describing can be analysed from an IT Security perspective and through a privacy-compliance perspective. From an IT Security perspective, the company might ask each employee to use a specific combination of username/password to make sure that it has better control over the company’s assets. There are modern technologies that allow recovery of lost passwords or account elevation, but certain companies might choose this approach. So from an IT Security perspective, if a company employs certain controls related to how these usernames/passwords can be used (in order to avoid impersonation of users), the scenario might be OK. From a privacy-compliance perspective, Article 25 GDPR – Data protection by design and by default – mentions that: “the controller shall […] implement appropriate technical and organizational measures […] which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” and that “The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”, so in order to be GDPR-compliant, the company should deploy a thorough IT Security Policy describing all the controls implemented to protect the private lives of employees, an Access Control Policy to establish who can access what resource and when, a BYOD (Bring Your Own Device) Policy if employees use their own devices, and a Mobile Device and Teleworking Policy if the employees work from home. These policies should be amended with the necessary controls to make sure that impersonation of users is avoided. You can find templates for these documents in our EU GDPR Premium Documentation Toolkit.
Also, in Article 5 GDPR – Principles relating to the processing of personal data – the third principle, at para 1. c, is called the principle of minimization: the personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The second principle, which is called purpose limitation, at para 1. b states that personal data must be collected for specified, explicit, and legitimate purposes. In this case, the purpose would require one of the legal grounds for processing personal data, as mentioned in Article 6 GDPR – Lawfulness of processing. Consent wouldn’t work because it wouldn’t be freely given, according to the European Data Protection Board’s Guidelines 05/2020 on consent under Regulation 2016/679. If the company would like to use Legitimate Interest for this processing, the legitimate interest must pass a balancing test between the company’s interests and the interests or fundamental rights and freedoms of the employees which require protection of personal data. So my recommendation would be to perform a Data Protection Impact Assessment for this processing. As part of our EU GDPR Premium Documentation Toolkit, we have a Data Protection Impact Assessment methodology that can be used.
Please consult these links as well: