On Thursday, 12 October 2023, as part of the ARC2 project, GDPR consultant at Horvath Wolf d.o.o. Vlatka Vuković held a free for micro, small and medium-sized enterprises and craftsmen.

All data controllers and data processors, regardless of activity, process personal data of their employees and associates. The processing of workers’ data begins with the publication of a vacancy notice or the collection of open requests from interested candidates, and continues after the termination of the employment relationship. Throughout this time, it is necessary to ensure the lawfulness of the processing and to adequately protect the data, as well as the privacy of workers.

This online workshop covers the obligations of employers under the General Data Protection Regulation in all the most important processes of processing personal data in an employment relationship with a multitude of practical examples and an overview of the case law and decisions of supervisory authorities. Thus, participants had the opportunity to hear about the appropriate legal bases for the processing of workers’ data, including consent in employment relationships, i.e. that for most data processing at the workplace, the consent of the worker cannot and should not be a legal basis due to the nature of the relationship between the employer and the employee.

Vlatka Vuković shared her rich and useful practical experience with the participants of the workshop, providing advice to the controllers/processors and expertly responding to numerous questions from the workshop participants. Inspired by the enormous (maximum) interest in this workshop, we decided to develop guidelines on the topic of personal data processing in employment relationships.

All educational materials, guidelines, footage of the workshop will be part of Olivia web tool on which we work diligently and that will be soon online.

About the processing of data in the employment relationship, the supervision of workers and their rights, as well as many other useful information can be found in the presentation used at the workshop at the link: https://arc-rec-project.eu/wp-content/uploads/2023/10/ARC2-GDPR-U-HR.pdf

The post ARC2 workshop for SMEs online workshop “Processing and protection of personal data in employment relationships” appeared first on Arc Rec Project.

Using the “http” network protocol, which is not encrypted and not secure, to access the “online services” of a website does not give adequate protection to the data of customers registered in the reserved area.

The use of a non-encrypted protocol violates important principles established by the European GDPR Regulation, such as that of “integrity and confidentiality” of the data processed. The data controller must implement technical and organizational measures suitable to guarantee a level of security appropriate to the risk (e.g. encryption of personal data) and adopt adequate systems to protect personal data right from the design phase (privacy by design), subsequently carrying out periodic reviews of the safety measures in place.

It is also good to know that these obligations also apply to systems pre-existing on the date of entry into force of the GDPR (25^th May 2018).

More information available at:

The post Online services, the use of secure protocols is required appeared first on Arc Rec Project.

Given their nature, biometric data is particularly sensitive and warrants specific protection due to its potential risks to fundamental rights and freedoms if mishandled.

In general, the processing of special data is prohibited. However, the General Data Protection Regulation (GDPR) allows for exceptions outlined in Article 9.

It is important to note that photographs do not fall into the category of special data unless they are processed through technical devices specifically designed for the unique identification of individuals.

The post VERY SPECIAL PERSONAL DATA/2 appeared first on Arc Rec Project.

Genetic data, along with biometric data, health data, and identifying data regarding ethnic origin, opinions, and beliefs of a person, and trade union membership, constitute “special categories of data” (previously defined as sensitive data under the GDPR).

The GDPR prohibits the processing of special categories of data without the explicit consent of the data subject, for one or more specified purposes.

Find out more: https://arc-rec-project.eu/wp-content/uploads/2021/01/ARC-GUIDANCE-Data-Protection-Basics-1.pdf

The post SPECIAL CATEGORIES OF PERSONAL DATA/1 appeared first on Arc Rec Project.

1. INTRODUCTION

The gender concept describes the roles and responsibilities of women and men in society’s cultural, political, and economic life. Gender equality implies that the interests, needs and priorities of both women and men are taken into consideration, thereby recognising the diversity of different groups of women and men.^[1]

Gender equality is amongst the core values of the European Union, and the promotion of equality between men and women is one of its main tasks. The EU Gender Equality Strategy for 2020-2025 is based on the following principles:

1. being free from violence and stereotypes;
2. thriving in a gender-equal economy which includes fighting gender gaps in the labour market, achieving equal participation across different sectors of the economy, addressing the gender pay and pension gap and closing the gender care gap;
3. leading equally throughout society which includes achieving gender balance in decision-making and politics;
4. gender mainstreaming and an intersectional perspective in EU policies;
5. funding actions to make progress in gender equality in the EU;
6. addressing gender equality and women’s empowerment across the world.

The final aim of the Awareness Raising Campaign for SMEs II Project (from now on referred to as ARC II project) is to enable small and medium-sized enterprises (from now on referred to as SMEs) to acquire an in-depth understanding of the GDPR, consequently gaining better skills for effective application of the regulation and to make considerable progress in reaching a higher level of protection for the data subject. One of the risks recognised by the ARCII Consortium is gender inequalities and multiple discriminatory effects occurring during the project implementation. Gender inequalities are seen as one of the main risks by the ARC II Consortium.

ARC II considers the EU Gender Equality Strategy 2020-2025. Therefore, the ARC II Consortium[2] adopts the Equality Plan for the period 2022-2023 during the implementation of the activities of the project to continuously promote gender equality among the Consortium members, organisations, and SMEs.

Based on the fundamental principles of equality and non-discrimination, the project will assure equal access to all participants irrespective of their nationality, race, caste, creed, gender, etc. The participation of boys and girls, men, and women, as well as vulnerable groups and socially excluded members of society will be ensured.

The ARC II project aims to regulate the application and monitoring of the Equality Plan implementation, including raising awareness among the employees and management concerning gender equality and combating gender stereotypes and discrimination. The goal of the Equality Plan is to fight any gender inequalities and discrimination within the project implementation.

During the project implementation of ARC II, beneficiaries should consider gender perspectives and promote gender mainstreaming project activities.

The Equality Plan will highlight three main priorities:

1. Promoting equal opportunities to men and women and including vulnerable groups (e.g., people with disabilities).
2. Women’s participation and leadership within project activities.
3. Supporting gender equality through women’s equal participation and balanced representation.

4. Promoting women’s economic empowerment.
5. To promote and encourage participation of vulnerable groups within project activities.

The Equality Plan is open to all Consortium members and SME employees, and to the SMEs to whom the project activities are intended. Its objective is to enable the amendment of measures and activities and adhere to new findings during its implementation.

1. NEEDS ANALYSIS

The Needs analysis can be either referred to new research at the beginning or to ongoing research that applies to previous projects that have already indicated the need to undertake certain activities. We will carry out a needs analysis during the project.

Equality Plan will be developed in cooperation with the Ombudsman for Gender Equality and the Ombudsman for Persons with Disabilities.

Consortium members will carry out a needs analysis within a certain number of SMEs and will concretely address the issues of a gender perspective and the non-discrimination of vulnerable groups. The Consortium will conduct a Needs analysis on gender-sensitive aspects, together with target identification. For this purpose, a survey among SMEs will be conducted at the beginning of the implementation of the project.

A Needs analysis will focus on assessing the issues, such as individual resistance or organisational weaknesses. A Needs analysis will provide the necessary data and information to combine a gender perspective into the project activities.

Needs analysis in terms of gender equality will be conducted to identify and address gender inequalities and to make sure that project deliverables are meaningful in terms of gender and that they respond to the different needs of women and men. Needs analysis in terms of the inclusion of vulnerable groups will be conducted to make sure project deliverables are meaningful in terms of the non-discrimination of vulnerable groups.

• PLANNING PHASE – EQUALITY IMPLEMENTATION PLAN

After the analysis, activities and measures to remedy the identified problems will be decided, resources and responsibilities will be attributed, and timelines will be agreed upon.

The Consortium will adopt specific measures and carry out initiatives addressing women’s needs as emerging from the needs analysis to enable them to participate in and benefit equally from project deliverables.

Below is the list of objectives and activities for the implementation of the Equality Plan that is planned to be undertaken in order to fulfil the set objectives. The list is based on previous projects that have already indicated the need to follow particular activities. If necessary, the list will be redefined after a new Needs analysis to adhere to new findings during its implementation.

1. OBJECTIVE – To raise awareness about gender equality, gender-related challenges and the inclusion of vulnerable and socially excluded groups.

COOPERATION WITH THE OFFICE OF GENDER EQUALITY OMBUDSMAN AND WITH THE OFFICE OF OMBUDSMAN FOR PERSONS WITH DISABILITIES

During the initial stages of the project implementation, the Consortium members will contact the Office of Gender Equality Ombudsman and the Office of Ombudsman for Persons with Disabilities in their countries to get feedback on proposed activities for ensuring the adequate promotion of the importance of the equality of men and women and inclusion of vulnerable groups and socially excluded groups. This action will ensure that possible issues regarding the implementation of project activities are recognised at an early stage.

INITIAL TRAINING SESSION

The Consortium will organise an initial training session for the team responsible for implementing the Equality Plan at the beginning of the work and for other targeted audiences directly involved. Continuous awareness-raising and capacity-building activities will maximise chances for the successful implementation of the Equality Plan.

INVOLVING RELEVANT AND INTERESTED STAKEHOLDERS

The Consortium will contact relevant stakeholders who are not part of the implementation team to motivate the staff involved, strengthen the potential of the Equality Plan and maximise the impact of the Equality Plan’s measures.

The Consortium will continuously keep in touch with the stakeholders to gain insights about the measures implemented and to get feedback on the improvement measures to be carried out. The Consortium will make sure that subcontractors are aware of the principles of gender mainstreaming and non-discrimination mainstreaming.

The Consortium members will also involve their communications department in this activity to ensure the use of gender-neutral and generally inclusive language in internal and external communications and to ensure the use of non-stereotypical and non-sexist images in internal and external communications during the project activities. Inclusive images will show the diversity within the Consortium members who are actively involved in project activities and the diversity within the SMEs.

The Equality Plan will be signed by the top management of the Consortium members since the visibility and support of the top management are crucial in highlighting the importance and significance of gender equality and equality and non-discrimination of vulnerable groups.

VISIBILITY OF THE EQUALITY PLAN

A formal document – the Equality Plan – will be published on the ARC II project website and on the Consortium members’ website, which the members of the top management will sign.

The Consortium will inform the organisations and SMEs about the existence of the Equality Plan. The Equality Plan will be available and easily accessible to the whole community on the ARC II project website, Consortium members’ website, and social networks (e.g., LinkedIn, Twitter, etc.). The Equality Plan will also be presented during the project activities, including the conferences that will be held in Zagreb and in Rome.

The Consortium will make sure that subcontractors are aware of the principles of gender mainstreaming and non-discrimination mainstreaming.

1. OBJECTIVE – To promote women’s participation and leadership within project activities.

COOPERATION WITH THE OFFICE OF GENDER EQUALITY OMBUDSMAN

At the beginning of the project implementation, the Consortium members will contact the Office of Gender Equality Ombudsman in their countries to get feedback on proposed activities for ensuring gender equality. This action will ensure that possible issues regarding the implementation of project activities are recognised at an early stage.

INVOLVING RELEVANT STAKEHOLDERS

The Consortium members will also, if necessary, involve their communications department in this activity to ensure the use of inclusive images with a balanced representation of females/males in images/visuals used in dissemination.

Also, invitations to participate in educations will be sent through women’s associations to promote women’s participation and leadership within project activities.

1. OBJECTIVE – Increasing gender equality through women’s equal participation and balanced representation.

ENSURING EQUAL PARTICIPATION OF WOMEN IN WORKSHOPS

When organizing workshops as part of project activities, special attention will be given to ensure the equal representation and participation of women, especially the participation of SMEs headed by successful female entrepreneurs.

Ensuring equal participation of women in workshops will be ensured through cooperation with women entrepreneurship organisations.

1. OBJECTIVE – To promote women’s economic empowerment.

COOPERATION WITH WOMEN ENTREPRENEURSHIP ORGANISATIONS

Specific measures to ensure gender mainstreaming will be undertaken, such as engaging with the Croatian, Italian and international women entrepreneurship organisations. In the world of entrepreneurship, women represent a minority. It needs huge support for their potential to be expressed, proved, and unleashed. Therefore, engagement with the women entrepreneurship organisation will ensure the participation of SMEs run by successful women business leaders.

1. OBJECTIVE – To promote and encourage participation of vulnerable groups within project activities.

COOPERATION WITH GOVERNMENT BODIES AND OTHER RELEVANT ASSOCIATIONS

In order to promote project activities and ensure the participation of persons with disabilities and minorities in project activities, cooperation will be achieved with government bodies and other relevant associations that work with people with disabilities and minorities.

ENSURING ACCESSIBILITY OF PROJECT ACTIVITIES AND PROJECT DELIVERABLES FOR PEOPLE WITH DISABILITIES

Specific measures to ensure accessibility of project activities and project deliverables for people with disabilities will be undertaken. For that purpose, whenever possible, educations will be held in spaces adapted for people with disabilities. Also, the digital tool Olivia will be developed in such a way to be suitable for people with disabilities.

1. MONITORING PROGRESS AND EVALUATION

Gender balance and the promotion of equality and inclusion of vulnerable groups will be monitored during the stages of project implementation, and suitable actions will be taken to address any imbalance that may appear. Findings from the monitoring exercises will allow for planning and to improve interventions during the Equality Plan implementation so that the results can be optimised.

^[1] https://eige.europa.eu/thesaurus/terms/1168 (accessed: 27 December 2022)

[2] The ARC II Consortium consists of project partners: Croatian Data Protection Agency, Italian Data Protection Authority – Garante Privacy, University of Florence, Faculty of Organization and Informatics of the University of Zagreb, Vrije Universiteit Brussel.

The post EQUALITY PLAN appeared first on Arc Rec Project.

The post S.O.S. DATA BREACH appeared first on Arc Rec Project.

It doesn't have to be "documented in writing" necessarily, nor is the "written form" required, although this is a suitable way to ensure the unambiguous nature and explicitness of the consent.

Furthermore, the data controller must always be able to demonstrate that the data subject has given their consent for each processing activity.

Find out more about Legal bases for processing of personal data.

The post YOU DON’T ALWAYS HAVE TO SAY YES appeared first on Arc Rec Project.

The disclosure of entire databases to other entities (transfers of entire databases to third parties) is a type of processing that carries clear risks for the data subjects (individuals). Therefore, in this case, it is essential for the company that discloses personal data to a third party to inform the data subjects and obtain their specific consent for such processing of their personal data. This consent should be separate from others, with a clear indication of the categories (e.g., financial, publishing) of the entities to which the data will be disclosed. The company that receives the data, in turn, must provide the data subjects with privacy information before processing the data (i.e. before sending commercial communications). This information should also specify the source of the data so that individuals can also contact the company which has disclosed the data to exercise their rights.

Example

A beauty salon and beauty shop collect data from their respective customers. The owner of the beauty shop asks the owner of the beauty salon to share with him its database (list of clients) for the purpose of direct marketing in order to increase sales. In its privacy notice a beauty salon informed its clients that the beauty salon could share the data with partners offering beauty products. As far as specific consent was given for the purpose of transmitting the data to other recipients for their own direct marketing, a beauty salon can send the client list to a beauty shop. No data can be sent about an individual who objected to the processing of their personal data.

The post Who are the third parties? appeared first on Arc Rec Project.

📌 Recipients may receive personal data to carry out processing on behalf of the data controller or to achieve their own specific purposes.

✔ Also, the recipients must be identified before the collection of personal data and data subjects must be informed in advance about them, as well as being mentioned in the record of processing activities.

❗ Attention ❗ If the recipient is located outside the territory of the European Union, the data controller must verify the existence of specific guarantees ensuring an adequate level of protection, before transferring the data.

The post Who are the recipients of personal data ❓ appeared first on Arc Rec Project.

The ARC2 team informed SMEs about the latest trends and examples of good, but also bad practices in the field of personal data protection. At the same time, it was also an opportunity for entrepreneurs to share the problems encountered in the application of the General Data Protection Regulation and, with the support of experts from the Croatian Personal Data Protection Agency find solutions for their compliance hurdles.

In his opening speech, Deputy Director Igor Vulje stressed that the Agency as a supervisory authority is not the primary repressive body, although the fines are always in the center of public and media attention. “We are also dedicated to our advisory role and we are very actively engaging with SMEs and other data controllers to understand their issues and help them to understand their obligations. Our goal is to help all stakeholders, to make them aware because awareness of the problem or need is the first step to finding solutions, thus eliminating problems and reducing risks. However, after five years of application of the General Data Protection Regulation, lack of information and even ignorance on how to align business processes with the data protection legal framework, can no longer be an excuse," said the Deputy Director.

This consultation is an activity within the EU project ARC2 implemented by the Agency with the aim of supporting micro, small and medium-sized enterprises in aligning business with data protection legislation.  Iva Nappholz, Legal Advisor for Projects and Support to Branch Associations from the Croatian Employers’ Association, member of the Advisory Board in project ARC2, presented the expected results and goals of the project.

Topics of the consultation were fines for breaches of the General Data Protection Regulation and the Act on the Implementation of the General Data Protection Regulation, aligning business processes with the GDPR, discussion on where organisations make the mistakes and how to fix them; technical and organisational measures for data protection and how to prepare for the Agency’s supervisory and investigative activities.

During June 2023 the Agency is planning to conduct various educational activities and invites all the SMEs to participate. More information can be found at: https://arc-rec-project.eu/dogadanja/ .

The post Consultation for Entrepreneurs “5 Years of Application of the GDPR: problems, solutions, fines and good practices” appeared first on Arc Rec Project.