Duty to loyalty to data protection
In many companies, employees have access to the data of customers, suppliers, clients and other employees. Often nobody thinks about this. One does not remember that this can follow data protection problems with far -reaching consequences, among other things.
Dealing with personal data
The farm owner is obliged to regulate the handling of this data bindingly and comprehensibly. An employee may process personal data on which he has access only on the instructions of his employer .
Incomplete or misleading rules of use
If such dealings are missing or if they are incomplete or misleading, the question arises as to how the employee has to react. The same applies if the employee believes that dealing with such data in the company is questionable or even inadmissible.
Here, too, the principle also applies: an employee is obliged to tolerate and refrain from what he is obliged to do by contract and instruction as well as due to the duty of loyalty to his employer. If an employee has doubts about the legality of a processing of personal data requested or incumbent on him, he can be entitled to refrain from executing the activity. On the other hand, the employee will hardly ever be entitled to carry out the required activity differently than the employer.
No entitlement to the "whistling" of the employer
As a rule, it is incompatible with the duty of loyalty that the employee shares such a legality with people outside the company. In particular, he is not entitled to inform third parties about supposed data protection deficits in the employer's operation. This also applies to information to the supervisory authority.
The question of whether the employee may inform the company data protection officer about supposed data protection deficits must also be answered in a differentiated manner.
In the event of an external data protection officer , one will have to deny that the employee is entitled to inform the data protection officer. The external data protection officer is third. Which information about internal matters is revealed to him is the responsibility of the owner.
However, this principle only applies to a limited extent if the employee contacts the external data protection officer as a data subject, i.e. because of the processing of personal data relating to himself. In this case, too, the employee will have to weigh up his interest in the protection of him and his obligation to loyalty to his employer. Finally, with an internal data protection officer, convincing reasons also speak for the fact that the employee has to comply with information about alleged abuses, which is specified by contract, instruction, duty to loyalty to the supervisor and operational exercise. According to this, it can be possible that the company data protection officer may be informed directly. However, this is by no means mandatory.
Tip
Employees and employers - the latter as a person responsible within the meaning of the General Data Protection Regulation - is strongly advised to clearly regulate the internal processing of personal data and to document the related regulations and instructions well.
