Data are hosted within the European Economic Area and the data protection and data security arrangements must satisfy the University’s Data Protection Officer and Chief Information Security Officer respectively.

As union representatives, you can scrutinise your employer’s DPIA (Data Protection Impact Assessment) to make sure it:

1. Provides a description of the proposed processing of the data, and the reasons why the processing is taking place.

2. Explains the legal basis for the processing.

3. Provides an assessment of how necessary the processing of the data is in relation to the reasons for the processing - employers should only be collecting the minimum amount of data needed.

4. Consults with the relevant stakeholders – this should include trade union and/or workforce representatives

5. Identifies and assesses the risks to the personal data of individuals.

6. Identifies the measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulations.

7. Details recommendations to be signed off by project managers - the outcomes should be incorporated into the project plan.

Article 18 Personal Information and Electronic Monitoring

18.01 The Employer recognizes the right of privacy of its Employees with respect to their personal information. The Employer shall not collect, use, or disclose any Employee personal information without their expressed consent except where required by law.

18.02 Any collection, use, or disclosure of an Employees personal information shall be done in accordance with the Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96.

18.03 There shall be no electronic monitoring of Employees by the Employer for any purpose without the written consent of the Employee.

18.04 An Employee may withdraw their consent under this Article at any time.

The following actions need to be considered:

- Collecting, monitoring only relevant data about employee output, in order to facilitate performance management, and with the full knowledge and consent of the employees and their representatives.

- Differentiating between useful data, that does not invade the privacy of employees, and unhelpful or sensitive data, or data that can invade the privacy of employees at work needs to be isolated and deleted.

- Promoting trust in employees in a context of management by objectives rather than surveillance software which can often be not only ineffective but also costly and counterproductive.

Collection, management and use of personal data

[The employer] can only collect personal information about employees for valid work purposes or where directed to by the law.

[The employer] will protect the privacy of employee's personal information and not disclose or use it for any purpose other than that for which it was originally collected.

All personal data of the employee should be obtained only from [the worker directly]. If the employee’s personal data can only be obtained from a third party parties, then the employee must be notified about this in advance and written consent must be obtained.

Before a Player can voluntarily agree to use a wearable technology, the Club must first provide the Player a written explanation of the technology being proposed, along with a list of the Club representatives who will have access to the information and data collected, generated, stored and/or analyzed (the “Wearable Data”). If the wearable technology includes the ability to create a login or otherwise provide direct access to the Player’s personal data, the Club shall make that data available to the Player. In the event this functionality is not available, the Club must provide a copy of the Player’s data to the Player upon his request.

The Clubs and EP may request the Players to use wearable technology during practices to track and measure information such as jumps, change of directions, accelerations and decelerations, loads, heart rates, heart rate variations, distances, speeds, heights, weights and biometric and other health and performance data related to the Players (including the audio and video recording of this information). However, the following will be taken into account:

• The use of the aforementioned wearable technology will be subject to and conditional on its voluntary acceptance by the Players, as Players have the right to refuse to use it at any time.

• The purposes of the use of these wearable devices will be clearly explained to the Players by the Medical and Performance staff of the Club and/or by EP, also in a written form.

• All data collected by the Clubs and/or EP in relation to the use of these wearable devices is private and confidential and may only be used for health, performance and tactical purposes.

• The data collected by the wearable devices will be accessible to each Player at any time at the Player’s request.

• All collected data of each Player may be used, disclosed and shared only with the staff of the Club and/or EP and with each Player.

• All data collected by the wearable devices will never be used for the purpose of the Players’ contractual negotiations.

The Bank commits that it will not turn employee data into a commodity for sale or trade, and a clause on Respect and Human Rights: The Bank is committed to respecting workers’ privacy and human rights as defined in law and in particular with regard to the UN’s Universal Declaration of Human Rights and the ILO’s 1997.

As part of the operation of [the firm], metadata is stored to support application support and quality of service analysis, but no content from communications is stored. The stored metadata is only accessible to administrators; it is deleted after 7 days.

In accordance with the legal requirements, when using IT procedures, only those personal data of employees are processed which are necessary for the operation of the procedure or for working with the procedure. This data may not be processed by the department for other purposes. Personal employee data may only be used for behaviour and/or performance control if it was collected for this purpose and the employees concerned already knew or could have known this at the time of their work with the procedure.

The collection, processing, storage, evaluation and forwarding of data in the context of occupational health management shall be subject to the principles of economical data collection and confidentiality. The co-determination rights of the staff councils must be observed and safeguarded in this context. […] Therefore, only the data necessary for analyses and evaluation within the framework of occupational health management shall be collected, stored, forwarded and evaluated. An evaluation is only carried out in anonymous form and in compliance with data protection regulations. The transfer of personal data requires the written consent of the employees concerned.