{"id":12457,"date":"2020-01-11T16:58:34","date_gmt":"2020-01-11T16:58:34","guid":{"rendered":"https:\/\/portal.crigroup.com\/crigroup_new\/?p=12457"},"modified":"2022-10-13T11:35:15","modified_gmt":"2022-10-13T11:35:15","slug":"data-privacy-compliance","status":"publish","type":"post","link":"https:\/\/crigroup.com\/ar\/data-privacy-compliance\/","title":{"rendered":"Stay On Top of Your Employee Data Privacy Compliance Anywhere in the World!"},"content":{"rendered":"

Data Privacy Compliance: Anywhere in the world

Data protection laws protect employees from the misuse of their personal data, from home addresses to more sensitive data. As an employer, you’ll be trusted to safeguard and protect your employees’ data against a breach, meeting data privacy laws and regulations.

Employers need to develop policies that take a compliant but balanced approach towards their employee data privacy and security. Organizations must implement the appropriate infrastructure, management and workforce to keep data compliant throughout its lifecycle because those accused of violating data privacy rights risk significant hits to the company’s reputation and employees’ trust.

This article covers the most up-to-date laws on personal data in 61 key jurisdictions across the Americas, Asia Pacific, the Middle East, Europe and Africa:

UGANDA: The 2019 Data Protection and Privacy Act was passed into law to complement the constitutional privacy protections under Article 27 of the Constitution of the Republic of Uganda. The Act itself regulates all personal data collection, processing, use and disclosure. It applies to any person, entity or public body within or outside of Uganda who collects, processes, holds or uses personal data. The Act requires an employer to obtain informed consent before collecting or processing personal data. The Act permits the processing or storage of personal data outside Uganda if adequate measures are in place.

SOUTH AFRICA: The right to privacy is protected under the 1996 Constitution of the Republic of South Africa. The common law and the Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020, subject to a grace period until 30 June 2021. Case law recognizes that the right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so. Personal information may be processed based on one of the justifications for processing personal data under POPIA. These justifications include consent and where it is necessary for pursuing the legitimate interests of the responsible party or employer, or third party to whom it is disclosed.

NIGERIA: The National Information Technology Development Agency has published Data Protection Guidelines, 2019, which safeguard the rights of natural persons to data privacy.

MOZAMBIQUE: The Constitution of the Republic of Mozambique, as well as the recently enacted Electronic Transactions Law (Law No. 3/2017, of 9 January), prohibits access to databases or to computerised archives, files and records for obtaining information on the personal data of third parties, as well as the transfer of personal data from one computerized file to another that belongs to a distinct service or institution, except in cases provided for by law or by judicial decision. The Labor Law establishes that employers may not require an employee to supply information regarding their private life, except when particular requirements inherent to the nature of the professional activity so require. In addition, employees’ personal data obtained by an employer is subject to a duty of confidentiality. Information whose release would violate that employee’s privacy rights may not be given to a third party without the employee’s consent unless it is required by law.

KENYA: The Data Protection Act, 2019 gives effect to Article 31(c) and (d) of the Constitution on the right to privacy. The Act establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data and provides for the rights of data subjects and obligations of data controllers and processors, among others. The Act is modelled along the lines of the EU General Data Protection Regulation (GDPR). The Constitution guarantees the right to privacy. The Computer Misuse and Cyber Crimes Act, 2018 creates various offences, including the right to privacy, concerning computer systems.

KUWAIT: There are no clear laws in Kuwait comparable with those in the US or Europe concerning the handling and transmission of employees’ personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Kuwait law, including the protections set out in the Kuwait Penal Code and the Kuwait Constitution.

ANGOLA: The Data Privacy Law No. 22/11, 17 June, governs Angolan data privacy and determines, in general terms, how to collect, use, disclose, store and give access to “personal information.” There is no specific regulation on employee data privacy.

JAPAN: The receipt, maintenance of and access to personal information relating to an individual is regulated by the Act of Protection of Personal Information. Broadly, upon the collection of such information, the collector must notify the person of the purpose of the use of such information and after that must take necessary and proper measures to prevent leakage, loss or damage of that information, and take other reasonable steps to control the security of the personal information. In addition, the party maintaining such information is required to adopt internal regulations designed to ensure the confidential and secure maintenance of such information as long as it is held. Disclosure of personal information to third parties (parent and affiliated companies are considered third parties) is strictly limited.

INDIA: Employee records and employee access to data: the Information Technology Act, 2000 covers data protection and violation of personal privacy. This statute safeguards against certain breaches concerning data from computer systems, prevents unauthorized use of computers and creates liability for damage suffered in the event of unauthorised access, downloading, extraction and copying of data from a computer system or network. It stipulates the penalty for breaches of confidentiality and privacy. The storage, management and handling of sensitive personal data or information belonging to persons located in India is regulated by the Sensitive Information Rules enacted under the Information Technology Act, 2000. The government of India has also released the Personal Data Protection Bill, 2019 (Data Protection Bill), with which the Indian government is considering replacing the Sensitive Information Rules. Sensitive personal data or information is defined under the Sensitive Information Rules to include passwords, financial information, physical, psychological and mental health conditions, sexual orientation, medical records and history, and biometric information. Any body corporate receiving any of the above types of information due to either using the services of an individual or employing an individual must comply with the Sensitive Information Rules regarding the processing and storing of such information.

MALAYSIA: Governed by the Personal Data Protection Act 2010 (PDPA), employers must obtain employees’ consent (implied or express). Explicit consent is required if “sensitive personal data” is being collected. Businesses must notify their employees of the nature and purpose of the information being collected, to whom it is being disclosed, and that the employees have the right to access such data. Employee consent is also required before employee personal data is shared with third parties (external payroll service providers). As a result of the PDPA, an employee consent/notice document is required. This document has to be bilingual – in English and Bahasa Malaysia – and is usually a separate document and referenced in the employment contract.

SINGAPORE: Employers are required to notify employees of the reason behind the usage of their personal data in connection with the management and termination of employment and/or obtain their consent where collecting, using or disclosing their personal data. However, under the PDPA, an employer is permitted to collect, use and disclose the employees’ personal data for purposes of managing or terminating an employment relationship without the need to seek the employee’s consent, so long as the employee has been notified of the purposes of such collection, use and disclosure and/or provides their consent before such collection, use and disclosure. Further, employers may collect, use and disclose personal data without obtaining the employees’ consent or notifying them where it is necessary for evaluative purposes, including determining the suitability or eligibility of an individual to whom the data relates for employment, continuance in employment or promotion. Note that employers must seek consent for purposes that are not related to or collect personal data that is not relevant to the management or termination of an employment relationship or that are not relevant for evaluative purposes unless any other exception under the PDPA applies.

THAILAND: The Personal Data Protection Act BE 2562 (2019) (PDPA) was enacted on 28 May 2019 and has full effect from 27 May 2020. The PDPA is the first-ever law relating to personal data protection in Thailand. Essentially, consent is required for the collection, use and/or disclosure of personal data. Under the PDPA, the term ‘personal data’ is defined as any data pertaining to a person that enables identifying that person, whether directly or indirectly, but specifically excluding data of someone deceased.

MYANMAR: There are no specific regulations or laws. However, according to the Protecting the Privacy and Security of Citizens (enacted on 8 March 2017), a person is not allowed to do the following without permission of the relevant authorities: