The Data Privacy Law No. 24,766 sets limits to the type of personal data that may be collected by prohibiting the collection of sensitive personal data, such as data that is related to political or religious opinions, and regulates the collection, use, processing and transfer of personal data.
Employers are allowed to monitor employees' work devices, provided the employee is duly notified in advance, and personal information is safeguarded and not disclosed.
Australia has very stringent data privacy obligations. As a general rule, personally identifiable data can only be processed if it is required for the performance of the employment contract and constitutes an employee record. Certain acts and practices are exempt from the application of Australia's data privacy laws, but there are strict criteria which must be met for an exemption to apply. Employee records are generally exempt but this exemption will not apply to documents that come into existence prior to the employment relationship (such as pre-employment/hire documentation). At the time it collects personal information, the employer is required to provide the individual with a statement setting out the company's obligations under Australia's data privacy laws and the individual's rights. Further restrictions apply for sensitive personal data. Employee records (with the exception of tax file numbers) are not covered by the Australian notifiable data breach regime, which requires notification to the Office of the Australian Information Commissioner (OAIC) and to affected individuals of any data breach which could result in serious harm. However the OAIC advises that it is good practice for employers to notify employees affected by a data breach so that they may take protective action.
The monitoring of individuals and their data is covered by various surveillance legislation in each state/territory. Essentially, surveillance of employees is prohibited in sensitive areas such as washrooms and change rooms, unless the surveillance device is installed pursuant to a warrant or authorization. Surveillance is permitted in public areas if it conforms with relevant legislation. The monitoring of an employee's use of a work computer (emails and Internet browsing) is governed by specific laws in some states.
Employees generally must be notified of personal data processing (and in certain cases, give consent). Strict rules apply to data transfer outside the EEA. Monitoring employees usually requires an agreement with the works council (if any) or an individual agreement with each employee. Since May 2018 Austria has been subject to the General Data Protection Regulation which has introduced significant new obligations and onerous sanctions for employers.
There are no clear laws in Bahrain comparable with those in the US or Europe concerning the handling and transmission of employees' personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Bahrain laws, including the protections set out in the Bahrain Penal Code.
Employees generally must be notified of personal data processing (and in certain cases, give consent). Registrations with the Privacy Commission are required in certain cases. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and Internet use and use of cameras at the workplace. Since May 2018, Belgium has been subject to the General Data Protection Regulation, which has introduced significant new obligations and onerous sanctions for employers.
Notification and consent are recommended. The National Congress has reviewed some bills addressing data privacy matters, and a new data protection law will become effective in August 2020.
Monitoring of corporate e-mail and Internet use is allowed, but employees should be notified that they cannot expect privacy in the use of these work tools.
Legislative requirements vary by jurisdiction. Where privacy laws apply, personal information must only be collected with consent and only used for the purposes for which it was collected. In most jurisdictions, email and Internet use may be monitored where notice has been given through clear employer policies.
The employer is obliged to maintain the privacy of the information and personal data related to its employees. The right to personal data protection has the status of constitutional right and therefore any breach can lead to litigation for impairment of fundamental rights.
The Regulations on Employment Services and Employment Management require that an employee's personal data be kept confidential and not be made public without the employee's consent.
The PRC Cyber Security Law imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
To process personal data, data controllers must provide a privacy notice to the affected employees prior to the collection and processing of personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject/employee.
Employees will have the right to know, update and correct their personal data. This right may be exercised in relation to partial, inaccurate, incomplete, split, or deceptive data, and/or data that is prohibited from or not authorized for processing (such as race or ethnic origin, political orientation, religious or philosophical orientation, and enrollment to unions or social organizations, among other items considered as sensitive information).
Employees can revoke the authorization granted for the processing of their personal data and may request removal of their personal information from the employer's or subcontractor's databases by filing a formal claim, save for information directly related to their employment (for example, HR core data, recruitment, performance, global compensation, learning and training-related data and master data). This possibility is only applicable in the case of wrongful use of the employee's information.
Generally, employees must be notified of personal data processing (eg camera recordings) and, in certain specific cases, give their consent. Significant restrictions on monitoring employees, including email and internet use.
The Czech Republic is subject to the General Data Protection Regulation (GDPR). The local law implementing the GDPR shall be issued in 2019.
Employers must comply with the General Data Protection Regulation (GDPR), as of May 25, 2018, and the Danish Data Protection Act.
Employees will have the right to detailed information about the processing of their data. All information provided must be concise, transparent, easily accessible and in plain language. Employers must provide information on the legal basis for processing and, if the data is sensitive, which of the conditions for processing special categories of personal data the employer relies on. The notice must also advise the employees of their rights under the GDPR.
Employees must usually be notified about personal data processing and give consent to this when necessary. Only necessary data may be processed. Special rules apply to data transfers outside of the EEA. Significant restrictions on monitoring email and internet use.
From May 2018, Finland will be subject to the General Data Protection Regulation which will introduce significant new obligations and onerous sanctions for employers.
The General Data Protection Regulation (GDPR) came into force on May 25, 2018. It applies to any processing of personal data within the EU. The GDPR implements new rights for data subjects, such as right to access, data erasure, data portability and consent.
Where data processors/controllers process operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data, a Data Protection Officer (DPO) must be appointed.
Data transfers outside of the EU are subject to additional requirements. Significant restrictions on monitoring internet and e-mail use, even on a company IT device.
Covered by the EU-wide General Data Protection Regulation (Datenschutzgrundverordnung), which entered into force in May 2018, and the complementing Federal Data Protection Act. Processing of personal data is generally unlawful except as listed by the Act and the General Data Protection Regulation, a works council agreement or free and individual consent. Appointment of data protection officers is required if more than 9 individuals deal with electronically saved personal data. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and Internet use.
The PD(P)O is principally concerned with 6 data protection principles (DPPs). Broadly, these require that personal data is only collected for a lawful purpose, that only personal data which is necessary and not excessive for that purpose may be collected, and that individuals are informed of certain things before data is collected or used (DPP 1); that all reasonably practicable steps need to be taken to ensure that personal data is accurate and that it should only be retained for as long as necessary to fulfill its purpose (DPP 2); that personal data must not, without the prescribed consent of the job applicant or employee, be used for a purpose other than the purpose for which it was collected (DPP 3); that all reasonably practicable steps must be taken to ensure that the personal data is secure and protected against unauthorized or accidental access, processing, erasure or other use (DPP 4); that all reasonably practicable steps must be taken to ensure that an individual can access information about the data user's policies and practices in relation to the personal data, the kind of personal data about him or her that is being held, and the purposes for which it will be used (DPP 5); and that, with some exceptions, an individual is entitled to request access to all personal data held by a data user and to correct that data if it is inaccurate (DPP 6). There are provisions in the PD(P)O restricting the transfer of personal data outside of Hong Kong, but these are not currently in force.
Employers must balance their need to obtain, use, store and disclose information for effective management and business purposes with their employees' right to privacy. The law distinguishes between "personal data" and "sensitive personal data." Special rules apply for the transfer of personal data within and outside of the EEA. The National Authority for Data Protection and Freedom of Information is responsible for ensuring compliance and enforcing data protection.
Since May 2018, Hungary has been subject to the General Data Protection Regulation which introduced significant new obligations and onerous sanctions for employers.
Employee records and employee access to data
The Information Technology Act, 2000 covers data protection and violation of personal privacy. This statute safeguards against certain breaches in relation to data from computer systems, prevents unauthorised use of computers and creates liability for damage suffered in the event of unauthorized access, downloading, extraction and copying of data from a computer system/network. It stipulates the penalty for breaches of confidentiality and privacy.
The storage, management and handling of sensitive personal data or information belonging to persons located in India is regulated by the Sensitive Information Rules enacted under the Information Technology Act, 2000. Sensitive personal data or information is defined under the Sensitive Information Rules to include passwords, financial information, physical, psychological and mental health conditions, sexual orientation, medical records and history, biometric information.
Any body corporate receiving any of the above types of information as a result of either using the services of an individual or employing an individual must comply with the Sensitive Information Rules regarding processing and storing that information.
Law No. 11 of 2008 on Electronic Information and Transactions, which has recently been amended, restricts the electronic use of private data without the data subject's consent. Under Law No. 39/1999 on Human Rights, each individual has the right to their own privacy, and cannot be subjected to an investigation in relation to personal data without their agreement, except on the order of a court or other legitimate authority under prevailing legislation. A new draft of the Data Privacy Law has been prepared, but it is not clear when it will be introduced.
Since May 2018, Ireland has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. GDPR requires employers to identify a legal basis for their processing of personal data and it is unlikely that a "catch all" consent will enable processing of employee data by an employer. Employers must ensure that they have GDPR compliant documentation and that they are able to deal with the new rules on subject access requests. There continue to be significant restrictions on monitoring employees, including email and internet use.
Employees generally must be notified of the terms of the employer's personal data processing policy, and must consent to it. Registrations in the Databases Register may be required. Special rules apply to data transfer outside Israel. Significant restrictions on monitoring email and Internet use. Monitoring personal email is restricted.
Employees generally must be notified of personal data processing (and in certain cases, give consent). Special rules apply to data transfer outside the European Economic Area (EEA). It is not possible to control or monitor employees remotely with devices except upon agreement with the works council or authorization of the Labor Office, with the exception of the instruments used by the employee to carry out their work or to detect access or attendance. Since May 2018, Italy has been subject to the General Data Protection Regulation, which introduced significant new obligations and onerous sanctions for employers.
The receipt, maintenance of and access to personal information relating to an individual is regulated by the Act of Protection of Personal Information. Broadly, upon the collection of such information, the collector must notify the person of the purpose of the use of such information, and thereafter must take necessary and proper measures to prevent leakage, loss or damage of that information, and take other reasonable steps to control the security of the personal information. In addition, the party maintaining such information is required to adopt internal regulations designed to ensure the confidential and secure maintenance of such information as long as it is held. Disclosure of personal information to third parties (parent and affiliated companies are considered third parties) is strictly limited.
Kenya does not presently have data protection legislation. There are, however, two draft bills, both titled the Data Protection Bill, 2018, which were published during 2018. Both Bills are modeled along the lines of the EU General Data Protection Regulation (GDPR).
The Constitution gives citizens the absolute right to privacy, but some restrictions may be imposed contractually, especially relating to data transfer to third parties.
Kenya has also enacted the Computer Misuse and Cyber Crimes Act, 2018 which creates various offences, including the rights to privacy, in relation to computer systems.
There are no clear laws in Kuwait comparable with those in the US or Europe concerning the handling and transmission of employees' personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Kuwait law, including the protections set out in the Kuwait Penal Code and the Kuwait Constitution.
The General Data Protection Regulation (GDPR) has been in force since May 25, 2018. It has been complemented by a law dated August 1, 2018.
Since then, the processing of personal data is no longer subject to a prior notification to/authorization from the National Data Protection Commission (Commission Nationale pour la Protection des Données or CNPD). However, the processing of personal data for the purpose of supervising employees in the context of employment relationships may only be carried out by the employer under certain conditions.
The employee's consent does not legitimize the processing of data.
Employees as well as the Staff Delegation/the Labor and Mines Inspectorate (Inspection du Travail et des Mines or ITM) must be notified of any personal data processing.
Data subjects have the right to lodge a complaint with the CNPD.
Collection and processing of personal data is governed by the Personal Data Protection Act 2010 (PDPA). Employers must obtain employees' consent (implied or express) before collecting and processing employees' personal data, and explicit consent is required if "sensitive personal data" is being collected. Employers must notify their employees of the nature and purpose of information being collected, to whom it is being disclosed, and that the employees have the right to access such data. Employee consent is also required before employee personal data is shared with third parties (for example, external payroll service providers).
As a result of the PDPA, an employee consent/notice document is required. This document has to be bilingual – in both English and Bahasa Malaysia – and is usually a separate document and referenced in the employment contract.
To process personal data, data controllers must provide a privacy notice to the affected employees prior to the collection and processing of such personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject/employee.
Employees must be notified of data processing in accordance with law No 09-08 on data protection. Employees' consent to the processing of their data is required. Employees should be given the right to have access to and modify/amend their personal data.
Employers must declare the data processing to the national committee for data protection (Commission Nationale de protection des Données Personnelles).
The Constitution of the Republic of Mozambique, as well as the recently enacted Electronic Transactions Law (The Law No. 3/2017, of January 9), prohibits the access to data bases or to computerized archives, files and records for obtaining information on the personal data of third parties, as well as the transfer of personal data from one computerized file to another that belongs to a distinct service or institution, except in cases provided for by law or by judicial decision.
The Labor Law establishes that employers may not require an employee to supply information regarding his private life, except when particular requirements inherent to the nature of the professional activity so require. Also, employees' personal data obtained by an employer is subject to a duty of confidentiality, and information the release of which would violate that employee's privacy rights may not be given to a third party without the consent of the employee, unless it is required by law.
There are not currently any specific laws or regulations in Myanmar relating to data privacy. However, per the Law Protecting the Privacy and Security of Citizens enacted on March 8, 2017, a person is not allowed to do the following without permission of the relevant authorities:
- Request or acquire any private call data, electronic communications data and information from operators or supply such information
- Open, search, seize, destroy or damage any envelope, parcel or correspondence communicated that are the personal affairs of other individuals and
- Criticize or interfere in the personal affairs and family affairs of any citizen or engage in conduct that may be detrimental to the good name, standing or dignity of an individual
Other than the above, there are currently no other laws or regulations on data privacy.
Employees generally must be notified of personal data processing (and in certain cases, give consent). Registrations with the Information Commissioner are required. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and internet use.
From May 2018, the Netherlands is subject to the General Data Protection Regulation (GDPR), which introduces significant new obligations and onerous sanctions for employers. In general, GDPR aims at empowering individuals (including temporary employees, job applicants, contractors, trainees and other workers) with regard to controlling the use of their personal data and at harmonising the data protection legislation across the EU.
The Privacy Act 1993 controls New Zealand data privacy and determines how employers collect, use, disclose, store and give access to "personal information."
The National Information Technology Development Agency has published Data Protection Guidelines, 2019 which safeguard the rights of natural persons to data privacy.
Notification to the employee is required. An obligation to notify the Data Inspectorate may apply. Significant restrictions on monitoring and control of employees. Special provisions apply for transmission of data outside the EEA.
There are no clear laws in Oman comparable with those in the US or Europe concerning the handling and transmission of employees' personal information. However, the Electronic Transactions Law, RD 69/2008 ("ETL") provides for the protection of personal data and regulates the transfer of personal data outside of Oman.
The Cyber Crime Law, Royal Decree no. 12/2011 ("Cybercrime Law") provides that it is an offense to violate the privacy of individuals through technology, and prohibits the collection of private data.
It is advisable to seek prior written consent from employees to the processing of their personal data to the extent necessary to overcome the various privacy protections set out in the applicable civil and criminal laws.
When an employer collects and processes personal information of its employees, especially sensitive personal information, the employer must comply with applicable guidelines on the adoption of organizational, physical and technical security measures and the registration thereof with the National Privacy Commission. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable. An employer's collection of personal information from its own employees does not require the employee's prior written consent, provided the personal information collected and the processes applied to such information are only to the extent necessary for compliance with legal requirements prescribed for an employer-employee relationship.
An employer is obliged to respect its employees' dignity and other personal rights, including their privacy and the confidentiality of the content of employees' private correspondence. There are no specific regulations on the protection of employees' privacy at work; however, statutory rules forbid the secret monitoring of employees and there are specific rules to introduce camera monitoring. The Polish Labor Code sets forth specific rules regarding collecting and processing personal data of the candidates and the employees, and in particular, lists the type of data that can be requested by the employer. In matters not regulated by the Labor Code, general rules on data protection provided for in the Act on the Protection of Personal Data and the General Data Protection Regulation apply.
The Data Privacy Law No. 67/98 governs Portuguese data privacy and determines how employers collect, use, disclose, store and give access to "personal information."
Various restrictions, notification or authorization requirements towards the Portuguese data protection authority (CNPD). Data transfers outside of the EU are subject to additional requirements. Significant restriction on monitoring Internet and e-mail use.
Except if required for the execution of the employment contract, employees generally must give consent to personal data processing. Employees have the right to be informed about the use of their personal data.
Since May 2018, Portugal has been subject to the General Data Protection Regulation, which introduced significant new obligations and onerous sanctions for employers. A local privacy law under GDPR has not been enacted yet.
In November 2016, Qatar issued a new data protection law No. 13 of 2016 on Protection of Personal Data Privacy (Data Protection Law). Businesses must take action to protect the privacy of personal data or risk fines of up to QAR 5 million. Some of the key features of the new law are:
- Personal data is defined as data relating to an individual whose identity is determined, or able to be reasonably determined, either through the data or through linking this data with other data
- The Data Protection Law applies to personal data when it is processed electronically, or when it is accessed or collected or extracted otherwise in preparation for its electronic processing, or when it is processed in a traditional and electronic way together
- The processing of personal data will be regulated in a way which bears similarities with existing data protection regulations elsewhere in the world
- Particular protection will be provided to certain types of personal data, such as data relevant to children, to physical and mental health and to crimes referred to as sensitive personal data
- For example, parental consent will be required in connection with the online collection and processing of the personal data of children
- Businesses will need to implement suitable measures, including training, to protect personal data from loss, damage, modification, disclosure or illegal access
- Direct marketing will require the prior consent of the intended recipient and, amongst other requirements, the relevant communication must include a means by which the recipient may opt-out of future communications
This law may sit alongside the Qatar Financial Centre data protection regulations. It is also important to note that as per the Qatar Penal Code it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to overcome the various privacy protections.
Employees must be informed of personal data processing (and in certain limited cases, must give consent).
Since May 2018, Romania has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. Under the GDPR, specific rules apply to any personal data transferred outside the European Economic Area aimed at ensuring that appropriate safeguards are provided for the transferred personal data and that enforceable data subject rights and effective legal remedies for data subjects are available.
Monitoring of employees, including email and internet use, may be performed under very specific circumstances, provided that the legal provisions which impose restrictions on interference with the protection of private life, data privacy and electronic communications are complied with.
In certain cases, employers are required to obtain the prior written consent of their employees in order to process their personal data (eg, transferring personal data to third parties including cross-border transfers).
Transfer of employee data outside of the KSA is not regulated under Saudi law. However, general Sharia principles provide for personal data protection rules which imply that employers should include provisions in employment contracts where the employee's consent is required for the employer to use or disclose the employee's data to third parties, to the extent that such disclosures may be required.
Generally, employers are required to at least notify applicants of the purposes for which their personal data is being used in connection with the management and termination of employment and/or obtain their consent where collecting, using or disclosing their personal data.
However, under the PDPA, an employer is permitted to collect, use and disclose the employees' personal data for purposes of managing or terminating an employment relationship without the need to seek employee's consent, so long as the employee has been notified of the purposes of such collection, use and disclosure and/or provides his or her consent prior to such collection, use and disclosure. Notably, employers may collect, use and disclose personal data without obtaining the employees' consent or notifying them where it is necessary for evaluative purposes, including the determination of the suitability or eligibility of an individual to whom the data relate for employment, continuance in employment or promotion.
Note that employers would need to seek consent for purposes that are not related to, or for the collection of personal data that is not relevant to the management or termination of an employment relationship or not relevant for evaluative purposes (unless any other exception under the PDPA applies).
Covered by national Data Protection laws and EU rules. Processing of personal data is generally unlawful except as listed in relevant legislation, or based on consent of the individual. Special rules apply to data transfers outside the EEA.
In general, an employer may collect personal information on an employee which relates to his or her qualifications and professional experience, and other information which is relevant to the work carried out by the employee.
From May 2018, Slovakia is subject to the General Data Protection Regulation, which introduced significant new obligations and onerous sanctions for employers.
The right to privacy is protected under the Constitution of the Republic of South Africa, 1996 and the common law. Case law recognizes that the right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so. Personal information may generally be processed with consent or where necessity dictates.
The Protection of Personal Information Act, 2013 (POPIA) has been signed into law but, save for certain sections, is not yet in force and effect. It is anticipated to come into effect shortly.
Under the PIPA, an employee is entitled to request the employer to allow access to, correct or delete his or her personal information. The PIPA requires an employer to obtain the consent of the individual employee when his or her personal information is obtained or provided to third parties.
Employees generally must be notified of personal data processing (and in certain cases, have to give consent). Registration of databases with the Spanish Data Protection Commissioner (AEPD) is required. Special rules apply to data transfers, even between companies belonging to the same group. International data transfers are subject to a stringent regime of administrative approvals and consents. Significant restrictions on monitoring email and Internet use at the workplace. Spain is subject to the General Data Protection Regulation.
The Swedish Personal Data Act applies to the processing of employees' personal data. The employer must ensure that the fundamental requirements for processing of the employees' personal data are fulfilled (eg, personal data must be correct, adequate and relevant in relation to the purposes of the processing, and may not be retained for a longer period than is necessary in light of the purposes of the processing); there must be a legal basis for the processing, such as performance of the employment agreement or consent; and the employee must receive adequate information regarding the processing. Special rules apply to data transfers outside the EEA.
Since May 2018, Sweden has been subject to the General Data Protection Regulation, which introduced significant new obligations and onerous sanctions for employers.
In general, employees should be notified of any processing of their personal data (and in certain cases, give consent). Registrations with the Federal Data Protection Commissioner are required in certain circumstances. Special rules apply to data transfers outside of Switzerland. Significant restrictions on monitoring email and Internet use.
The collection, processing, and use of employee personal information is governed by the Personal Information Protection Act. The Act has notice and consent requirements that can be applicable to the collection, processing and use of employee information. This applies to cross-border transmission of the information or any use outside of the norms of a domestic employment relationship.
Under amendments to the Employment Services Act that came into force in late 2012, the amount of personal information that an employer may request from an employee or prospective employee has been severely restricted. Prohibited or restricted personal information includes: physiological information: for example, medical tests and fingerprints; psychological information: for example, psychiatric tests and polygraph tests; and personal lifestyle information: for example, financial records, criminal records, family information and plans, and background checks.
There are currently no provisions governing data privacy under Thai law, although the Constitution offers general data privacy protection. However, the misuse of another's personal data without consent could be considered a wrongful act under the Thai Civil and Commercial Code (ie, willfully, negligently or unlawfully injuring the life, body, health, liberty, property or any right of the injured person), and the Thai Criminal Code (ie, disclosure of secrets), if such misuse causes damages to the data subject.
Employees must be notified of personal data processing and their prior written consent should be obtained (unless exceptions stipulated under the relevant legislation are present) for such processing and transfer of their personal data. Personal data should be processed:
- In accordance with the law
- In good faith
- For definite, clear and legitimate purposes
- In a relevant and measured manner
Data controllers (individuals or legal entities that determine the purposes and means of processing personal data - eg, employers) are required to be registered with the Data Controllers Registry.
A Data Protection and Privacy Bill has not yet been passed into law. The right to privacy, however, is enshrined in the 1995 Constitution of the Republic of Uganda.
In most cases, the processing of personal data requires the consent of the respective data subject. However, employers are allowed to process an employee's basic personal data without consent to the extent required to perform the employer's statutory obligations (eg, pay salary, perform statutory reporting, etc.).
Processing of sensitive data (eg, health status data, data related to religious beliefs, political views, etc.) is prohibited, unless the individual provides explicit consent or there is a statutory ground for processing these categories of data. The processing of sensitive data requires notification to the Ukrainian Parliament Commissioner for Human Rights.
Cross-border personal data transfers require documents such as an intercompany agreement on the transfer of data, etc., in addition to the data subject's consent.
United Arab Emirates
With the exception of the Dubai International Financial Centre Free Zone, there are no clear laws in the UAE comparable with those in the US or Europe concerning the handling and transmission of employees' personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent for the processing of personal data from the employee to the extent necessary to address the privacy protections set out in UAE law, including the protections set out in the UAE Penal Code, Cyber Crimes laws and the UAE Constitution.
Since May 2018, the UK has been subject to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which have introduced significant new obligations and onerous sanctions for employers. Under this new regime, it is extremely difficult for employers to rely on consent as a basis for processing employee data and other legitimate grounds generally need to be identified.
Certain states restrict the use of employees' social security numbers for any identifying purposes. Medical information must be maintained separately from personnel files and kept confidential. Otherwise, employers generally are entitled to monitor or search corporate emails of their employees and internet traffic accessed by their computer systems, on the premise that employees do not have an expectation of privacy in the use of their employer's computer systems or corporate emails (especially with a policy that says so). Jurisdictions vary as to an employer's ability to search or monitor personal email addresses and websites accessed from an employer's computer or premises.
There is no general legislation on data protection in Venezuela. However, employees should be notified of personal data processing, and in certain cases, they must give consent. In cases involving medical checks, the employee has the right to request the confidentiality of the results.
The Civil Code requires any person to seek the consent of an individual before collecting, storing, using or publishing their personal data. The parties to a contract are not permitted to disclose any information about the private life or personal affairs of each other that they became aware of in the course of entering into and performance of the contract.
The 2018 Law on Cyber Security covers any domestic or foreign enterprise that provides services on telecommunications networks, the internet or value-added services in Vietnam's cyberspace. The law governs the collection, exploitation, analysis, and processing of personal data, data about service users' relationships, and data generated by them in Vietnam. Under this law, any such data must be stored in Vietnam under the terms stipulated by the Government. Any such foreign enterprise must have a branch or representative office in Vietnam.