Idealex – Technological Tools in the Workplace

technological-tools-edmundo-ramos-rafael-serrano-idealex

DETAILS

FECHA: 24-11-19

PROFESIONALES EN LA NOTICIA: 

-Edmundo Ramos
-Rafael Serrano

MEDIA: Idealex

Most companies provide their employees with technological tools (“ICTs”) such as corporate email, mobile phone, and computers in order for them to fulfill their tasks. It is common for the worker to use them for personal purposes, resulting in situations of unauthorized use of work ICTs, or the incorrect handling of information owned by the employer.

Since the employer is the owner of the ICTs, he may establish limits for the proper use of them. Article 46 of the Ecuadorian Labor Code does not establish any laws regarding the treatment of information and the consequent right of the employer to access and control it. Nevertheless, the employer must respect constitutional rights granted for the protection of data, correspondence and privacy. 

The right to inviolability and secrecy protects the communications made by the worker. For this reason, the employer will not be able to access email or information contained in the company’s computer or cell phone without the worker’s consent.

Communications can also be protected by the constitutional right to personal data protection: “The right to personal data protection, which includes access to and decision on information and data of this nature, as well as their corresponding protection. The collection, archiving, processing, distribution, or transferring of this data or information will require the authorization of the holder or the mandate of the law.”

Personal data is all the data or information that makes a person identifiable. In general, corporate emails refer to names, surnames, or positions of the person to whom the email is assigned, just as the cell phone number is linked to a specific person. The definition of personal data would include both the email and the cell phone number. Therefore, since this information can be considered as personal data, the authorization of the holder is required to access and review this information. 

Finally, the right to privacy also protects the use and access to ICTs. The American Convention on Human Rights recognizes this right, which provides the following: “No one can be subjected to arbitrary or abusive interference in his private life, his family, his home or his correspondence, nor of illegal attacks on his honor or reputation.”

The Inter-American Court of Human Rights has indicated, “… The scope of privacy is characterized by being exempted and immune from abusive or arbitrary invasions or attacks by third parties or the public authority.” The right to privacy would apply to personal communications made by the worker using work ICTs.

The rules that define the use and control of technological tools must be in writing in the different legal documents of each company, in order to have the necessary support to sanction their misuse:

Employment Contract: the employer must establish in the employment contract the delivery of technological tools and the use of them. The contract shall also recognize the rights of the employer to recover the ICTs and obtain a backup of the information contained therein.

Internal Work Regulations: It is essential to incorporate in this document, rules that regulate the use of technological tools. Employers may establish sanctions in their Internal Labor Regulations for their misuse or the inclusion of employee’s data and personal information. The internal regulation must establish the ownership of the information contained in these tools, as well as the periodicity for monitoring or supervision.

Internal Policy of the Company: these documents must explain the rights and obligations that the workers have regarding the ICTs. The policies shall establish the right of the employer to access and obtain copies of all the information within these technological tools. Workers must be notified and informed to the worker.  

Delivery / Receipt certificate: At the time the technological tools are delivered, the employer must establish the limitations and conditions under which the tools are delivered. It is important to detail the physical state and the data content of the tools so that, at the time of their return, the worker is responsible for any deterioration not attributable to their normal use.

Training: The employer shall conduct training for workers regarding the importance and limitations of the use of technological tools.

In conclusion, technological tools facilitate the execution of the functions performed by the workers, but their use must be regulated in detail so that both the employer and the worker know the limits and the sheer work-related purpose that must be given to them. The adequate protection of the company’s ICTs and information that they contain will be possible only if there is clarity in the rights and obligations regarding the use of such tools.

Edmundo Ramos’s Bio:

Edmundo Ramos is a partner at CorralRosales. He has more than twenty-five years of expertise representing local and international clients in labor and social security matters. Edmundo leads the CorralRosales Labor Department and participates actively in the area of ​​Dispute Resolution in the management of labor disputes.

Rafael Serrano’s Bio:

Rafael Serrano is an associate at CorralRosales. He has more than five years of expertise in the TMT industry. He leads the Data Protection Department with an emphasis on personal data protection, electronic commerce, and emerging technologies.

If you want to read this article in Spanish, click here

EKOS – Personal data protection: legitimate means for handling data

proteccion-datos-personales-ekos

DETAILS

DATE: 16-08-19

CORRALROSALES IN THE NEWS:: 

-Rafael Serrano
-Michael Wollman

MEDIO: Ekos Magazine

With the forthcoming issuance of the Personal Data Protection Law, companies must adapt their procedures to collect and carry out the appropriate handling of the personal data of their consumers or customers.

The correct handling of personal data is one of the main tools for companies to adequately market their products; not only to protect the personal information of their customers, but also to benefit their businesses.

The main purpose of the draft Law is to regulate the exercise of the right to protection of personal data, self-determination information, and circulation of this type of data (Article 1).

The legitimacy principle (Article 9) establishes the conditions or situations in which the collection and processing 1 of personal data by companies is legitimate and lawful:

  1. Consent of the personal data owner to the sharing of his information for a specific purpose.

The consent must be free, specific, unequivocal, prior and informed. A company may share someone’s personal data when he authorizes or gives consent knowing the purpose of the use of his information.

  1. Legal obligation for the sharing of personal data.

In this case, the law orders the company to share the personal data of an individual.

Example: The Labor Code requires employers to have certain personal information of their workers such as address, marital status, number of children, and some other relevant information. In this case the will of the data owner is irrelevant since it is the law that orders the sharing of this information.

  1. Contractual relationship.

A company can use the data of an individual with whom they have a contractual relationship. The limitation to this use is related to the data necessary for compliance with contractual obligations and may not exceed the limits established in the contract.

Example: In a contract of sale of goods, the company cannot use the data of the individuals to send commercial promotions, except if there is a clause in the contract that expressly authorizes the sending of such promotions.

1 The Personal Data Protection Law project defines the handling as any operation performed on personal data; this includes collection, conservation, modification, transfer, among other actions.

  1. 4. Vital interests of the owner.

The sharing of data of a person may be carried out if through this process the vital interests of the owner are protected, such as the protection of fundamental rights.

Example: A company can share the personal data of a person if it helps to save the life of the individual, such as in a medical emergency.

  1. Order of a judicial authority or resolution of competent authority.

If through a ruling or a decision of the competent authority the delivery or processing of personal data is ordered, the company will be bound to do so without facing negative consequences.

The legitimacy of the sharing and use of personal data is not given only by the consent of his owner. Companies must analyze in each particular situation which of the above mentioned scenarios the handling of personal data applies, thus complying with the principle of legitimacy.

If you want to read the news, press here