Since the European General Data Protection Regulation came into force in 2018, at the very latest, everyone has been talking about the issue of data protection. One of the responsibilities of lawyer Andrea Schröder at Mercedes-Benz is the protection of employee data. A conversation about legal principles, the necessity of deletion and the power of supposedly small data records.
Ms Schröder, you work with Group Data Protection. Does your profession influence the way you use the internet privately?
Yes, actually it does. I don't always read all the cookie and privacy notices in detail either, but I pay a little more attention to the selection of providers, for example. Where possible, I mainly use European providers, who process the data in accordance with legal requirements that I know. In addition, my browser is set up so that cookies are deleted in a timely manner. But I also notice the influence of my work when I'm talking with friends about the issue of data protection. I can get quite emotional at times - especially when others dismiss the importance of data processing operations with comments like: "Who's going to be interested in my data, anyway? I don't have anything to hide."
When handing over personal data, it's worth taking a closer look at the details. Quite often, an important fact is suppressed: in many cases, certainly, it is not just about the one data record. However, a tremendous amount of data is processed these days, for example when people use search engines, which can then be used to create profiles and patterns, the use of which can absolutely throw up critical questions. If, for example, my search only produces the sort of results that are likely to interest me, or that support an image that has been defined by an algorithm, this can certainly influence the shaping of opinions. This is an important issue for us as a society.
Is "data protection" really about protecting data? Or whom or what are you actually protecting?
Although the term itself might suggest otherwise, data protection is not about the "protection of data" but about the protection of the personal rights and privacy of the people whose data is being processed.
The law stipulates that, as employers, we are only allowed to process such data as is necessary for the employment relationship. It is our responsibility, here in Group Data Protection, to ensure that this processing of data is managed properly. The employees have, as it were, several roles for us as data privacy specialists: with respect to the work that people do, the employer must process data – if only so that they get paid. In this context we need to make sure that the necessary data are correctly and properly processed.
Many of our employees, however, also process data relating to their colleagues, as well as to our customers and business partners. It is therefore important that our employees are well trained and know the principles of correct data processing. And of course, to a very considerable extent, we are all also private individuals. Information in this respect is fundamentally taboo for the company. It is also our responsibility to protect this privacy.
What data about an employee are accumulated over the course of their working life?
Quite a lot! From the moment someone applies to us for a job, we as a company receive data. From this point on, employee data protection also applies. Once an applicant is appointed, their working hours are captured, performance and qualifications are documented, feedback is saved and attendance data are captured. Many colleagues post a profile image on the Social Intranet or make provision for their retirement – with all these processes, and even once people have left the company, we continue to hold the aforementioned employee data. We are here to ensure that our colleagues have no need to worry about how any of these data are processed. Because we handle their data responsibly.
What form does this data protection take, in practical terms, with almost 300,000 employees worldwide?
The examination of any data processing operation is undertaken systematically, ensuring that we can examine and evaluate all aspects as far as possible. We always check, for example, that there is a legal basis for the data processing activity. When it comes to relaying data to the tax office, for example, it is quite clear, since there is a legal requirement. Whenever there is a margin of discretion, we weigh up together with the specialist unit: What data is required and to what extent? For what purposes may they be used and for how long will the data be kept? And last but not least: Who needs access to the data?
Of course, we are also involved when new applications are introduced internally. Here it is crucial for us that they are configured in a data protection-friendly manner and that employees can understand, if they are interested, which data is used, for what purpose and by whom. Information about the topic itself is also an important factor for us. An extensive range of materials is available to employees on the intranet and relevant training courses are offered.
The General Data Protection Regulation (GDPR) came into force in May 2018. Has your day-to-day work changed as a result?
The GDPR addressed many aspects that were already familiar to us from the German and European data protection requirements. The biggest difference: As a company, we now have significantly increased obligations in terms of documentation and are subject to significantly higher financial penalties in the event of any misdemeanor. Overall, awareness of data protection has increased throughout the company – and across society generally, I think. We also notice this in the amount of advice. Together with other experts, we support the specialist units to meet the increased requirements, for example when it comes to accurately describing, documenting and finding appropriate solutions that are easy to implement for the specialist units.
Let's talk about specific data protection issues: A perennial topic is the deletion of personal data. Why is it so important?
The legislator says: If data is no longer required, it must be deleted. This goes hand in hand with the principle that the employer should not process data that it does not need. This means: When we as a company no longer need the data of employees, they are deleted. Of course, there are sometimes very long retention periods, for example because early career data can still be relevant to the occupational pension. In principle, however, the following applies: The more intensively the data processing interferes with personal rights, the shorter the deletion periods.
One example is professional misconduct that dates back a long time. Years later, this shouldn't still appear in someone's personnel file, when they might be on the way to becoming a manager. Here, too, the employer must delete such entries after a certain period of time.
Data responsibility is one of the fields of action of our sustainable business strategy – what is the connection, for you personally, between data protection, data responsibility and sustainability?
Data protection is an important element of dealing responsibly with data. As already described, the focus here is on the protection of our customers and employees.
A second element is the issue of Data Compliance. The focus here is on the protection of the company. The aim here is to ward off any risks that the company might incur through the processing of data. If we process data properly, we protect those affected - employees as well as customers and suppliers - and thus the company, for example from fines. For me, both facets are part of a sustainable handling of data and together form the core of our field of action “data responsibility”.
In all this, the processing of data can, as I see it, only work on the basis of trust. From the perspective of employee data protection, we must be transparent, show the value added by our data processing activities and promote understanding. And act with integrity - that means for me more than "just" complying with laws. This is very important in order to be sustainable.
How will your work change in the future?
Data protection will certainly become even more important as digitalization progresses. Increasingly large amounts of data can be processed more and more quickly. Along with the growing opportunities offered by digitalization though, comes a growing obligation to use the data that arise responsibly. In other words, to make the processing of the data transparent and safe. We are already working closely with the various specialist units such as Information Security, Cyber Security, the Human Resources departments, vehicle development and, of course, with our colleagues in Compliance. All these developments will make our field of work even more diverse in the future.
For many, data protection is more of an annoying necessity. In your case one gets the sense that precisely the opposite applies – what do you find so fascinating about it?
It's not just me: my colleagues, too, do this job out of conviction. To say it's just a job is not enough for us. You have to be committed to the task. The purpose of data protection is to protect the rights of individuals. And that is anything but annoying or boring! It is a super exciting, extremely topical and tremendously important subject. That's why it's worth the effort. And it's fun!
Data protection concerns everyone, because…
"…every individual is affected many times a day by the way their data are processed."
For me personally, sustainability means…
"…not just looking for short-term success, but using trust and a certain long-term vision to develop solutions that take the different perspectives into account and will still be valid tomorrow."
I've done a good job if…
"…data protection requirements are implemented because I was able to convince the company that it is the right thing to do in the interests of the employees – and not out of fear of sanctions."