External Legal Monitoring Letter # 7
/ Topics:
In Legal Monitoring Letter # 7 you will find useful information on the following topics:
- California Employment Regulations Amendments
- Decree N 13/2023/ND-CP on Personal Data Protection of Vietnam
- New Data Protection Law of Switzerland
/ Amendments to California employment regulations 1
On 24 July 2023 the State of California Office of Administrative Law approved amendments to California’s Employment Regulations Regarding Criminal History, proposed by the Civil Rights Council.
The changes came into force on 1 October 2023 and should be carefully considered by employers and background screeners, as they concern the processing of the criminal history of job applicants.
Expanded definitions:
As a starting point, it should be noted that the amendments expand the definitions of “Employer” and “Applicant”.
The definition of “Applicant” includes not only new applicants, but also existing employees who have applied for or indicated a desire to be considered for a different position with their current employer, as well as existing employees subjected to criminal history review because of a change in ownership, management, policy, or practice.
“Employer” now includes:
- A labor contractor and a client employer;
- Any direct or joint employer;
- Any entity that evaluates the applicant’s conviction history on behalf of the employer, or acts as an agent of an employer, directly or indirectly;
- Any staffing agency; and any entity that selects, obtains, or is provided workers from a pool or available list.
It should be considered whether background screeners could fall within the scope of the definition if they evaluate an applicant’s conviction history on behalf of the employer.
Process of consideration of applicant’s criminal history (key existing and new provisions):
1. No consideration of applicant’s criminal history until after a conditional employment offer is made
Employers are prohibited from inquiring into, considering, distributing, or disseminating information related to the criminal history of an applicant until after the employer has made a conditional offer of employment to the applicant. This prohibition also covers inquiring into criminal history through a background check or internet search.
However, there are several cases in which the prohibition does not apply (e.g., if the position is one for which the employer or an employer’s agent is required by any state, federal or local law to conduct criminal background checks for employment purposes or to restrict employment based on criminal history).
Notably, employers shall not inquire into or consider, at any stage of their decision, information regarding the following types of criminal checks:
- An arrest that did not result in conviction;
- A referral to or participation in a pretrial or post-trial diversion program (with some exceptions);
- A conviction that has been judicially dismissed or ordered sealed, expunged or statutorily eradicated pursuant to law;
- An arrest, detention, processing, diversion, supervision, adjudication, or court disposition that occurred while a person was subject to the process and jurisdiction of juvenile court of law; or
- Non-felony convictions for possession of marijuana that are two or more years old.
2. Initial individualized assessment
If an employer intends to deny an applicant, after a conditional offer was made to him/her, based on the conviction history, the employer must first conduct an individualized assessment of whether the conviction history of the applicant has a direct and adverse relationship with the specific duties of the job that justifies denying the applicant the position.
The individualized assessment shall include the following factors:
- The nature or gravity of the offence or conduct, including, but not limited to:
– The specific personal conduct of the applicant that resulted in the conviction;
– Whether the harm was to property or people;
– The degree and permanence of the harm;
– The context in which the offense occurred;
– Whether a disability (including past drug addiction or mental impairment) contributed to the offense or conduct and, if so, the likelihood of harm arising from similar conduct;
– Whether trauma, domestic or dating violence, sexual assault, stalking, human trafficking, duress, or other similar factors contributed to the offense or conduct; and/or
– The age of the applicant when the conduct occurred.
- The time that has passed since the offense or conduct and/or completion of the sentence;
- The nature of the job.
3. Written notification and right to respond
After the individualized assessment, if the employer decides that the applicant’s conviction history disqualifies the applicant from the conditional job offer, the employer shall notify the applicant of this decision in writing and give the applicant the right to respond and provide evidence challenging the accuracy of the conviction history report used by the employer and/or evidence of rehabilitation or mitigating circumstances.
4. Reassessment
Before making a final decision whether or not to rescind the conditional offer, the employer should consider any information submitted by the applicant.
5. Decision
If the employer decides to deny an applicant based on his/her conviction history, the employer should notify the applicant in writing.
Next steps:
Employers and background screeners should carefully assess their practices of processing the criminal history of job applicants and adapt their procedures accordingly, taking into consideration what types of data shall/shall not be inquired into and processed.
A useful guide in that assessment is the timeline provided on the website of the California Civil Rights Department 2.
Samples of the documents that shall be issued by an employer in each of the stages discussed above can also be found there:
- Conditional Job Offer Letter;
- Individual Assessment Form;
- Preliminary notice to Revoke Job Offer;
- Individual Reassessment Form;
- Final Notice to Revoke Job Offer.
/ Decree N 13/2023/ND-CP on Personal Data Protection of Vietnam
Decree N 13/2023/ND-CP on Personal Data Protection (the “Decree”) of Vietnam came into effect on 1 July 2023. It is the first comprehensive data protection legislation and significantly changes the data protection landscape in Vietnam.
The Decree is applicable not only to Vietnamese organizations and individuals (including those operating overseas), but also to foreign organizations and individuals in Vietnam and foreign organizations and individuals directly participating in or related to personal data processing activities in Vietnam. In this regard, background screeners shall carefully consider whether they fall under its scope and, if so, ensure their compliance with the new legislation.
To help them navigate the Decree, some of its key definitions, principles, and rights are noted below:
- Personal data – the Decree defines personal data as any information in the form of symbols, letters, numbers, images, sounds, or similar forms in an electronic environment that is associated with a particular natural person or helps to identify a particular natural person.
- Categories of personal data – there are two categories of personal data: “basic personal data” and “sensitive personal data”. It should be noted that sensitive personal data includes, amongst others:
– Political or religious view;
– Racial or ethnic origin;
– Data on crimes and criminal acts collected and stored by law enforcement agencies;
– Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other licensed organizations, including: customer identification information according to the provisions of law, account information, deposit information, deposit assets information, transaction information, information about organizations and individuals that are guarantors at credit institutions, organizations providing payment intermediary services.
The screeners should assess if their services require collection and processing of sensitive personal data and if so, apply the measures that the Decree mentions for this category of data. For example, one of these measures is the designation of a personal data protection department or personnel in charge of protecting personal data.
- Roles – the Decree defines the roles of a “data controller”, who decides the purposes and means of processing, and a “data processor”, who processes data on behalf of the data controller through a contract/agreement with the data controller. Notably, there is another role – a “data controller and processor”, who simultaneously decides the purposes and means of processing and directly processes personal data.
- Principles – the organizations processing personal data shall apply the principles of lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality, storage limitation, accountability.
- Consent is the primary legal basis for processing. However, it should be noted that the Decree defines several cases in which the consent of the data subjects is not required, among which are two cases which would be of interest to the screeners:
– Disclosure of personal data in accordance with the law;
– Performance of the data subject’s contractual obligations with relevant agencies, organizations, or individuals according to the provisions of the law.
- Notification – The data subjects shall be informed of the purpose of processing, type of personal data, organization/individual allowed to process the personal data, data subject’s rights and obligations. In case of processing of sensitive personal data, the data subject shall be informed that the personal data to be processed is sensitive.
- Data subject’s rights – the data subjects are provided with several rights: right to know, right to consent, right to withdraw consent, right of access, right to restrict data processing, right to object to processing, right to delete data, right to be provided with their data, right to complain, denounce and initiate lawsuit, right to claim compensation for damage, right to self-defense.
Having discussed the Decree’s main definitions and principles, we now turn to several obligations which may impact the screeners:
- Data Processing Impact Assessment – the data controller, data controller and processor and data processor shall prepare and maintain a Personal Data Processing Impact Assessment Record containing information listed in the Decree. It should be notified to the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security within sixty days from the date of the processing of personal data.
- Transfer Impact Assessment Dossier – As per the Decree, cross-border transfer of personal data means the act of transferring personal data of Vietnamese citizens to a location outside the territory of Vietnam using cyberspace, equipment, electronic means, or other forms, or using a place outside the territory of Vietnam to process personal data of Vietnamese citizens, including:
– Organizations/individuals transferring personal data of Vietnamese citizens to organizations/businesses/department abroad for processing in accordance with the purpose agreed by the data subject;
– Processing personal data of Vietnamese citizens by automated systems located outside Vietnam by data controller, data controller or processor.
It should be noted that any transferor of personal data (data controller, data controller and processor, data processor or third party) should prepare and maintain a Dossier assessing the impact of transferring personal data outside Vietnam. The Dossier should be notified to the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security within sixty days from the date of the processing of personal data.
- Data Breach Notification – In case a data breach is detected the data controller, the data controller and processor shall notify the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security no later than 72 hours from the occurrence of the violation in a prescribed notification form.
Next steps:
The new Decree provides a comprehensive legal framework for the protection of personal data, and organizations shall carefully assess whether they fall under its scope and implement appropriate practices and processes to ensure compliance with the new legislation.
/ New Swiss Data Protection Law
On 1 September 2023, the revised Swiss Federal Act on Data Protection (the “Act”) entered into force, and there is no transition period. The revision takes into consideration technological development and aligns the legislation with the General Data Protection Regulation (“GDPR”), so that Switzerland can continue to be considered a third country providing an adequate level of personal data protection.
Below are noted key aspects of the new Act:
- Scope – In contrast to the Data Protection Act of 1992, the Act applies only to personal data of individuals and does not cover the data of legal entities.
- Sensitive data – The Act expands the definition for “sensitive data” and now it also includes genetic and biometric data.
- New Principles – Like the GDPR, the Act introduces the principles of “data protection by design” and “data protection by default”.
- Data subject’s rights – The Act strengthens the data subject’s rights by enhancing the right to information. In case of a request for information, the data subject has the right to be provided by the data controller with certain minimum information, which is listed in the Act. The data subject can also receive his/her personal data in a commonly used electronic format using his/her right to data portability.
- Records of processing activities – The Act requires data controllers and data processors to maintain records of processing activities. However, there is an exception for legal entities with fewer than 250 employees whose data processing does not expose the data subjects to a high risk.
- Data Protection Impact Assessment – must be performed by the data controllers in case the data processing is likely to result in a high risk to the data subjects.
- Data Security Breach Notification – When a data security breach is likely to result in a high risk to the data subject, the data controller must notify it to the Federal Data Protection and Information Commissioner (“Commissioner”) as soon as possible (the Act does not provide a specific deadline). The data security breach must also be notified to the data subject when this is necessary for his/her protection or if requested by the Commissioner.
- Representative – In contrast to the GDPR, the Act does not have the requirement for appointment of a Data Protection Officer under some circumstances. However, as per the Act, controllers domiciled outside Switzerland offering goods and services in Switzerland or monitoring the behavior of data subjects in Switzerland must appoint a representative in Switzerland if they process data regularly and on a large scale and the data subjects are exposed to a high risk.
- Fines – The amount of the fines has been increased and now could reach CHF 250,000.
Conclusion:
Although there are a lot of similarities with the GDPR, the new Act has its own specifics and background screeners should carefully assess their data processing activities and adapt them as per the new requirements of the Act.
As mentioned above biometric and genetic data are now considered sensitive data and if such are collected as part of a certain service, the screeners should carefully assess the legal basis under which those types of data could be processed. Special attention should be paid to the requirements for appointment of a representative in Switzerland and maintenance of records of processing activities.
In a highly regulated environment, we believe, at iCOVER, that promoting transparency by sharing activity standards between business partners is essential to ensure best practices, better quality services and, ultimately, the protection of individual rights. The content of this note has been prepared by iCOVER’s legal & compliance department for informational purposes only and does not constitute legal advice. This note is non-contractual, and the information provided herein is subject to change at any time without prior notice. All information in this note is provided in good faith, however, we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability, or completeness of any information in this note. The iCOVER Group shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from your use of this note.
We hope that you will find the below informative and useful, and we remain available for any questions you may have.
Legal & Compliance team – October 2023