GDPR

[Law Clarke]

Hi,

I have received an employee's lap top back as part of their gardening leave, and discovered files on there that they have been running their own company and using my company's commercial information to supply to their clients (competitors in the same industry). This has lead to a dismissal for gross misconduct, as it was directly against a clause in the employment contract)

The employee had left the lap top connected to their one drive, and I was able to see files they updated - no password protection was on these files, they were available with a simple click. I had no access to their one drive, just the files they saved to the computer

Has the employee breached GDPR by leaving this information on a company laptop, or have I breached GDPR by accessing the files? (or are we both wrong?)

I can't make head nor tail of the info when I looked at the ICO website

Thanks,

 

[ctrlbrk]

Has the employee breached GDPR by leaving this information on a company laptop, or have I breached GDPR by accessing the files?

I'm not a solicitor, I'll give you my take on question #2.

I don't think you were in breach of GDPR. The laptop is company's property. The employee should not have used it for personal stuff, much less so for competing against you.

 

[FreddyG]

Has the employee breached GDPR by leaving this information on a company laptop,

If this is customers' private information, possibly.

or have I breached GDPR by accessing the files? (or are we both wrong?)

Probably not.

BUT

This employee must be fired for rank stupidity! If you are stealing company information and contact lists, it would be advisable to not leave traces of your misdemeanors all over a company computer!

 

[Newchodge]

GDPR applis only to personal information.

You have not breached it by looking at available files on your company laptop. Your employee may have breached it is there is personal information on it and should be reported to ICO.

 

[DontAsk]

GDPR applis only to personal information.

You have not breached it by looking at available files on your company laptop. Your employee may have breached it is there is personal information on it and should be reported to ICO.

How does the employee breach GDPR by storing their own personal information?

 

[Newchodge]

How does the employee breach GDPR by storing their own personal information?

Obviously, they don't.

 

[DontAsk]

Obviously, they don't.

You seemed to be saying they do:

"Your employee may have breached it is there is personal information on it"

I took "is" to be a type for "as"

 

[UKSBD]

You seemed to be saying they do:

"Your employee may have breached it is there is personal information on it"

I took "is" to be a type for "as"

I read it that the bad employee has left "his" client list (which contains personal information) on the laptop, and the OP now has access to it.

Is that a correct assumption? @Law Clarke

 

[Law Clarke]

I read it that the bad employee has left "his" client list (which contains personal information) on the laptop, and the OP now has access to it.

Is that a correct assumption? @Law Clarke

They had left the laptop logged in to their one drive - I could never access their one drive, but I could see all of the documents they had updated when I opened file explorer at the home page.

So I never logged in to their one drive, no passwords were used, but all the documents were available with a simple click

 

[Paul Kelly ICHYB]

They had left the laptop logged in to their one drive

So you broke their data privacy?

 

[NickGrogan]

So you broke their data privacy?

Assuming its a company laptop, what privacy are they due?

 

[DontAsk]

Assuming its a company laptop, what privacy are they due?

That may depend on what it says in their contract about use of the laptop.

 

[Law Clarke]

So you broke their data privacy?

This is why I'm asking the question - it was an unprotected file on a computer that had been returned to the company. It wasn't hacked, and neither was the drive it was on - I have no access to that drive, but the home screen indicated which files had been updated recently, ad I was able to click on them.

 

[martin_shl]

I also have no legal background, but as a company I don't believe you can be in breach of GDPR because an employee has stored others' personal information that is unconnected to your business on their company laptop.

 

[prophet01]

@Law Clarke
Given that, usually due to ignorance, most organisations inevitably breach the GDPR in some respect I wouldn't worry too much if there's been a minor breach in this circumstance, though without more information it's difficult to assess which Article/section may have been infringed.

I've had cause over the last few years to familiarise myself quite intimately with the GDPR and, given my legal interactions with several large organisations and their so called dedicated, supposedly competent Data Protection Officers, I'm shocked at their lack of understanding of not only the detail and interpretation of the regulations, but their clear ignorance of the fundamental principles underpinning the legislation e.g. transparency and lawfulness.

Indeed only two weeks ago my solicitor issued, to a sports national governing body, a 'letter before action' I'd drafted in respect of their failure and subsequent refusal to comply with a straightforward subject access request. Easy money as they don't have a leg to stand on.