PONT Data&Privacy

Companies risk AVG fine when using PDF files

A large number of Dutch companies risk a fine for unknowingly violating the General Data Protection Regulation (GDPR, known in the Netherlands as the AVG). Many use PDF files to share special personal data of employees and job applicants. These are unsecured files, making them unsuitable for distributing sensitive and confidential information. Furthermore, companies risk reputational damage as a result.

VPN Guide June 22, 2023

News press release

That's what Menno Weij, privacy expert at BDO Tax & Legal (1), warns.

PDF files pose 'significant privacy risk'

At many companies, he says, it is natural to use PDF files to share results of employee and applicant assessments. Such documents are full of special personal data, such as health information. A PDF file is then not the best way to distribute such sensitive data.

"A pdf is not a secure file and can often be copied and distributed unchecked, infinitely, inside or outside the organization. This poses a significant privacy risk. It is an issue that is often overlooked but can have major consequences," Weij said.

AVG requires companies to take 'appropriate and specific' measures

Nowhere in the AVG does it say that it is prohibited to use a PDF to share the results of an assessment. However, European privacy law does require that "appropriate and specific measures" be taken to process and protect special personal data. The AVG leaves the interpretation of this to the data controller.

"With respect to assessment results, this means that it is very difficult, if not impossible, to guarantee that an individual's data will be removed if that individual requests it, simply because an organization cannot keep track of where all the data has gone," Weij said.  

Companies risk privacy fine and reputational damage

The privacy expert warns that using PDF files to share personal data can have serious consequences for companies. First, companies risk being fined by the Autoriteit Persoonsgegevens for not taking sufficient technical and organizational measures to protect this information.

Another risk companies face is significant reputational damage. "Imagine what it would mean for your company if your name appeared in the newspaper with the news that your job applicants' special personal data were on the street. The financial impact of that, not to mention possible mass claims, could be significant," Weij said.

'Think carefully about processing special personal data'

The privacy expert thinks there are better methods for sharing special personal data in a safe and responsible way. As an example, he cites HTML links. IT professionals can deactivate these URLs if an employee or job applicant withdraws their consent to the processing of their data, or if IT systems have been hacked.

"I would therefore advise organizations to check carefully how their assessment provider handles the data, how they share it and what they do when individuals want to withdraw their consent to store their (special) personal data," Weij concluded his talk.

  1. https://www.transport-online.nl/site/155644/veel-bedrijven-schenden-privacy-werknemers-en-sollicitanten-door-gebruik-pdf-bestanden/
