Salary employee (software developer) held personally liable for client's data loss or exposure (GDPR) [on...
I'm working as a full-time software developer at a relatively small IT company (around 15 employees), which itself is part of a larger group of small to mid-sized companies. In preparation for the EU's new GDPR directive, we (the employees) were given a series of papers to sign. A couple of them include certain statements which I find go too far in regard to employees' personal responsibility and liability in case of loss or exposure of confidential data.
The two documents in question are roughly translated as: Statement about safekeeping and handling of personal data and Statement about data secrecy. I'm going to highlight the parts which seem odd to me (for the sake of accuracy I've tried to translate everything as literally as possible, so please bear with me).
(...)
I agree to handle the documents and information which contain personal
data with increased attention, and to also take all available
measures at my disposal to prevent unauthorized access and reading of
documents by unauthorized individuals.
If by any means personal data is lost or exposed by fault of mine (intentionally or by not paying attention*), I will be held responsible and I agree to compensate for caused damage.
I'm signing this statement at full moral, legal, yada yada yada responsibility.
* "not paying attention" is the literal translation of the word used. They could have opted for a word that means "negligence", which is a common legal term, but they didn't.
The second document is virtually identical, just replace the phrase "personal data" with "business (or trade) secret", which is defined earlier in the document as basically any company's data I'm working with.
So my question is: are these types of "contracts" common in the software industry (sorry if "contract" is not the proper legal term)? Is this normal and I'm just being overly cautious? Perhaps the general sentiment of the statements is OK, but the wording is a bit clumsy? Are there any employee protection laws that prohibit this kind of employee liability (talking about the EU, Croatia specifically)?
My primary causes of concern are these two phrases in combination:
- "take all available measures at my disposal": simply sounds too broad and inclusive to me. I'm a junior/mid-level developer, developing for an ERP system, and have virtually single-handedly implemented modules which communicate sensitive data over the Internet. Given that I'm not a security expert (far from it), will I be held personally liable because I failed to implement some security protocol correctly? Surely, I haven't "taken all available measures at my disposal". I could have read documentation better, asked additional questions on SE, etc...
- "I will be held responsible and I agree to compensate for caused damage": this simply sounds ridiculous to me; reparations from lawsuits for these kinds of things can bankrupt whole companies, let alone my puny bank account...
software-industry contracts employees security gdpr
asked 7 hours ago
jedan anagram
put on hold as off-topic by Dan Pichelman, sf02, gnat, Michael Grubey, mxyzplk 2 hours ago
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." – Dan Pichelman, sf02, gnat, Michael Grubey, mxyzplk
If this question can be reworded to fit the rules in the help center, please edit the question.
@sf02 Well, that's kinda my problem: as a software developer, the degree to which "I control things at work" is quite high. For 95% of problems it's not about "being able to do it", it's about "knowing how to do it", "or how to do it correctly". If they said "take all available measures at my disposal, given my job-description, duties, skill set, training, etc." then I wouldn't have a problem with it.
– jedan anagram
6 hours ago
@Smitty No, it's not the end of the job. It's where you say "There is no way I'm signing this." and see what happens.
– gnasher729
6 hours ago
@CaptainEmacs Yeah, that's what I was thinking they were going for, but no document of the bunch clarifies it further. Also, the group to which my company belongs already has a document (which is applicable to all members of the group), and it specifies rules, procedures, ramifications, etc. when dealing with a number of basic security issues (such as loss of a laptop with sensitive data).
– jedan anagram
6 hours ago
2 Answers
This is clearly something that you do NOT sign.
If you did something that was illegal, or grossly negligent, and caused damage to the company, then the company could of course take you to court. A court would then have to decide if what you did was bad enough to make you pay for it, which would require very unusual circumstances. So the company doesn't lose anything they are entitled to if you don't sign.
By signing this paper, you would put yourself into a potentially disastrous position. For example, if your CEO decided to do something illegal, it might be possible for you to sabotage this (which would likely get you fired). If you don't sabotage his stupid plans, he goes ahead, and gets a million-dollar fine, this contract looks to me like you would have to pay that fine. Signing this is a risk that you shouldn't do under any circumstances.
And this doesn't have anything to do with GDPR. You should NEVER sign that you can be held personally responsible for any damages you cause. Whether you have to pay for damages you cause is defined by law and can be decided in court if needed; demanding that you sign such a thing is unacceptable.
I'm not a lawyer, but I work as a software engineer and was part of our internal discussions when we prepared for GDPR.
I would not sign this document, and I believe your company has completely misunderstood the whole idea of GDPR.
The fundamental idea is to have a strategy for storing personal data, a process for who can access it and how (limiting the access as well as allowing it), a way of verifying that this strategy and these processes are being followed, and finally, allowing the person in question to access/delete their data.
It is not about finding a culprit when something went wrong. The culprit is always the company, and potential fines will be given to the company and not to individuals. The maximum fine IIRC is 5% of revenue, so that might be a bit too much for a single employee to pay up.
If a single employee accesses or loses personal data, it is still the company's fault, because there is no proper strategy and/or process for accessing the data.
If data goes missing and nobody knows who did it, it's still the company's fault, because there are no proper audit trails or logs in place to verify who did what. Same thing if data gets stolen or leaked.
If the strategy/process gets broken, it's more complex. It might be the company's fault if not everything was done correctly, or the individual may have broken the law.
The whole idea is to have control over where and how the data is stored, who can and cannot access it, and to have a system to oversee that these are being followed. GDPR is not a law that regulates personnel; it's a regulation for companies and, in turn, their responsibility to control their personnel.
These clauses seem like complete nonsense to me. They have nothing to do with GDPR, and it's an attempt to shift the responsibility from the company to the employees. I'm fairly certain that these could be disputed and overruled in court.
answered 6 hours ago
Sopuli
Thank you for your answer (I'll take a day or two to give other people a chance to post theirs, but I'll probably accept this one).
– jedan anagram
5 hours ago
1
These terms could be disputed and overruled in court (probably, but no idea about Croatia), but by not signing you avoid the situation.
– gnasher729
5 hours ago
@gnasher729 100% agree. You should not sign. Nothing good can come out of it.
– Sopuli
5 hours ago
This is clearly something that you do NOT sign.
If you did something that was illegal, or grossly negligent, and caused damage to the company, then the company could of course take you to court. A court would then have to decide if what you did was bad enough to make you pay for it, which would require very unusual circumstances. So the company doesn't lose anything they are entitled to if you don't sign.
By signing this paper, you would put yourself into a potentially disastrous position. For example, if your CEO decided to do something illegal, it might be possible for you to sabotage this (which would likely get you fired). If you don't sabotage his stupid plans, he goes ahead, and gets a million-dollar fine, this contract looks to me like you would have to pay that fine. Signing this is a risk that you shouldn't take under any circumstances.
And this doesn't have anything to do with GDPR. You should NEVER sign that you can be held personally responsible for any damages you cause. Whether you have to pay for damages you cause is defined by law and can be decided in court if needed; demanding that you sign such a thing is unacceptable.
edited 6 hours ago
answered 6 hours ago
gnasher729
@sf02 Well, that's kinda my problem: as a software developer the degree to which "I control things at work" is quite high. For 95% of problems it's not about "being able to do it", it's about "knowing how to do it", or "how to do it correctly". If they said "take all available measures at my disposal, given my job description, duties, skill set, training, etc." then I wouldn't have a problem with it.
– jedan anagram
6 hours ago
@Smitty No, it's not the end of the job. It's where you say "There is no way I'm signing this." and see what happens.
– gnasher729
6 hours ago
@CaptainEmacs Yeah, that's what I was thinking they were going for, but no document of the bunch clarifies it further. Also, the group to which my company belongs already has a document (which is applicable to all members of the group), and it specifies rules, procedures, ramifications, etc. when dealing with a number of basic security issues (such as loss of a laptop with sensitive data).
– jedan anagram
6 hours ago