Salary employee (software developer) held personally liable for client's data loss or exposure (GDPR)
I'm working as a full-time software developer at a relatively small IT company (around 15 employees) which itself is part of a larger group of small to mid-sized companies. In preparation for the EU's new GDPR directive we (the employees) were given a series of papers to sign. A couple of them include certain statements which I find go too far in regards to employees' personal responsibility and liability in case of loss or exposure of confidential data.
The two documents in question are roughly translated as: Statement about safekeeping and handling of personal data and Statement about data secrecy. I'm going to highlight the parts which seem odd to me (for the sake of accuracy I've tried to translate everything as literally as possible, so please bear with me).
(...)
I agree to handle the documents and information which contain personal data with increased attention, and to also take all available measures at my disposal to prevent unauthorized access and reading of documents by unauthorized individuals.
If by any means personal data is lost or exposed by fault of mine (intentionally or by not paying attention*), I will be held responsible and I agree to compensate for caused damage.
I'm signing this statement at full moral, legal, yada yada yada responsibility.
* "not paying attention" is the literal translation of the word used. They could have opted for a word that means "negligence", which is a common legal term, but they didn't.
The second document is virtually identical; just replace the phrase "personal data" with "business (or trade) secret", which is earlier in the document defined as basically any company data I'm working with.
So my question is: are these types of "contracts" common in the software industry (sorry if "contract" is not the proper legal term)? Is this normal and I'm just being overly cautious? Perhaps the general sentiment of the statements is OK, but the wording is a bit clumsy? Are there any employee protection laws that prohibit this kind of employee liability (talking about the EU, Croatia specifically)?
My primary causes of concern are these two phrases in combination:
- "take all available measures at my disposal": simply sounds too broad and inclusive to me. I'm a junior/mid-level developer, developing for an ERP system, and have virtually single-handedly implemented modules which communicate sensitive data over the Internet. Given that I'm not a security expert (far from it), will I be held personally liable because I failed to implement some security protocol correctly? Surely I haven't "taken all available measures at my disposal". I could have read the documentation better, asked additional questions on SE, etc.
- "I will be held responsible and I agree to compensate for caused damage": this simply sounds ridiculous to me; reparations from lawsuits for these kinds of things can bankrupt whole companies, let alone my puny bank account...
software-industry contracts employees security gdpr
asked Apr 9 at 20:26 by jedan anagram (544)
@sf02 Well, that's kind of my problem: as a software developer, the degree to which "I control things at work" is quite high. For 95% of problems it's not about "being able to do it", it's about "knowing how to do it" or "how to do it correctly". If they said "take all available measures at my disposal, given my job description, duties, skill set, training, etc." then I wouldn't have a problem with it.
– jedan anagram
Apr 9 at 21:13
3
@Smitty No, it's not the end of the job. It's where you say "There is no way I'm signing this." and see what happens.
– gnasher729
Apr 9 at 21:31
@CaptainEmacs Yeah, that's what I was thinking they were going for, but no document of the bunch clarifies it further. Also, the group to which my company belongs already has a document (which is applicable to all members of the group), and it specifies rules, procedures, ramifications, etc. when dealing with a number of basic security issues (such as loss of a laptop with sensitive data).
– jedan anagram
Apr 9 at 21:49
Please mark this post with „Croatia”. IANAL, but signing this doesn't change much in terms of your legal responsibilities. They didn't specify any new limits for the damages, so the standard employment law limits still apply. It looks like CYA-type pen pushers want to make sure that they properly informed everyone about the new regulations.
– Mateusz Stefek
Apr 10 at 4:55
2 Answers
I'm not a lawyer, but I work as a software engineer and was part of our internal discussions when we prepared for GDPR.
I would not sign this document, and I believe your company has completely misunderstood the whole idea of GDPR.
The fundamental idea is to have a strategy for storing personal data, a process for who can access it and how (limiting the access as well as allowing it), a way of verifying that this strategy and these processes are being followed, and finally, allowing the person in question to access/delete their data.
It is not about finding a culprit when something went wrong. The culprit is always the company, and potential fines will be given to the company and not to individuals. The maximum fine IIRC is 5% of revenue, so that might be a bit too much for a single employee to pay up.
If a single employee accesses or loses personal data, it is still the company's fault, because there is no proper strategy and/or process for accessing the data.
If data goes missing and nobody knows who did it, it's still the company's fault, because there are no proper audit trails or logs in place to verify who did what. Same thing if data gets stolen or leaked.
If the strategy/process gets broken, it's more complex. It might be the company's fault if not everything was done correctly, or the individual may have broken the law.
The whole idea is to have control over where and how the data is stored, who can and cannot access it, and to have a system to oversee that these are being followed. GDPR is not a law that regulates personnel; it's a regulation for companies and, in turn, their responsibility to control their personnel.
These clauses seem like complete nonsense to me. They have nothing to do with GDPR and are an attempt to shift the responsibility from the company to the employees. I'm fairly certain that these could be disputed and overruled in court.
1
Thank you for your answer (I'll take a day or two to give other people a chance to post theirs, but I'll probably accept this one).
– jedan anagram
Apr 9 at 22:10
4
These terms could be disputed and overruled in court (probably, but no idea about Croatia), but by not signing you avoid the situation.
– gnasher729
Apr 9 at 22:16
5
@gnasher729 100% agree. You should not sign. Nothing good can come out of it.
– Sopuli
Apr 9 at 22:52
This is clearly something that you do NOT sign.
If you did something that was illegal, or grossly negligent, and caused damage to the company, then the company could of course take you to court. A court would then have to decide if what you did was bad enough to make you pay for it, which would require very unusual circumstances. So the company doesn't lose anything they are entitled to if you don't sign.
By signing this paper, you would put yourself into a potentially disastrous position. For example, if your CEO decided to do something illegal, it might be possible for you to sabotage this (which would likely get you fired). If you don't sabotage his stupid plans, he goes ahead and gets a million dollar fine, this contract looks to me like you would have to pay that fine. Signing this is a risk that you shouldn't take under any circumstances.
And this doesn't have anything to do with GDPR. You should NEVER sign that you can be held personally responsible for any damages you cause. Whether you have to pay for damages you cause is defined by law and can be decided in court if needed; demanding that you sign such a thing is unacceptable.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "423"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
jedan anagram is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f133630%2fsalary-employee-software-developer-held-personally-liable-for-clients-data-lo%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I'm not a lawyer, but I work as software engineer and was part of our internal discussions when we prepared for GDPR.
I would not sign this document, and I believe your company has completely misunderstood the whole idea of GDPR.
The fundamental idea is to have a strategy for storing personal data, process for who and how it can be accessed (also limiting the access as well as allowing it), a way of verifying this strategy and processes are being followed, and finally, allowing the person in question to access/delete their data.
It is not about finding a culprit when something went wrong. The culprit is always the company, and potential fines will be given to the company and not to individuals. The maximum fine IIRC is 5% of revenue, so that might be a bit too much for single employee to pay up.
If single employee accesses or loses personal data, it is still the company's fault, because there is no proper strategy and/or process for accessing the data.
If data goes missing and nobody knows who did it, it's still company's fault, because there are no proper audit trails or logs in place to verify who did what. Same thing if data gets stolen or leaked.
If the strategy/processed gets broken, it's more complex. It might be company's fault if not everything was done correctly, or the individual may have broken the law.
The whole idea is to have a control over where and how the data is stored, who can and cannot access it, and have a system to oversee that these are being followed. GDPR is not a law that regulates personnel, it's regulation for companies and, in turn, their responsibility to control their personnel.
These clauses seems like complete nonsense to me. They have nothing to do with GDPR and it's an attempt to shift the responsibility from the company to the employees. I'm fairly certain that these could be disputed and overruled in court.
1
Thank you for your answer (I'll take a day or two to give other people chance to post theirs, but I'll probably accept this one).
– jedan anagram
Apr 9 at 22:10
4
These terms could be disputed and overruled in court (probably, but no idea about Croatia), but by not signing you avoid the situation.
– gnasher729
Apr 9 at 22:16
5
@gnasher729 100% agree. You should not sign. Nothing good can come out of it.
– Sopuli
Apr 9 at 22:52
add a comment |
I'm not a lawyer, but I work as software engineer and was part of our internal discussions when we prepared for GDPR.
I would not sign this document, and I believe your company has completely misunderstood the whole idea of GDPR.
The fundamental idea is to have a strategy for storing personal data, process for who and how it can be accessed (also limiting the access as well as allowing it), a way of verifying this strategy and processes are being followed, and finally, allowing the person in question to access/delete their data.
It is not about finding a culprit when something went wrong. The culprit is always the company, and potential fines will be given to the company and not to individuals. The maximum fine IIRC is 5% of revenue, so that might be a bit too much for single employee to pay up.
If single employee accesses or loses personal data, it is still the company's fault, because there is no proper strategy and/or process for accessing the data.
If data goes missing and nobody knows who did it, it's still company's fault, because there are no proper audit trails or logs in place to verify who did what. Same thing if data gets stolen or leaked.
If the strategy/processed gets broken, it's more complex. It might be company's fault if not everything was done correctly, or the individual may have broken the law.
The whole idea is to have a control over where and how the data is stored, who can and cannot access it, and have a system to oversee that these are being followed. GDPR is not a law that regulates personnel, it's regulation for companies and, in turn, their responsibility to control their personnel.
These clauses seems like complete nonsense to me. They have nothing to do with GDPR and it's an attempt to shift the responsibility from the company to the employees. I'm fairly certain that these could be disputed and overruled in court.
1
Thank you for your answer (I'll take a day or two to give other people chance to post theirs, but I'll probably accept this one).
– jedan anagram
Apr 9 at 22:10
4
These terms could be disputed and overruled in court (probably, but no idea about Croatia), but by not signing you avoid the situation.
– gnasher729
Apr 9 at 22:16
5
@gnasher729 100% agree. You should not sign. Nothing good can come out of it.
– Sopuli
Apr 9 at 22:52
add a comment |
I'm not a lawyer, but I work as a software engineer and was part of our internal discussions when we prepared for GDPR.
I would not sign this document, and I believe your company has completely misunderstood the whole idea of GDPR.
The fundamental idea is to have a strategy for storing personal data, a process for who can access it and how (limiting access as well as allowing it), a way of verifying that this strategy and these processes are being followed, and finally, allowing the person in question to access/delete their data.
It is not about finding a culprit when something went wrong. The culprit is always the company, and potential fines will be given to the company and not to individuals. The maximum fine IIRC is 5% of revenue, so that might be a bit too much for a single employee to pay up.
If a single employee accesses or loses personal data, it is still the company's fault, because there is no proper strategy and/or process for accessing the data.
If data goes missing and nobody knows who did it, it's still the company's fault, because there are no proper audit trails or logs in place to verify who did what. Same thing if data gets stolen or leaked.
If the strategy/processes get broken, it's more complex. It might be the company's fault if not everything was done correctly, or the individual may have broken the law.
The whole idea is to have control over where and how the data is stored, who can and cannot access it, and to have a system to oversee that these rules are being followed. GDPR is not a law that regulates personnel; it's a regulation for companies and, in turn, their responsibility to control their personnel.
These clauses seem like complete nonsense to me. They have nothing to do with GDPR, and they are an attempt to shift the responsibility from the company to the employees. I'm fairly certain that these could be disputed and overruled in court.
answered Apr 9 at 21:23
Sopuli
1
Thank you for your answer (I'll take a day or two to give other people chance to post theirs, but I'll probably accept this one).
– jedan anagram
Apr 9 at 22:10
4
These terms could be disputed and overruled in court (probably, but no idea about Croatia), but by not signing you avoid the situation.
– gnasher729
Apr 9 at 22:16
5
@gnasher729 100% agree. You should not sign. Nothing good can come out of it.
– Sopuli
Apr 9 at 22:52
This is clearly something that you do NOT sign.
If you did something that was illegal, or grossly negligent, and caused damage to the company, then the company could of course take you to court. A court would then have to decide if what you did was bad enough to make you pay for it, which would require very unusual circumstances. So the company doesn't lose anything they are entitled to if you don't sign.
By signing this paper, you would put yourself into a potentially disastrous position. For example, if your CEO decided to do something illegal, it might be possible for you to sabotage this (which would likely get you fired). If you don't sabotage his stupid plans, he goes ahead, and gets a million dollar fine, this contract looks to me like you would have to pay that fine. Signing this is a risk that you shouldn't take under any circumstances.
And this doesn't have anything to do with GDPR. You should NEVER sign that you can be held personally responsible for any damages you cause. Whether you have to pay for damages you cause is defined by law and can be decided in court if needed; demanding that you sign such a thing is unacceptable.
edited Apr 9 at 21:45
answered Apr 9 at 21:29
gnasher729
jedan anagram is a new contributor. Be nice, and check out our Code of Conduct.
@sf02 Well, that's kind of my problem: as a software developer, the degree to which "I control things at work" is quite high. For 95% of problems it's not about "being able to do it", it's about "knowing how to do it" or "how to do it correctly". If they said "take all available measures at my disposal, given my job description, duties, skill set, training, etc." then I wouldn't have a problem with it.
– jedan anagram
Apr 9 at 21:13
3
@Smitty No, it's not the end of the job. It's where you say "There is no way I'm signing this. " and see what happens.
– gnasher729
Apr 9 at 21:31
@CaptainEmacs Yeah, that's what I was thinking they were going for, but no document of the bunch clarifies it further. Also, the group to which my company belongs already has a document (which is applicable to all members of the group), and it specifies rules, procedures, ramifications, etc. when dealing with a number of basic security issues (such as loss of a laptop with sensitive data).
– jedan anagram
Apr 9 at 21:49
Please mark this post with „Croatia”. IANAL, but signing this doesn't change much in terms of your legal responsibilities. They didn't specify any new limits for the damages, so the standard employment law limits still apply. It looks like CYA-type pen pushers want to make sure that they properly informed everyone about the new regulations.
– Mateusz Stefek
Apr 10 at 4:55