Legal Brain

The storage of personal data is an ongoing concern for those who manage information, as the circumstances requiring the processing of such data are never identical, not always predictable, and the terms for which processing is permitted are not always clear. Regulation 679/2016 on the protection of individuals with regard to the processing of personal data ("GDPR") establishes, among other principles, the principle of "data storage limitation" according to which personal data should be "kept for a period not exceeding the period necessary to fulfill the purposes for which they are processed."

What necessarily results from this principle of limiting data storage periods is nothing other than the right of data subjects to have their personal data erased as soon as they are no longer needed for processing for a specific purpose, without any action required on their part, without the need to address data controllers with a request to do so (a right we intend to discuss in a future article).

In other words, the removal of personal data from the records of the data controller will always occur upon expiration and in close correlation with the identified and established storage period for each category of data processing.

The answer to the question "how long should personal data or a document containing personal data be stored?" should always prompt the data controller to clearly and objectively identify  until when those data are needed.

A series of questions can help in this regard:

• What is the reason for processing this data?

• At what point has the objective I set been objectively and finally achieved?

• Beyond this point, are personal data still necessary for another purpose that requires a longer storage period, such as financial-accounting purposes, archival purposes in the public interest, historical research, or statistical purposes?

Thus, the GDPR considerations mention that "processing personal data for purposes other than those for which personal data were initially collected should be allowed only when processing is compatible with those respective purposes for which personal data were initially collected. In this case, a separate legal basis from that on which the collection of personal data was allowed is not necessary. Subsequent processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes should be considered as lawful processing operations. The legal basis provided in Union law or in national law for the processing of personal data may also constitute a legal basis for further processing. In any case, the application of the principles established by this Regulation and, in particular, informing the data subject about these other purposes and their rights, including the right to object, should be guaranteed."

Below, we propose a brief analysis of some situations involving the processing of personal data related to documents submitted by employees in support of certain requests made to employers and whose storage periods are not very clear to employers:

• Processing/storing copies of death certificates of a close relative or for the marriage of a child to grant paid leave for family events or to prove absence from work in unforeseen situations, caused by a family emergency due to illness or accident, which makes the immediate presence of the employee indispensable. Should these copies be included in the personnel files and archived for the period required by the legal provisions for them?

Considering:

• That the purpose of presenting these documents by the employee is to justify the existence of the event for which the employer grants leave, so that the employee is not considered absent to work;

• the non-impairment in any way of salary rights or contribution periods in the pension or health system;

• the legal provisions establishing the content of the employee's personnel file, namely: the documents necessary for hiring, the individual employment contract, the additional acts and other documents regarding the modification, suspension, and termination of individual employment contracts, study documents/qualification certificates, as well as any other documents certifying the legality and correctness of the completion in the register,

we consider that the inclusion of these documents in the personnel files and archiving them together is not justified.

Therefore, as soon as the information from these documents has been verified by the human resources staff of the employer and it is found that they coincide with the information provided by the employee in the request submitted to the employer regarding the granting of those days off, these documents, excluding the request itself, should be definitively deleted/destroyed from the internal records of the employer, there being, from our perspective, no other reason for the employer to proceed to keep these documents for longer periods.

However, the situation of processing personal data and documents collected by employers in the case of granting caregiver leave regulated by the Labor Code is different.

According to the provisions of the Labor Code, correlated with those of Order of the Ministry of Labor and Social Protection no. 2172/3829/2022 regarding the granting of caregiver leave (the Order), the requesting employee of this leave has the obligation to prove, both the existence of the kinship relationship with the person being cared for or cohabitation, and the existence of the serious medical problem that prompted the employee to request caregiver leave.

The documents through which these proofs are made are regulated by the Order and are, as the case may be: the identity card, the birth certificate, the marriage certificate, the document by which the person was taken into space, the certificate from the association of owners/tenants or the employee's own statement indicating that the person cared for by the employee lives in the same household with him/her for at least the period of caregiver leave, the hospital discharge ticket or, as the case may be, the medical certificate issued by the attending physician or the family doctor of the person with serious medical problems.

To establish the storage period of these documents, both the purpose for which this data was initially collected and a possible existence of a subsequent purpose that would require a longer processing of personal data, beyond the limit of the initial purpose for which they were collected, should be analyzed.

Thus, in the described situation, analyzing the legal provisions regulating these rights, we will identify both an initial purpose of processing, namely that of granting days off, but also a subsequent purpose to the first one, namely that of fulfilling the financial-accounting obligations. The latter results from the provisions of the Labor Code, which establish that employees who benefit from caregiver leave are insured, during this period, in the social health insurance system without paying contributions.

Therefore, as long as maintaining health insurance rights usually implies contributing to this system, mandatory when paying salary rights, any deviation from this provision must be proven. Therefore, in order to prove the non-payment of social security contributions of the employee for the period of caregiver leave, in the event of a possible inspection by the fiscal authorities, the processing of this personal data and implicitly of the documents containing it should be carried out for the period of prescription of the right to action in the fiscal field, namely 5 years from July 1 of the following year for which the fiscal obligation is due, a term also instituted by the provisions of Law no. 36/2023 amending the Accounting Law.

In the dynamic landscape of corporate governance, where transparency, accountability, and security are paramount, blockchain technology emerges as an outstanding solution. Revolutionizing traditional practices, blockchain offers a decentralized system that ensures immutable records, fostering trust and integrity in corporate operations.

As businesses face increasingly complex regulatory environments and heightened stakeholder expectations, harnessing the power of blockchain not only enhances governance mechanisms but also paves the way for a new era of corporate transparency and efficiency.

In this article, our objective is to provide a brief overview of the transformative capabilities of blockchain technology in corporate governance.

A reminder: what is blockchain technology?

Imagine blockchain like a big digital notebook where you can write down information, but once it's written, it can't be changed or erased. Each page of this notebook is connected to the next one, creating a chain of pages, hence the name "blockchain." This notebook is shared with lots of other people, and everyone has a copy. When someone adds new information to the notebook, everyone can see it, and because it's connected to the previous pages, they can be sure it's accurate and hasn't been tampered with. So, blockchain is like a super secure and transparent way of keeping track of information online.

How can blockchain technology be used in corporate governance?

Corporate governance succinctly encompasses the decision-making processes within corporations, including matters related to business administration, management, and future strategic planning. Blockchain technology is a promising option for listed companies characterized by a large number of shareholders. Nevertheless, its adoption can also bolster corporate governance for smaller, closely held companies featuring a more limited shareholder base.

What are the benefits of blockchain technology in corporate governance?

The main benefits of employing blockchain technology in enhancing share ownership transparency may be summarized as follows:[1]

• Cost Reduction in Voting Procedures: Blockchain simplifies shareholder identification, reducing costs and time in proxy voting. It ensures real-time distribution of voting entitlements, minimizing the risk of shareholders losing their voting rights.

• Accuracy of Ballots and Decision Legitimacy: Blockchain allows precise identification of voters, ensuring accurate voting processes and mitigating the risks of incorrect counting or overvoting. This boosts the legitimacy of corporate decisions.

• Increased Transparency in Corporate Governance: Blockchain enhances share ownership transparency by tracking ownership in real-time, reducing discrepancies between recorded and beneficial shareholders, and aiding in fraud detection and prevention.

• Streamlined Proxy Voting Architecture: Blockchain simplifies proxy voting, empowering shareholders to control their shares directly, making the process faster and more efficient, and enabling effective monitoring of proxy assignments and votes.

• Enhanced Shareholder Democracy: Blockchain reduces barriers to participation in company decision-making, leading to stronger shareholder control over boards of directors, improved corporate governance, reduced agency problems, and increased market liquidity and capital efficiency.
  

What are the legal implications of using blockchain technology in corporate governance?

The legal implications of using blockchain technology in corporate governance can vary depending on the jurisdiction but would be expected to cover at least:

• regulatory compliance such as the need to abide by corporate governance mandatory legal provisions, legislation concerning securities and legislation concerning personal data privacy and protection;

• digital identity namely the applicability of legal provisions concerning both identification of signatories, as well as the binding nature of signatures;

• liability and accountability or, in other words, responsibility for faults in using the technology.

In every scenario, considering the advantages offered by this technology, it is highly probable that blockchain will see increasingly widespread adoption in corporate governance. Exploring the legal ramifications of its utilization will likely necessitate a comprehensive series of articles merely to scratch the surface. Stay tuned for more.

[1] Based on the research included under this source: Panisi, Federico and Buckley, Ross P. and Arner, Douglas W., Blockchain and Public Companies: A Revolution in Share Ownership Transparency, Proxy-Voting and Corporate Governance? (May 1, 2019). 2 Stanford Journal of Blockchain Law & Policy 2019, University of Hong Kong Faculty of Law Research Paper No. 2019/039, UNSW Law Research Paper No. 19-100, Available at SSRN: https://ssrn.com/abstract=3389045 

ChatGPT 4 users have found that AI can generate images based on given instructions. The instructions can be very detailed or, on the contrary, general. The result of the AI's imagination are vivid colour images, very expressive and illustrative of the idea suggested by the human user.

The question is: can these images be used commercially?

The Terms of Use (Terms) of OpenAI (the developer of ChatGPT) for the European Economic Area (EEA), Switzerland, and UK (updated as at 15 February 2024) state as follows: “Your Content. You may provide input to the Services (“Input”), and receive output from the Services based on the Input (“Output”). Input and Output are collectively “Content”. You are responsible for Content, including ensuring that it does not violate any applicable law or these Terms. You represent and warrant that you have all rights, licences, and permissions needed to provide Input to our Services. Ownership of Content. As between you and OpenAI, and to the extent permitted by applicable law, you (a) retain your ownership rights in Input and (b) own the Output. We hereby assign to you all our right, title, and interest, if any, in and to Output.”

Our interpretation is that the concept of "Content" includes both the description of the image provided by the user and the image generated by ChatGPT based on the instructions received. Given OpenAI's clear and unequivocal agreement to assign all rights to the Content to the user, we believe that the images generated by ChatGPT according to the instructions should be allowed to be used for commercial purposes (even sold) without violating any legal or contractual provisions. Images created by ChatGPT do not need to be expressly attributed to AI, but if the user wishes to indicate authorship, then the OpenAI Terms contain recommended wording to be used for this purpose. Note that, according to the recently adopted EU AI Act (to be discussed in a future post), users of an AI system that generate or manipulate images, audio or video content that substantially resemble existing persons, objects, places or other entities or events and that would give a person the false impression that they are authentic or true (" deepfake"), must make it known that said content has been artificially generated or manipulated.

Note: Image created with DALL·E 3 The image above was created with ChatGPT 4 at our request to draw itself while working on images requested by users.