# WorkOnClock Legal and Privacy Requirements (MVP Baseline) This checklist is a practical baseline for screenshot + employee monitoring features before launch in target markets. It is not legal advice; counsel review is required before production rollout in each jurisdiction. ## 1) Data Protection Governance - Maintain a record of processing activities for time tracking, screenshot capture, and admin access. - Define lawful basis per market (for example: legitimate interest / contract / consent where required). - Complete a DPIA/PIA before enabling screenshots at scale. - Appoint ownership: product owner, privacy contact, and security lead. ## 2) Transparency and Notice - Provide clear employee-facing notice before tracking starts: - what is collected (activity events, screenshots, timestamps, device metadata), - why it is collected (time accounting, security, productivity operations), - who can access it (role-based admins), - retention periods and deletion policy, - employee rights and support contact. - Display in-product notice on first run and after major policy changes. - Keep auditable proof that notices were delivered. ## 3) Consent and Local Labor Requirements - Determine per-market whether explicit consent is required or discouraged as employment-law basis. - Validate works council / union consultation requirements where applicable. - Ensure contracts and handbooks include monitoring clauses where required. - Block rollout in markets where required labor approvals are not completed. ## 4) Data Minimization and Privacy Controls - Default screenshot interval to conservative setting (for example, every 10 minutes). - Capture only work session windows; pause during idle or manual break. - Support policy toggles: - screenshot enabled/disabled by team, - blur/mask sensitive regions (phase roadmap), - exclude specific apps/sites where legally required. - Avoid collecting keystrokes or full content metadata unless separately approved. ## 5) Security Controls - Encrypt data in transit (TLS) and at rest (database + object storage). - Use short-lived access tokens and role-based authorization for screenshot access. - Store screenshots in private buckets only; no public object links. - Log all sensitive actions (view/download/delete screenshot, policy changes). - Implement secure local buffering with retry + encrypted temporary storage. ## 6) Retention, Deletion, and Rights Handling - Define retention schedules by data type and market. - Implement automated lifecycle deletion for screenshots. - Provide workflows for DSAR/subject rights requests: - access/export, - correction (for metadata), - deletion where legally applicable. - Support legal hold exceptions and document them. ## 7) Cross-Border Transfers - Document where data is stored and processed. - Put transfer mechanisms in place when required (for example SCCs and equivalent safeguards). - Keep vendor/subprocessor list and contractual controls current. ## 8) Auditability and Incident Response - Maintain immutable audit logs for admin and policy actions. - Set alerts for unusual screenshot access or bulk export activity. - Prepare incident response runbook for privacy/security events. - Test restore and breach-notification procedures regularly. ## 9) MVP Launch Gate (Must Pass) - [ ] Privacy notice finalized and reviewed. - [ ] Market-by-market legal basis and labor constraints documented. - [ ] DPIA/PIA completed and approved. - [ ] RBAC, audit logs, and retention jobs validated. - [ ] DSR workflow tested. - [ ] Security controls verified (transport, storage, access). - [ ] Counsel sign-off captured for target launch markets.