14-12-2018

GDPR & Employee Personal Data

Author/s

  • Stefanos Tsimikalis, Attorney at Law
    Partner at TSIMIKALIS KALONAROU Law Firm

The General Data Protection Regulation (GDPR), the most significant legislative initiative in the area of personal data in Europe, came into force on May 25th 2018. The GDPR imposes significant new burdens on organisations and in particular on employers across Europe, including a substantial amount of additional reporting requirements under the threat of increased fines and penalties. The GDPR’s main goal is to increase the level of protection afforded to employees and in particular to safeguard their human dignity, legitimate interests and fundamental rights.

Why is the GDPR important for employers?

In the context of any employer-employee relationship, the processing of personal data is inevitable. Human Resources departments collect, store and process a large amount of employee personal data (such as names, birth-dates, bank accounts, Social Security Codes, CVs, referral letters etc.), both for internal purposes and in order to comply with the applicable employment/social security legislation. In many instances, HR departments also process special (sensitive) personal data (such as health data, data in relation to diversity in the workplace, etc.), which are subject to a higher degree of scrutiny.

Is the processing of employee personal data regulated uniformly within the EU?

Although the goal of the GDPR is to provide for a uniform approach to the processing of personal data within the EU, there are permitted derogations. This means that in relation to specific topics, the national legislator may deviate from the GDPR’s provisions.

In particular, the GDPR provides (Article 88 GDPR) that Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context. This derogation covers, in particular, the purposes of recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis.

It is expected that the Greek legislator will make use of this derogation by introducing special provisions in relation to the processing of personal data in the employment context by the expected national implementing law.

What are the main principles that an employer has to follow when processing employee personal data?

The processing of personal data in the context of the employment relationship should always be lawful, fair and conducted in a transparent manner. The GDPR requires that the employer provides employees with information about the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This information should be distinct from any other agreement(s) (e.g. the employment contract) between the parties.

What is the legal basis for processing employee personal data?

The processing of personal data for the performance of the employment contract or processing personal data in the stage preceding the hire, in order to take steps at the request of the candidate prior to entering into a contract (Article 6, par. 1 (b) of the GDPR) will usually be a valid and sufficient legal basis.

Moreover, employers may be able to demonstrate that the processing of employee personal data is necessary in order for them to comply with an obligation set by law (e.g. employment or social security legislation) (Article 6, par. 1 (c) of the GDPR).

Finally, under certain circumstances employers may be able to demonstrate that the processing is necessary for the purposes of the legitimate interests they are pursuing (e.g. operating a CCTV system for safety and security reasons) (Article 6, par. 1 (f) of the GDPR).

Is it possible to rely on consent for the processing of employee personal data?

It is common practice for employment contracts to include a general consent provision which usually stipulates that employees consent to the use and processing of their personal data in the context of the employment relationship (e.g. the sharing of information with partners for payroll, insurance and health-related purposes, etc.). However, considering the imbalance of power between employees and employers, it is unlikely that employee consent will be freely given, since employees will not have a genuine choice over how their data is used; such consent would therefore not be a valid basis for the processing of their personal data under the GDPR.

Although not entirely impossible, the situations in which employees will indeed have a genuine choice (and will also be able to withdraw consent) in relation to some of the data processed about them, will in all likelihood be extremely rare.

Another noteworthy point is that employees have the right to freely withdraw their consent at any time.

Is the processing of employee sensitive personal data permitted?

Employers should take special care, since the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, biometric data, health data or data concerning a natural person’s sex life or sexual orientation is prohibited.

The GDPR sets specific exceptions (ten in total) under which such processing is permissible (Article 9 par. 2 GDPR). In the context of the employment relationship such processing will be permitted where:

  • an employee has given explicit consent for one or more specified purposes,
  • the processing is necessary for the carrying out of obligations of the employer stemming from employment, social security and social protection law,
  • the processing is necessary to protect the vital interests of an employee where he/she is physically or legally incapable of giving consent (e.g. in the case of an accident in the workplace),
  • the processing relates to personal data which the employee has made public (e.g. a post on social media),
  • the processing is necessary in order for the employer to establish, exercise or defend legal claims (e.g. in the context of defending against an employee lawsuit).

For what purposes may employers process personal data?

When collecting personal data, employers (and/or their HR departments) are obliged to state the purpose for which these will be processed. As a result, any processing activity will be lawful only to the extent that it is compliant with the original purpose for which the data were collected. Should the purpose change later on, employers are obliged to seek a further legal basis, unless the new purpose is compatible with the original purpose.

What types of personal data are employers allowed to process?

The GDPR reinforces the data minimisation principle (Article 5, par. 1 (c) GDPR), according to which employers should process only personal data which are adequate, relevant and limited to what is necessary in relation to the purposes for which these are processed. Data minimisation covers the amount of personal data collected, the extent of the processing, the period of storage and their accessibility. In practical terms, employers need to make sure that the data they collect are, on the one hand, enough to achieve the specific purpose but, on the other, not more than what is actually needed.

For how long can employee personal data be retained?

In accordance with the storage limitation principle (Article 5, par. 1 (e) GDPR), personal data may not be stored longer than what is necessary for the purposes for which they are processed. In essence, this means that once the data are no longer required for the purpose for which they were collected, HR should make sure that the data are deleted, unless other valid grounds for their retention exist. This will be the case where, for instance, the applicable employment/social security legislation imposes upon the employer the obligation to maintain appropriate employee records.

A data retention policy is highly recommended as it helps demonstrate compliance.

How can transparency be achieved?

For employers, transparency is achieved by keeping employees or candidates informed about the processing of their personal data. This usually takes place through a so-called Privacy Notice in the workplace (also known as a Fair Processing Notice), which should be communicated to the data subject at the latest at the point when the personal data are collected, and again every time changes are made.

What information should be provided to the employees?

Aside from the identity and the contact details of the employer, the Privacy Notice should set out:

  • the contact details of the data protection officer (if one exists),
  • the personal data collected,
  • the type of processing that takes place,
  • the recipients or categories of recipients of the personal data,
  • the data retention periods,
  • any transfer of data to a non-EEA country,
  • information as to the employee rights in relation to their personal data and how employees can exercise these rights,
  • the existence of automated decision-making.

Who is responsible for providing the information?

The general principle is that the employer is always responsible for providing the aforementioned information to employees. However, it is important to remember that data is not always collected directly from individuals but may be derived from other sources. The GDPR lists the information which must be given to employees where data is obtained not directly from them, but from third-party sources (e.g. head-hunters). In such a case, aside from the aforementioned information, the employer must also mention from which source the personal data originated, and if applicable, whether it came from publicly accessible sources.

When should the information be provided to employees?

If the data is collected directly from employees, then the employer must satisfy the obligation to inform employees, at the time when personal data are obtained. If the data were obtained from another source, then the information should be given within a reasonable period after obtaining the personal data, but at the latest within one month. In case personal data are to be used for communication with the employee, then such information must be given at the latest at the time of the first communication.

How should employers respond to employee data access requests?

Under the GDPR an employer must respond to a data access request submitted by an employee without undue delay and in any event within one month of receipt of the request. This period can be extended by a further two months where requests are complex or numerous.

In responding to employees, employers must provide the following information:

  • The purpose of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipients
  • The data retention period or the criteria used to determine that period
  • The employees’ rights to correction, erasure, restriction or objection to the processing
  • The right to lodge a complaint with the competent supervisory authority
  • The source of the information, if not collected directly from the data subject
  • Information on any automated processes that involve the processing of personal data
  • Where data is transferred to a third country (out of the EEA), the appropriate safeguards that are in place.

What measures should employers take in order to protect personal data?

The GDPR imposes upon employers the obligation to implement appropriate technical or organisational measures in order to safeguard the security of personal data and protect them against unauthorised or unlawful processing and against accidental loss, destruction or damage. Such measures include pseudonymisation (i.e. the replacement of any personal data with a pseudonym so that the data subject can no longer be identified without additional information), encryption, the availability and resilience of processing systems and services, disaster recovery mechanisms and processes, etc.
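As an added illustration of the pseudonymisation measure described above (example code written for this page, not the author's or any particular HR system's), the following splits constructed sample HR records into a working copy that carries only a keyed pseudonym and a separately held re-identification table; the key and that table are the "additional information" without which the data subject cannot be identified. The record fields, the HMAC-based pseudonym and the helper names are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample HR records for the example (fictional people and values).
EMPLOYEE_RECORDS = [
    {"name": "Maria Papadopoulou", "ssn": "SSN-00001", "dept": "Finance", "sick_days": 4},
    {"name": "Nikos Georgiou", "ssn": "SSN-00002", "dept": "Finance", "sick_days": 1},
    {"name": "Eleni Ioannou", "ssn": "SSN-00003", "dept": "Sales", "sick_days": 7},
]

# Fields that identify a person directly; they must not reach the working copy.
DIRECT_IDENTIFIERS = ("name", "ssn")


def make_pseudonym(ssn: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): stable for the same employee
    and key, so records stay linkable, but not derivable without the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised copy, re-identification table).
    The copy holds the pseudonym plus non-identifying fields only; the table
    (pseudonym -> identifiers) is the additional information that must be kept
    separately from the copy, e.g. by HR under its own access control."""
    pseudonymised, lookup = [], {}
    for rec in records:
        pid = make_pseudonym(rec["ssn"], key)
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, lookup


def reidentify(pseudo_record, lookup):
    """Restore the identifiers of one record; only possible with the table."""
    rest = {k: v for k, v in pseudo_record.items() if k != "pid"}
    return {**lookup[pseudo_record["pid"]], **rest}


def leaks_identifiers(records) -> bool:
    """True if any direct identifier survived in the given record set."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store with the lookup table, never with the copy
    copy, table = pseudonymise(EMPLOYEE_RECORDS, key)
    print(copy)                     # pseudonyms plus dept/sick_days only
    print(reidentify(copy[0], table)["name"])
```

The pseudonymised copy is what an analytics or reporting team would receive; anyone holding the copy but neither the key nor the table cannot recover who each record is about.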

How can employers ensure that employees process personal data fairly in the context of the employment relationship?

Under the accountability principle, employers, like any other data controller, are obliged to comply with the rules laid out by the GDPR and must also be able to demonstrate their compliance at any given time. Since, in the course of their duties, employees process personal data that are handed to their employer in the context of the latter’s operational activities, they are also obliged to process such personal data lawfully, fairly and in a transparent manner, while adhering to all the applicable processing principles.

In this context, employers may elect to introduce a staff responsibility policy which will:

  • include the key guidelines to employees,
  • regulate how they manage employer personal data and
  • introduce organisational measures that each employee should take in order to assist the employer in remaining compliant (e.g. how telecommunication systems are to be used, what the appropriate reaction to a data breach is, etc.).

What is required of employers in order to comply with the GDPR?

Complying with the GDPR’s provisions is a complex task. In the context of the accountability principle, employers must:

  • Review their current data protection policies and existing employment contracts and employee policies.
  • Ensure that they are transparent with employees in connection to the processing of their personal data
  • Review any consents they are relying on in order to justify processing of HR data and indicate an alternative legal basis for the processing instead
  • Provide data protection training to all employees.

These are but a few basic steps. Ensuring compliance is an on-going and continuous process.


Copyright by NOMIKI BIBLIOTHIKI 2018. All rights reserved.