As an employer, your organization routinely has to process personal data about employees for purposes such as recruitment, paying salaries and taxes, and much more. The fact that this processing is necessary, however, doesn't mean that employers don’t have to comply with data protection law when conducting it.
The General Data Protection Regulation of the European Union, in fact, brings several obligations to organizations processing data in the context of employment relationships. Today, we will explain what some of these obligations are and the cases in which they need to be fulfilled. This article, as always, is part of our Privacy & Data Protection special series, so make sure to follow our LinkedIn page to receive all of our updates!
1. Determine why personal data is being processed
As we have explained before, personal data can only be processed if there is a legal basis to do so, and your organization must clearly define it. Under the GDPR, there are six possible legal bases that can be used to justify processing: consent, contract, legal obligation, vital interest, public task or legitimate interests. When it comes to employment relationships, though, only some of those bases will be considered valid:
Consent
Although obtaining consent from the employee might sound like a good way to provide the legal basis for the processing of personal data, it has considerable disadvantages.
European data protection law requires consent to be freely given, specific, informed and unambiguous. This means that if the employment contract, for example, has a provision stating that the employee agrees with the processing of his/her personal data, this is not considered a valid form of consent. As it is only one provision in a larger agreement, it is not specific enough.
Additionally, it is hard to talk about consent when there is an unequal balance of power in the employer-employee relationship. If the employee feels pressured and is afraid that he/she might lose his/her job, the consent is not freely given and, therefore, not valid. Only in exceptional cases, in which there will be no adverse effects for employees whether or not they agree to the processing, can the employer rely on consent for processing personal data of employees.
The laws of certain EU Member States, however, require that consent be obtained, so don’t forget to check the specific provisions of your local legislation.
Contract
The processing of personal data can be done when necessary to fulfill the employment contract between the employer and the employee. The processing of an employee's name and bank account details, for example, is necessary for paying salaries.
Legal obligation
Sometimes personal information about an employee needs to be processed in order for the employer to fulfill a legal obligation it is subject to under the law of each EU Member State. This is the case when employers need to provide information about salaries to local tax authorities.
Legitimate interests
Employers can use legitimate interests as a basis for processing in specific situations. Migrating employee data from one server to another is considered processing, but it can be justified because it is part of a change in the organization’s systems. Note, however, that this basis cannot be used for interests adverse to employees’ rights and freedoms, and cannot justify the processing of special category data.
2. Provide notice to employees
According to GDPR’s transparency principle, data subjects must be informed that their personal data is being processed, and this obligation is also applicable to employers. They must provide an appropriate notice to employees about the use of their data, including:
- Why their data is being processed and the legal basis for it
- What their rights as data subjects are
- Who to contact in case of questions or requests
- Who the recipients of their personal data are and whether it will be transferred (if so, to whom)
- For how long the employer will retain the data.
Such notice can be given in different ways, such as during the onboarding process, or through a staff handbook or code of conduct. The document must be available to employees on request, and they must be notified if it is modified.
3. Store personnel records in the correct way
Another principle brought by the GDPR that needs to be carefully considered by employers is storage limitation. According to it, personal data must not be kept for longer than necessary to achieve the purposes it was collected for and, when it is no longer needed, it must be deleted. The retention period for each type of personal data kept should be determined and communicated to data subjects.
Because of this, employers will need to analyze in depth the records kept about employees. The legitimate interest in keeping this information exists, in general, while the individual is working for the organization, but not after he/she leaves the job.
There are still, however, situations in which data will need to be kept after the end of the employment relationship - related, for instance, to obligations under labour, tax and social security legislation. In these cases the data must be transferred to a separate record system, with stricter requirements for access.
Coming up next, we will continue with Part II of this article about GDPR requirements in the workplace. Stay tuned!
We know that GDPR compliance is a long journey, but it doesn’t need to be a difficult one. Our XCure Privacy Management Tool was designed to help you easily map, document and maintain the requirements of the data protection regulation in your organization, and you can try it now for free!
Contact the XCure team if you want more information or a presentation about the Privacy Management Tool.