Employee Data Processing: What is Right and Wrong Under the GDPR

By Petar Todorovski, Data Privacy Specialist. 12 January 2022

Fact-checked by Miklos Zoltan

Employers process employees’ personal data; there is no way around it. But the GDPR and other data protection laws constrain how an employer may process that data.

The GDPR is quite straightforward about processing that is not necessary for the relationship with the person, such as marketing. There, the usual route is to obtain the person’s consent before processing their data.

When processing is necessary to serve the person, for instance to perform a contract with them, the rules are different: the business can rely on another legal basis, such as performance of a contract or a legal obligation, and does not need consent.

Processing employees’ personal data sits somewhere in between. The employer may process it to perform the employment contract and to meet legal requirements, but that comes with many constraints.


How Does the GDPR Regulate the Processing of Employees’ Personal Data?

The GDPR is less specific about processing employees’ data than it is in other areas. Article 88 only sets out the framework within which each EU member state can regulate these issues. As a reminder, the GDPR is a regulation that applies directly in every member state, so this is one of the few places where national law is expressly allowed to add more specific rules.

In essence, Article 88 says that:

  • Each member state may provide more specific rules for the processing of employees’ personal data in the employment context, including special categories of data (see Article 9(2)(b))
  • They may do so through national laws or collective agreements
  • Those rules must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights
  • Particular regard must be given to transparency of processing, transfers of personal data within a group of undertakings, and monitoring systems at the workplace.

What Does This Mean?

This means that the employer can process employees’ data for the purposes that Article 88 names:

  • Recruitment
  • Performance of the employment contract
  • Equality and diversity in the workplace
  • Management, planning and organization of work
  • Health and safety at work
  • Protection of the employer’s or customers’ property
  • Exercise and enjoyment of rights and benefits related to employment
  • Termination of the employment relationship, and
  • Any other obligation the employer has under applicable laws and collective agreements.

Naming the purpose is not enough on its own: each processing activity still needs a legal basis under Article 6, which for HR data is usually performance of the contract, a legal obligation or the employer’s legitimate interests.

Processing special categories of data, such as health data, racial or ethnic origin, sexual orientation and trade union membership, is also possible, but only where employment, social security or social protection law, or a collective agreement, authorizes it and provides appropriate safeguards (Article 9(2)(b)).

What the Employer Has to Do

Aside from abiding by labor laws, the employer has to abide by the GDPR as well. In terms of HR, that would mean doing the following:

Process data for proper purposes. The employee provided their data for employment purposes. That entitles the employer to process it for employment purposes only (the purpose limitation principle, Article 5(1)(b)).

Obtain consent from the employee for processing beyond employment purposes. If the employer wants to process the employee’s data for other purposes, they need the employee’s freely given, specific and informed consent for each such purpose, and explicit consent where special categories of data are involved. The employer must make sure the employee is properly informed, and must make withdrawing consent as easy as giving it (Article 7(3)). A caveat: because of the imbalance of power between employer and employee, supervisory authorities rarely accept consent as freely given where refusing would disadvantage the employee, so consent should be relied on only where the employee genuinely has a free choice.

Ensure that data transfers are lawful. Transfers within the EU/EEA and to countries with an adequacy decision (Article 45) need no additional safeguards. Transfers to other third countries do: typically Standard Contractual Clauses or binding corporate rules under Article 46, backed by an assessment of the destination country’s law. Transfers to the United States are particularly tricky, because the Schrems II judgment of July 2020 invalidated the Privacy Shield framework on which many employers relied.


Implement security measures. The municipality of Bergen, Norway, was fined NOK 1.6 million (about EUR 170,000) by the Norwegian supervisory authority for not implementing adequate security measures to protect the personal data of pupils and school staff.


What did they do? Files containing usernames and passwords for the school computer system were insufficiently protected, so unauthorized persons could log in and access other users’ personal data.

A weak login may seem like a small issue in day-to-day operations, but every inadequate security measure is a gap against the Article 32 duty to implement measures appropriate to the risk, and therefore a risk to the employer’s budget as well as its brand.

Maybe appoint a Data Protection Officer (DPO). Some organizations must appoint a DPO. Article 37 requires a DPO for:

  • Public authorities and bodies (except courts acting in their judicial capacity)
  • Organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and
  • Organizations whose core activities involve large-scale processing of special categories of data or of data relating to criminal convictions and offences.

Not all companies belong to these categories, therefore not all have to appoint a DPO. For all the rest, appointing a person dedicated to data protection in the company is a good practice.

What the Employee Can Do

The employee can exercise their data subject rights. Every person to whom the GDPR applies has a set of data privacy rights they can exercise to prevent harm and protect their privacy.

Right of access. The employee can always request access to the personal data the employer processes (Article 15). At the same time, the employee can ask about the purposes of processing and learn whether the data is being used only for employment purposes.

In addition, the employee can ask who the recipients of the data are, including the third-party tools and service providers the employer uses, how long the data will be kept, and whether it is transferred abroad. That helps them judge whether the processing is lawful.

Right to object. If the employee concludes that some of the data is being processed for the wrong reasons, he or she can object to that processing (Article 21). The employer must then stop processing for those purposes unless it can demonstrate compelling legitimate grounds that override the employee’s interests.

However, the right to object covers processing based on legitimate interests or a public task. Where the data is processed solely to perform the employment contract or to meet a legal obligation, there is no room for objection.

Right to rectification. The employee has the right to have inaccurate data corrected and incomplete data completed (Article 16). The employer must make the requested corrections without undue delay.

Right to be forgotten. The employee has the right to erasure, but only under certain circumstances (Article 17). He or she can request that their personal data be erased from the employer’s records when both of the following conditions are met:

  • The employee no longer works for the employer, and
  • The employer no longer needs the personal data, for example because statutory retention periods for payroll or tax records have expired.

Where the employer still needs the data to meet a legal obligation or to establish, exercise or defend legal claims, it can refuse to erase it.

Get compensated for damage caused by an infringement. Companies sometimes suffer data breaches, and breaches can harm employees. Where an employee suffers material or non-material damage because of an infringement of the GDPR, including a breach caused by inadequate security, he or she has the right to compensation from the controller or processor (Article 82).

What Happens When Employer and the Employee Are In Different Countries?

When both the employer and the employee are in the EU, everything is simple – GDPR applies to all.

Nowadays, though, very often the employer and the employee are in different countries. That also affects the applicability of the GDPR and can make things tricky for both the employer and the employee.

What matters is not the nationality of the employer or the employees but where the employer is established and where the employees are located. Here’s a simple formula to guide you:

  • Employer established in the EU, employees located anywhere: the GDPR applies (Article 3(1))
  • Employer established outside the EU, employees located outside the EU: the GDPR does not apply
  • Employer established outside the EU, some employees located in the EU: the GDPR can apply to the relationship with the EU-based employees, in practice most often because the employer monitors their behavior, for example through work-device monitoring (Article 3(2)(b)).

Determine whether the GDPR applies and, if it does, read again what the employer has to do and what the employee can do to protect their personal data properly.

The Takeaways

Whenever there is personal data involved, data protection laws apply. This does not exclude employment relationships.

The GDPR is not very prescriptive about processing for employment purposes. It leaves room for national labor laws and collective agreements to determine the categories of data that can be processed and the safeguards that apply.

For all the other aspects, the employer needs to meet all the other GDPR requirements.

An international employer with staff in many countries has to be very careful. Labor laws differ between EU countries, and each country has its own collective agreements.

That puts such employers in a challenging position. The safe path is to process only the minimum amount of data needed. Data minimization (Article 5(1)(c)) is one of the basic data protection principles, and applying it makes everything else simpler.
