Employers process employees' personal data; there is no way around it. But when they do, their hands are tied by the GDPR and other personal data protection laws.
The GDPR is quite straightforward when it comes to collecting and processing data that is not strictly necessary, such as for marketing purposes. In that case, you need the user's consent to process their data.
When personal data must be processed to serve the user and the processing is in their best interest, the rules are different: businesses can rely on other legal bases for that processing.
Processing of employees' data falls somewhere in between. The employer can process it to meet certain legal requirements, but that processing comes with many constraints.
As a reminder, the GDPR is a regulation directly applicable in each member state. It is not as specific about processing employees' data as it is in other areas; it sets out the framework within which each EU member state can regulate these issues.
The GDPR says that:
This means that the employer can process employees’ data for:
This also includes processing sensitive personal data, such as health data, race, ethnic origin, sexual orientation, and others.
Aside from abiding by labor laws, the employer must also abide by the GDPR. In terms of HR, that would mean doing the following:
Process data for proper purposes. The employee has provided their data for employment purposes. That gives the employer the right to process the data only for employment purposes and nothing else.
Obtain consent from the employee for processing beyond employment purposes. If the employer wants to process the employee's data for other purposes, they need the employee's explicit consent for those specific purposes. In the process, the employer has to make sure that the employee is well informed and has the opportunity to withdraw the consent at any time.
Ensure that the data transfers are lawful. Data transfers within the EU and to countries with an adequacy decision are unrestricted. Transfers to other third countries are restricted, and those to the United States are particularly tricky.
Read more about how to transfer personal data to the US in compliance with the GDPR.
Implement security measures. The municipality of Bergen, Norway, has been fined EUR 170.000 for not implementing adequate security measures to protect the personal data of students and teachers.
Check out our list of GDPR fines to get a complete overview of all the known fines issued.
What did they do? Their computer system had a poor login feature that allowed unauthorized persons to access personal data.
A poor login may seem like a small issue in day-to-day operations, but every inadequate security measure puts the employer's budget and brand image at risk.
Maybe appoint a Data Protection Officer (DPO). Some companies have to appoint a DPO. The GDPR requires a DPO in the following cases:
Not all companies belong to these categories, so not all have to appoint a DPO. For all the rest, appointing a person dedicated to data protection in the company is good practice.
The employee can exercise their data subject rights. Every person to whom the GDPR applies has a set of data privacy rights they can exercise to prevent harm and protect their privacy.
Right to access. The employee can always request access to the personal data that the employer processes. At the same time, the employee can enquire about the processing purposes and learn whether the data is being processed only for employment purposes or not.
In addition, the employee can enquire about the third-party tools the employer uses for data processing. That will help them determine whether the processing is lawful, the processing purposes, whether data is being transferred abroad, and so on.
Right to objection. If the employee determines that some of the data is being processed for the wrong reasons, they can object to it. The employer will have to cease the processing for those specific purposes.
However, if the data is processed solely for employment purposes, there is no room for objection.
Right to correction. The employee has the right to get their inaccurate data corrected. The employer must make the requested corrections.
Right to be forgotten. The employee has the right to be forgotten under certain circumstances. They can request to have their data erased from the employee records if both of the following conditions are met:
In all other cases, the employer can refuse to erase the employee’s personal data.
Right to compensation for damage caused by a data breach. Sometimes companies are victims of data breaches, and these breaches can cause damage to employees. When damage occurs, the employee has the right to be compensated for the damage suffered.
When the employer and the employee are in the EU, everything is simple – GDPR applies to all.
Nowadays, though, the employer and the employee are often in different countries. That also affects the applicability of the GDPR and can make things tricky for both the employer and the employee.
Here’s a simple formula to guide you:
Determine whether the GDPR applies and, if it does, read again what the employer has to do and what the employee can do to protect their personal data properly.
Whenever there is personal data involved, data protection laws apply. This does not exclude employment relationships.
The GDPR is not very strict about processing data for employment purposes. It leaves some room for labor laws and collective bargaining agreements to determine the categories of data that can be processed.
The employer needs to meet all the other GDPR requirements for all the other aspects.
An international employer that employs people in many different countries has to be very careful. Labor laws differ between EU countries, and every country has its own collective agreements.
This puts such employers in a very challenging position. They can take the safe path by simply processing the minimum amount of data needed. Data minimization is one of the basic data protection principles, and it makes everything else simpler.