Employers process their employees’ personal data. There is no way around it. However, when doing so, employers’ hands are tied by the GDPR and other personal data protection laws.
The GDPR is quite straightforward when it comes to collecting and processing data whose processing is not necessary, for example for marketing purposes. In that case, you need the user’s consent to process their data.
When it comes to personal data that has to be processed in order to serve the user, where the processing is in the user’s own interest, the rules are different. Businesses can rely on other legal bases for that processing.
Processing of employees’ personal data sits somewhere in between. The employer can process it to perform the employment contract and to meet certain legal requirements, but that comes with many constraints.
The GDPR is not as specific about the processing of employees’ data as it is in other areas. It sets out the framework (Article 88) within which each EU member state can lay down more specific rules for processing in the employment context. As a reminder, the GDPR is a regulation that is directly applicable in each member state.
Basically, the GDPR says that:
This means that the employer can process employees’ data for the purposes of:
This also includes the processing of special categories of personal data (sensitive data), such as health data, racial or ethnic origin, sexual orientation, and others.
Aside from abiding by labor laws, the employer has to abide by the GDPR as well. In terms of HR, that would mean doing the following:
Process data for proper purposes. The employee has provided their data for employment purposes. That gives the employer the right to process the data for employment purposes only and nothing else.
Obtain consent from the employee for processing beyond employment purposes. If the employer wants to process the employee’s data for other purposes, they need the employee’s consent for those specific purposes (explicit consent where special categories of data are involved). The employer has to make sure that the employee is properly informed and can withdraw the consent at any time, as easily as it was given. Bear in mind that, because of the imbalance of power between employer and employee, supervisory authorities regard employee consent as freely given only in exceptional cases, so it should not be relied on for anything the employee cannot realistically refuse without adverse consequences.
Ensure that data transfers are lawful. Transfers within the EU/EEA and to countries covered by an adequacy decision need no additional safeguards. Transfers to other third countries require appropriate safeguards, such as standard contractual clauses, and those to the United States are particularly tricky.
Read more about how to transfer personal data to the US in compliance with the GDPR.
Implement security measures. The municipality of Bergen, Norway, was fined EUR 170,000 for not implementing adequate security measures to protect the personal data of students and teachers.
Related: GDPR fines list
What did they do? Their computer system had a poor login feature that allowed unauthorized persons to access personal data.
A poor login may seem like a small issue in day-to-day operations, but every inadequate security measure is a risk to the employer’s budget as well as their brand image. Article 32 of the GDPR requires the employer to implement technical and organizational measures that are appropriate to the risk of the processing, and authentication to systems holding personal data is the most basic of them.
Appoint a Data Protection Officer (DPO) where required. Some companies have to appoint a DPO. The GDPR requires the following to appoint a DPO:
Not all companies belong to these categories, so not all have to appoint a DPO. For all the rest, appointing a person dedicated to data protection in the company is still good practice.
The employee can exercise their data subject rights. Every person to whom the GDPR applies has a set of data protection rights they can exercise to prevent harm and protect their privacy.
Right to access. The employee can always request access to the personal data the employer processes. At the same time, the employee can ask about the processing purposes and learn whether the data is being processed only for employment purposes or not.
In addition, the employee can ask about the recipients of their data, including the third-party tools and processors the employer uses for data processing. That will help them determine whether the processing is lawful, what the processing purposes are, whether data is being transferred abroad, and so on.
Right to object. If the employee determines that some of the data is being processed for the wrong reasons, he or she can object to the processing. The employer then has to cease the processing for those specific purposes unless it can demonstrate compelling legitimate grounds that override the employee’s interests.
However, the right to object applies to processing based on legitimate interests (or a public task). Where the data is being processed solely for employment purposes, that is, to perform the employment contract or to meet a legal obligation, there is no room for objection.
Right to correction (rectification). The employee has the right to have inaccurate data corrected and incomplete data completed. The employer must make the requested corrections without undue delay.
Right to be forgotten (erasure). The employee has the right to be forgotten, but only under certain circumstances. He or she can request to have their personal data erased from the employer’s records if both of the following conditions have been met:
In all other cases, the employer can refuse to erase the employee’s personal data.
Right to compensation in the case of damage due to a data breach. Sometimes companies are victims of data breaches. These breaches can cause damage to employees. When material or non-material damage occurs, the employee has the right to be compensated for the damage suffered.
When both the employer and the employee are in the EU, everything is simple: the GDPR applies to both.
Nowadays, though, the employer and the employee are very often in different countries. That affects the applicability of the GDPR and can make things tricky for both the employer and the employee.
Here’s a simple formula to guide you:
Determine whether the GDPR applies and, if it does, read again what the employer has to do and what the employee can do to protect their personal data properly.
Whenever personal data is involved, data protection laws apply. Employment relationships are no exception.
The GDPR is not very strict when it comes to processing data for employment purposes. It leaves room for national labor laws and collective agreements to determine the categories of data that can be processed.
For all other aspects, the employer needs to meet all the other GDPR requirements.
An international employer that employs people in many different countries has to be very careful. Labor laws differ between EU countries, and every country has its own collective agreements.
This puts such employers in a challenging position. They can take the safe path, though, by simply processing the minimum amount of data needed. Data minimisation is one of the basic data protection principles (Article 5(1)(c)), and the less data you hold, the simpler every other obligation, from access requests to breach response, becomes.