Employee Data Processing: What is Right and Wrong Under the GDPR

By Petar Todorovski, Data Privacy Specialist. 11 February 2024

Fact-checked by Miklos Zoltan

Employers process employees’ personal data. There is no way around it. However, employers’ hands are tied by the GDPR and other personal data protection laws when they process that data.

GDPR is quite straightforward when it comes to collecting and processing data that is not strictly necessary, for example for marketing purposes. In that case, you need the user’s consent to process their data.

When it comes to personal data that must be processed to serve the user, where the processing is in their best interest, the rules are different. Businesses can rely on other legal bases for that processing.

Processing of employees’ data sits somewhere in between. The employer can process it to meet certain legal requirements, but that processing comes with many constraints.

Article summary: This article explores how employers handle the personal data of employees within the framework of the GDPR and its implications.

The GDPR sets out guidelines for the processing of employees’ data by employers across EU member states, supplemented by national legislation and collective agreements to bolster data protection. Employers are permitted to process such data for employment-related purposes and are required to secure consent for any additional processing activities.

Furthermore, they are obligated to ensure the lawful transfer of data and to adopt adequate security protocols. Employees are afforded rights under GDPR, such as the right to access, object, amend, and request deletion of their data.

Employers operating internationally must also contend with varying labor laws and GDPR requirements across different jurisdictions.

How Does GDPR Regulate Processing Employees’ Personal Data?

As a reminder, GDPR is a regulation directly applicable in each member state. GDPR is not as specific about processing employees’ data as it is in other areas. Instead, it sets out the framework within which each EU member state can regulate these issues.

The GDPR says that:

  • Each member state of the European Union has the freedom to choose how to regulate the processing of employees’ data, including sensitive data
  • They can regulate the processing through national laws and collective agreements
  • Member states must ensure that their laws and collective agreements safeguard the data subject’s human dignity, legitimate interests, and fundamental rights
  • National laws and collective agreements should take into account the GDPR rules on transparency of processing and international data transfers.

What Does This Mean?

This means that the employer can process employees’ data for:

  • Recruitment
  • Execution of employment contracts
  • Diversity and equality in the workplace
  • Planning and organization of work
  • Management of the company
  • Safety and health in the workplace
  • Protection of employer’s or customers’ property, or
  • Any other obligation the employer may have under the applicable laws and collective agreements.

This also includes processing sensitive personal data, such as health data, race, ethnic origin, sexual orientation, and others.

What the Employer Has to Do

Aside from abiding by labor laws, the employer must also abide by the GDPR. In terms of HR, that would mean doing the following:

Process data for proper purposes. The employee has provided their data for employment purposes. That gives the employer the right to process the data only for employment purposes and nothing else.

Obtain consent from the employee for processing beyond employment purposes. If the employer wants to process the employee’s data for other purposes, they need the employee’s explicit consent for those specific purposes. In the process, the employer has to make sure that the employee is well informed about it and give them the opportunity to withdraw consent whenever they want to.

Ensure that data transfers are lawful. Data transfers within the EU and to countries with an adequacy decision are unrestricted. Transfers to other third countries are restricted, and those to the United States are particularly tricky.

Read more about how to transfer personal data to the US in compliance with the GDPR.

Implement security measures. The municipality of Bergen, Norway, was fined EUR 170,000 for not implementing adequate security measures to protect the personal data of students and teachers.

Check out our list of GDPR fines to get a complete overview of all the known fines issued.

What did they do? Their computer system had a weak login mechanism that allowed unauthorized persons to access personal data.

A weak login may seem like a small issue in day-to-day operations, but every inadequate security measure puts the employer’s budget and brand image at risk.

Maybe appoint a Data Protection Officer (DPO). Some companies have to appoint a DPO. The GDPR requires the following organizations to appoint a DPO:

  • Government bodies
  • Companies whose primary source of income is data processing, and
  • Companies that collect and/or process sensitive personal data.

Not all companies belong to these categories. Therefore, not all of them have to appoint a DPO. For all the rest, appointing a person dedicated to data protection in the company is still good practice.

What the Employee Can Do

The employee can exercise their data subject rights. Every person to whom the GDPR applies has a set of data privacy rights they can exercise to prevent harm and protect their privacy.

Right to access. The employee can always request access to the personal data that the employer processes. At the same time, the employee can enquire about the processing purposes and learn whether the data is being processed only for employment purposes or not.

In addition, the employee can enquire about the third-party tools the employer uses for data processing. That will help them determine whether the processing is lawful, the processing purposes, whether data is being transferred abroad, and so on.

Right to object. If the employee determines that some of the data is being processed for the wrong reasons, they can object to it. The employer will then have to cease the processing for those specific purposes.

However, if the data is processed solely for employment purposes, there is no room for objection.

Right to correction. The employee has the right to get their inaccurate data corrected. The employer must make the requested corrections.

Right to be forgotten. The employee has the right to be forgotten under certain circumstances. They can request to have their data erased from the employee records if both of the following conditions are met:

  • The employee is not employed with the employer anymore, and
  • The employer doesn’t need the employee’s personal data.

In all other cases, the employer can refuse to erase the employee’s personal data.

Get compensated in case of damage due to a data breach. Sometimes, companies fall victim to data breaches. These breaches can cause damage to employees. When damage occurs, the employee has the right to be compensated for the damage suffered.

What Happens When the Employer and the Employee Are in Different Countries?

When the employer and the employee are in the EU, everything is simple – GDPR applies to all.

Nowadays, though, the employer and the employee are often in different countries. That also affects the applicability of the GDPR and can make things tricky for both the employer and the employee.

Here’s a simple formula to guide you:

  • Employer from the EU and employees from elsewhere: GDPR applies
  • Employer from the EU and employees from the EU and elsewhere: GDPR applies
  • Employer from the EU and employees from the EU: GDPR applies
  • Employer from elsewhere and employees from elsewhere: GDPR does not apply
  • Employer from elsewhere and employees from the EU and elsewhere: GDPR applies only to the relationship with the EU employees.

Determine whether the GDPR applies and, if it does, read again what the employer has to do and what the employee can do to protect their personal data properly.

The Takeaways

Whenever there is personal data involved, data protection laws apply. This does not exclude employment relationships.

GDPR is not very strict about processing data for employment purposes. It leaves some space for labor laws and collective bargaining agreements to determine the categories of data that can be processed.

The employer needs to meet all the other GDPR requirements for all the other aspects.

An international employer that employs people in many different countries has to be very careful. Labor laws differ between EU countries, and every country has its own collective agreements.

This puts such employers in a very challenging position. They can take the safe path by simply processing the minimum amount of data needed. Data minimisation is one of the basic data protection principles, and it makes everything else simpler.
