The GDPR will come into force in May 2018, and its main goal is to give data subjects power over their personal data. In this sense, there is a strong emphasis on personal rights, with fines for non-compliance reaching up to $20 million or 4% of annual turnover, whichever is higher. We have discussed data subjects' rights in various posts here on our blog. We have also dedicated a post to consent, another extremely important topic in the GDPR with regard to processing personal data.
Employees, however, have a sensitive status even within the GDPR. Why is that, you may wonder? There are various reasons, starting with the fact that their data must be processed one way or another within the organization where they work. There is also the clear imbalance of power between employer and employee, which means that consent cannot be considered the basis for processing.
Processing in the Context of Employment
Article 88 is the one that directly discusses processing in the context of employment. The article has three paragraphs, the first of which is the most comprehensive:
Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
According to the GDPR, consent should always be freely given, specific, informed and unambiguous. Controllers can base processing on consent unless there is a “clear imbalance” between the data subject and the data controller, and this is precisely where the problem comes up: between employer and employee there exists exactly such an imbalance. As a result, companies will need to rely on other legal grounds for processing. One such ground is contractual necessity, which can be invoked, for example, for payment processing.
Key aspects when processing employee data
All in all, processing employee data is unavoidable. So, how to make sure you are GDPR compliant while doing that? Here are a few aspects to consider:
- Establish your purpose for processing the data. Consent won’t be enough, but contractual necessity could be. It is simple, really. Why do you want to process the data? Is it really necessary? Is there no way around it? If you answered Yes-Yes-No, then go ahead and formulate your purpose, make sure it is legal, and you can get to work.
- Make sure you have procedures in place that allow employees to exercise their rights. Employees should be able to access their data, to correct it, to request erasure or object to processing.
- Provide a data processing notice. Under the GDPR a notice is required when you collect the data from the employee. The notice should also include why the data is needed, how it will be used and for how long, whether it will be transferred outside of the EU and if yes – why and to whom. Of course, all employees should be made aware of their rights and the possibility to exercise them.
- Some steps are required for all processing, not just for employee data. For instance, performing a DPA and having an information security program and an incident response plan are among these steps. Always remember to include employees’ data when performing the DPA or when developing these plans, since employees should be treated like any other data subject.
- Legitimate interest of the employer. This can cover, for example, the need to migrate data from one management system to another. Keep in mind that legitimate interest cannot override the rights and freedoms of the employee, and it cannot be used to process special categories of data.
As an organization, you will obviously need employees. With them comes the necessity to process their personal data. Most of it will be contractual necessity, but even then you need to be careful that all processing activities are justified and needed. In short, treat your employees’ data like you would treat that of your clients.
Fines for non-compliance, for failing to respect employees’ rights, can be significant, as I’m sure you already know. However, let’s not be driven solely by the fear of fines. That is definitely not the purpose of the GDPR. This new law is not intended to enrich EU funds through massive non-compliance fines. Its main goals are transparency, accountability and putting EU citizens – both consumers and employees – first. As long as you keep that in mind, compliance should be something logical and fairly easy.
Photo credit: Foter.com