GDPR Legal Basis for Employee Data


With respect to “processing”, this term is also broad and includes the collection, recording, organization, storage, modification, retrieval, use, disclosure or other provision of personal data, including employee personal data. If you collect an employee's personal data, you are usually a subcontractor. There are a number of GDPR compliance obligations specific to HR data, as opposed to the obligations that apply to customer or supplier data, i.e. business-to-consumer (B2C) or business-to-business (B2B) data, which makes GDPR compliance for HR extremely difficult for employers. Here are some of them.

Consent vs. legitimate interest

One of the basic principles of the GDPR is that a data subject, i.e. an employee, must consent to the processing of personal data. Consent requires that the data subject be fully informed of the nature and scope of the processing, including a full understanding of how the information is processed, used and transferred to other entities. While many guidelines have been published on how companies can obtain consent from customers and suppliers, guidelines have also been issued suggesting that, due to the unequal bargaining power between employers and employees, it is inherently impossible for employees to give their employer voluntary consent to collect, process and/or transfer their HR data. Without consent, there are only a limited number of other ways in which an employer can process data; these are referred to in the GDPR as a “legitimate basis” and, in the relevant part, include: (1) the performance of an employment contract; (2) compliance with a legal obligation; and (3) the furtherance of a legitimate interest of the employer. One problem with the employment contract basis is that very few employees have “employment contracts”, because most employees are employed at will and most terms, including eligibility for benefits, are a matter of policy. However, this basis would apply to contracts, including collective agreements, that contain conditions of remuneration, leave, discipline and any conditions expressly provided for in the contract.

The “legal obligations” basis is also quite narrow, as the legal obligation must be based on EU law and not on US law. Instead, an alternative legal basis may be needed, such as the legitimate interests of the business or the performance of a contract.

In the past, many organizations have relied on blanket consent clauses in employment contracts as the basis for processing employee data. The Information Commissioner's Office (ICO) has always considered this problematic, because an employee who enters into an employment contract is rarely on an equal footing with the employer and therefore has no real choice, meaning that consent is not given voluntarily.

Companies should at least:
  • Obtain the employee's consent for processing beyond the purposes of employment. If the employer wishes to process the employee's data for other purposes, it needs express consent for those specific purposes. In doing so, the employer must ensure that the employee is well informed and must give the employee the opportunity to revoke consent if they so wish.
  • Comply with employees' SCA requests within the set deadlines.
  • Determine whether the GDPR applies and, if so, review what the employer needs to do and what the employee can do to properly protect their personal data.

Another frequently invoked basis for the lawful processing of HR data is that it is in the legitimate interest of the company to do so. According to the GDPR, processing is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

This client review is published by Dickinson Wright PLLC to inform our clients and friends about important developments in the field of data protection and cybersecurity. The content is provided for informational purposes only and does not constitute legal or professional advice. We recommend that you consult a Dickinson Wright lawyer if you have any specific questions or concerns about any of the topics discussed here. The working group recommends that companies use the services of an experienced data protection officer when preparing to comply with data protection laws.

While many US companies believe that the GDPR does not apply to them because they are not located in the EU, the GDPR applies to US or multinational companies that have employees in the EU. The GDPR applies in particular to the processing of “personal data of data subjects who are located in the EU”. It is not necessary for the worker to reside in the EU or to be an EU citizen; it is enough that the worker is in the EU.

This article provides a comprehensive guide for an organization's HR management team that wants to comply with the GDPR. First, let's look at some of the most important provisions of the GDPR that a human resources management team must consider when processing employees' personal data. Chapter 6 of the GDPR requires that any organization that processes personal data have a valid legal basis for that processing. Think of the legal bases as the scenarios in which it is lawful to process data; the GDPR offers six of them. One of the frequently cited bases for the lawful processing of HR personal data is that it is carried out with the consent of the employee. According to the GDPR, consent must be “freely given, specific, informed and unambiguous”. Given the power imbalance between employees and employers, it will be difficult for employees to give their consent voluntarily, which means that consent is unlikely to provide a valid basis for processing HR data. Individuals hired by the company, whether employees, candidates, contractors or interns, must be provided with detailed, granular and accessible information describing how their personal information is used. Typically, this is included in a privacy notice that should be provided to individuals at the beginning of the relationship. Personal data must be accurate and kept up to date; this is the accuracy principle. Inaccurate or outdated data must be deleted or corrected, and data controllers are required to take “every reasonable step” to comply with this principle. Securiti offers the DSR Automation solution to help companies respect all of these rights and simplify the process of exercising them.

This process transforms manual work into an automated system that helps organizations quickly process requests from individuals and enables coordination between stakeholders for reviews and approvals. Another challenge for the legal bases of processing arises when an organization uses multiple databases to process different data sets. For example, an organisation may process the personal data of data subjects in the EU who are employees of the organisation, as well as of customers to whom it sells and markets services. The legal basis for processing employee data may differ from the legal basis for processing customer data. An organisation should ensure that it can distinguish the legal bases used for each type of processing, that it adequately responds to the rights of data subjects, and that it carries out a balancing test for legitimate interests. Finally, it should be noted that organizations cannot pick and choose the legal basis they use to process data and later switch it, for example by relying on both consent and contract. There can be only one basis for a given processing of personal data at a time.

Nowadays, however, employers and employees are often located in different countries. This also affects the applicability of the GDPR and can make compliance difficult for both the employer and the employee. Most employers must rely on the “legitimate interest” basis, but to do this the employer must first perform some preliminary work. In order to rely on the legitimate interests basis, employers must carry out a data protection impact assessment in which they weigh their legitimate interest against the data protection interests of employees. The most difficult part is that this assessment must be documented, to prove that the legitimate interest of the employer outweighs the rights of the employees. The next step that employers should not overlook is that, even if the employer has a basis for processing employee data, the employer must inform the employee, detailing what data the employer will collect and what the employer will do with it.

Sensitive HR data requirements

According to the GDPR, there are “personal data” (see above) and special categories of data, i.e. sensitive data. Sensitive data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning the sex life or sexual orientation of a natural person. The processing of sensitive data is strictly prohibited unless one of ten exceptions applies, including: explicit consent; processing to the extent necessary to comply with employment-law obligations, including compliance with a collective agreement; and processing to protect the vital interests of the data subject.