Employment Agreement Gdpr

In recent years, data protection authorities have pointed out that the use of employee consent requires careful evaluation. They have questioned the employee's ability to give valid consent because of his or her dependence on the employer. The imbalance inherent in the employment relationship calls into question “voluntary” consent. If a company, regardless of its location, has employees based in the EU or the UK whose behavior it “monitors” (see below), it must comply with the GDPR with respect to the processing of those employees' personal data. “Monitoring” is not defined in the GDPR itself, but will likely cover the normal day-to-day tracking of employee activities that most, if not all, employers undertake towards their employees, e.g. to take disciplinary, performance-related or other employment-related actions. Under the GDPR, there is scope for specific employment-related derogations. We are currently awaiting more details on what will be included in the UK's data protection law, announced in the Queen's Speech in June, but with questions already raised about the validity of consent under the existing CCA, employers should now prepare to change their approach to consent. Most practices have undergone the changes safely and without major violations. However, it would be wise to make sure that your employment contracts include a clause that employees sign so that they know what information is stored about them. Although the General Data Protection Regulation (“GDPR”) was adopted on 25 September and came into effect in May 2018, its application to U.S. employers continues to evolve and become more complex.

For U.S. employers with employees residing in the European Union (“EU”), concerns have again arisen regarding the transfer and protection of employee data and compliance with GDPR requirements. This is especially important in terms of remote work arrangements, COVID-19 contact tracing, and interaction with global HR data systems. Given these developments, the following is a reminder of common issues that US employers may face regarding GDPR compliance (in terms of employment of EU citizens) and highlights new compliance considerations. When U.S. employers update their privacy and security policies, attention should be paid to any GDPR compliance issues. We suggest that you have this clause in your employment contracts. Since HR data processing will almost certainly meet two of the conditions that trigger a DPIA, employers will be required to conduct one.

Rights notice
Under the GDPR, the data subject is granted a number of rights in relation to his or her personal data, including the right to erasure, the right to portability, the right to rectification, the right to restriction of processing, the right to object, etc. While many of these rights are limited in the employment context, many require employers to take action to ensure that the rights of those affected are protected.

Therefore, employers must ensure that they have taken steps to inform workers of these rights, to grant these rights to workers, and to continue to monitor the exercise of these rights with a view to future compliance.

Appointment of a Data Protection Officer (DPO)
The GDPR stipulates that a company must designate a data protection officer if its core activities involve regular and systematic monitoring of data subjects on a large scale or the processing of sensitive data on a large scale. The problem with HR data processing is that it usually involves large amounts of sensitive data and employee monitoring. Therefore, a company that might not otherwise have to appoint a DPO for the processing of consumer or supplier data may need to do so for the processing of HR data.

Compliance with national data protection requirements
The GDPR allows EU countries to impose additional requirements for the processing of HR data through national laws and collective agreements, and these laws may be stricter than the GDPR. France has laws that prohibit the transfer of personal data outside of France. Germany has passed a law with additional or stricter requirements for the processing of personal data.

In addition, many union collective agreements and employee-related works council agreements contain additional or stricter requirements for the processing of employee data. This also extends to compliance with certain national labor laws that govern how and when employee information may be processed and how long certain types of HR data may be retained. Companies are more likely to face enforcement issues regarding employee personnel data, as employees and/or their unions and works councils are more likely to assert claims exercising employees' rights under the GDPR, collective agreements, national data protection laws, and works council agreements. Most employers have to rely on the “legitimate interest” basis, but to do this, the employer must first carry out preparatory work. In order to benefit from the legitimate interest basis, employers must carry out a data protection impact assessment in which their legitimate interests are weighed against the data protection interests of employees. To make matters worse, this must be documented in order to prove that the employer's legitimate interest outweighs the rights of employees. The next step that employers cannot overlook is that even if the employer has a basis for processing employee data, the employer must then provide the employee with a notice that defines exactly what data the employer will collect and what the employer will do with it.

Requirements for sensitive personal data
Under the GDPR, there are “personal data” (see above) and special categories of data, i.e. sensitive data.

Sensitive data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the unique identification of a natural person, health data, and data relating to the sex life or sexual orientation of a natural person. The processing of sensitive data is strictly prohibited unless one of ten exceptions applies, including: explicit consent; processing necessary for the performance of professional obligations, including compliance with a collective agreement; and protection of the vital interests of the data subject.

Data Protection Impact Assessment (DPIA)
The GDPR obliges companies to carry out a DPIA if the data processing is likely to result in a high risk to the rights of the data subject. Recent guidelines on this subject stipulate that a DPIA must be carried out if two of the following conditions are met:

3. If consent is still required for the processing of personal data (and in some cases it will still be required), you should consider including all consent provisions in a separate statement that is not inextricably linked to the employee's acceptance of the employment. The declaration must be detailed, specific and explicit in terms of purpose and must be adapted to each company. There is no “one size fits all”. The Article 29 Working Party, an advisory committee composed of a representative of the data protection authorities of each EU Member State, the European Data Protection Supervisor and the European Commission, has proposed guidelines for consent under the GDPR. The working party focuses on the imbalance of power in the context of employment: the employee must comply with the privacy policy when processing personal data in the context of employment, including personal data relating to employees, patients, suppliers or representatives of the firm.

For example, companies need to reconsider whether standard video surveillance of employees in shared workspaces is generally allowed without the express consent of employees. The working party also points out that the imbalance of power in the employment relationship makes voluntary consent questionable and that, for most work-related data processing, the legal basis under the GDPR on which one relies “cannot and must not be the consent of the employee”.

2. Reconsider the use of clauses in employment contracts aimed at obtaining broad consent from the employee to process his or her data. Such a general agreement will not be valid. Your contracts may also include clauses relating to your employee privacy policy (without requiring employees to agree to it) and a clause that governs employees' use of personal data in the course of their employment (for example, when processing other employees' data or customer data).