As an employer, you process and collect personal data of your employees on a daily basis and for various purposes. The data may concern employee benefits, salary, records of sick leave, maternity or paternity leave, performance evaluation, and others.
Some of that information you are obligated to collect and process under the employment law, while some of the data is processed for internal procedures and policies.
However, as an employer, you should take into account all GDPR requirements and specifics of national legislation that need to be further investigated since the Member States can impose their own rules and restrictions.
As the GDPR Article 88 specifies, there are more legislative layers applied here:
“Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment…”
Lawful basis for processing employee data
There are six lawful bases for processing personal information, and you will have to base your processing activities on one of those lawful bases for processing to be compliant.
Employers are usually relying on the first four:
When talking about consent given under the employee-employer relationship, it is very difficult to obtain compliant consent that is freely given, specific, informed, and unambiguous, especially because, given the relationship, there is an uneven distribution of power.
Can consent truly be given freely in an employee-employer relationship?
If an employee wants to deny the employer his/her consent, there is always a chance that the employee might think about the possible repercussions of that action. This can influence employees to consent to avoid unpleasant situations at work or being on bad terms with an employer.
What can you do in a situation like this?
From the employer’s point of view, the best thing to do in those situations is to avoid consent as a legal basis for processing.
If an employer is a public authority, consent is never appropriate, considering an uneven distribution of power.
If you must rely on consent, it should be used only when an employee has an undeniable free choice to give consent and can revoke it without repercussions to his position.
“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.
Also, if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
To conclude, the advice is to avoid consent if there is an unequal balance of power or if withdrawing consent would be problematic.
As a company, you should be thoroughly familiar with the national law and find out if there are certain situations or types of processing where you can not process employee data even under the given consent.
2. Fulfillment of the contract
As you may already know, as an employer, you need to process certain personal data to fulfill your obligations under the contract.
For example, to pay a salary or benefits, you will need to process your employees’ personal information regarding their account details and other personal info.
There is also a special category of personal data- sensitive personal data that requires additional protection granted by the GDPR since processing those types of data can involve severe and unacceptable risks to fundamental human rights and freedoms.
Special categories of data are related to employees’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning sex life, or sexual orientation.
Sensitive data can be processed if necessary to carry out employment obligations.
For example, processing health information for sickness benefits. For some types of processing of sensitive data, explicit consent will be needed.
The consent needs to be additionally documented and explained, giving information on what processing is taking place and about consent withdrawal.
3. Legitimate interest
Legitimate interest is one of the lawful bases that most companies will rely on when processing employee personal data (except for public authorities).
Legitimate interests include the processing necessary for the employer’s legitimate interests or the legitimate interests of a third party.
The exception is when those interests are overridden by fundamental rights and freedoms of the data subject that require the protection of personal data, especially if an individual is a child or a minor.
4. Compliance with the legal obligations
Data protection laws and national Member state laws will require companies to process personal data of employees to fulfill their legal obligations.
For example, tax law can require disclosing salary details to the local authorities.
Disclosing information about processing personal data of employees
When you define an appropriate lawful basis for processing personal data of your employees, you are obligated to provide information to your employees about:
- how you use employee data
- for what purposes do you use their personal data
- lawful basis for processing
- explain employee rights
- provide contact details about a person within an organization who is authorized to provide more information
- who are the recipients of the data
- for how long will you keep the data
You can explain processing in more detail in the company’s handbook or an easily accessible internal document.
Notify your employees of any changes in the data processing in such detail that the employee can understand the ramifications of the processing.
Employees’ personal data should not be retained for longer than necessary, especially if the person is no longer employed.
However, there can be a legitimate reason for keeping your ex-employee’s personal data, such as complying with national law, like employment law, health law, or tax law.