Processing personal data of employees

As an employer, you collect and process personal data of your employees on a daily basis and for various purposes. The data may concern employee benefits, salary, records of sick leave, maternity or paternity leave, performance evaluation and more.

Some of that information you are obligated to collect and process under employment law; other data is processed for internal procedures and policies.

However, as an employer, you should take into account all GDPR requirements as well as the specifics of national legislation, which need to be investigated separately, since the Member States can impose their own rules and restrictions.

As Article 88 of the GDPR specifies, additional legislative layers may apply here:

“Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment…”

Lawful basis for processing employee data

There are 6 lawful bases for processing personal information, and for your processing to be GDPR-compliant you will have to base each of your processing activities on one of those 6 lawful bases.

Employers usually rely on the first four:

1. Consent

In an employee-employer relationship it is very difficult to obtain proper consent that is freely given, specific, informed and unambiguous, because the relationship itself involves an uneven distribution of power.

Can consent truly be given freely in an employee-employer relationship?

If an employee wants to refuse consent, there is always a possibility that the employee will worry about the repercussions of doing so. This can lead the employee to give consent simply to avoid unpleasant situations or being on bad terms with the employer.

What can you do in a situation like this?

The best thing to do in those situations, from the employer’s point of view, is to avoid consent as a legal basis for processing. If the employer is a public authority, consent is never appropriate, given the uneven distribution of power.

If you must rely on consent, it should be used as a legal basis only when the employee has an undeniably free choice to give it and can revoke it with no repercussions to his or her position.

Recital 43 of the GDPR:

“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.

Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

To conclude, the advice is to avoid consent if there is an imbalance of power, or if a withdrawal of consent would be problematic.

As a company, you should be thoroughly familiar with the national law and find out whether there are certain situations or types of processing where you cannot process employee data even with the employee’s consent.

2. Fulfillment of the contract

As you may already know as an employer, there is certain personal data you need to process in order to fulfill your obligations under the employment contract.

For example, in order to pay a salary or benefits, you will need to process your employee’s personal information, such as account details and other personal data.

As mentioned in one of our previous blogs, there is a special category of personal data: sensitive personal data. It requires additional protection under the GDPR, since processing those types of data can involve severe and unacceptable risks for fundamental human rights and freedoms.

The special category of data covers an employee’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning an employee’s sex life or sexual orientation.

For example, if you conduct video surveillance in your company or organization, or scan your employees’ fingerprints to monitor attendance, this will be considered processing of sensitive personal information.

If your activities do not fall under one of the exemptions to the prohibition on processing sensitive personal data, you will be in violation of the GDPR, which can result in serious penalties from your data protection authority. Not that long ago, the Dutch Supervisory Authority for Data Protection issued a €725,000 fine to a company that collected employees’ fingerprints.

For a better understanding of what falls into the special category of data, read our blog:

Sensitive personal data - special category under the GDPR

Sensitive data can be processed if it is necessary for carrying out obligations in the field of employment, for example processing health information for sickness benefits. For some types of processing of sensitive data, specific consent will be needed.

Such consent needs to be additionally documented and explained, stating what processing is taking place and how consent can be withdrawn.

3. Legitimate interest

Legitimate interest is the lawful basis that most companies (public authorities excepted) will rely on when processing employee personal data.

This basis applies when the processing is necessary for the purposes of the employer’s legitimate interests or the legitimate interests of a third party.

The exception is when those interests are overridden by the fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the individual is a child or a minor.

4. Compliance with the legal obligations

Data protection laws and national Member State laws will require companies to process personal data of employees in order to fulfill their legal obligations.

For example, tax law can require disclosure of salary details to the local authorities.

Disclosing information about processing personal data of employees

Once you have chosen an appropriate lawful basis for processing the personal data of your employees, you are obligated to inform your employees about:

• how you use employee data
• for what purposes you use their personal data
• the lawful basis for the processing
• the employees’ rights
• the contact details of a person within the organization who is authorized to provide more information
• who the recipients of the data are
• for how long you will keep the data

You can explain processing in more detail in the company’s handbook or in an easily accessible internal document.

Notify your employees of any changes in the data processing in enough detail that the employee can understand the ramifications of the processing.

Personal data of employees should not be retained for longer than necessary, especially once the person is no longer employed.

However, there can be a legitimate reason for you to keep an ex-employee’s personal data, such as complying with national law, for example employment law, health law, or tax law.