As an employer, you process and collect personal data of your employees on a daily basis and for various purposes. The data may concern employee benefits, salary, records of sick leave, maternity or paternity leave, performance evaluation, and others.
Some of that information you are obligated to collect and process under the employment law, while some of the data is processed for internal procedures and policies.
However, as an employer, you should take into account all GDPR requirements and specifics of national legislation that need to be further investigated, since the Member States can impose their own rules and restrictions.
As the GDPR Article 88 specifies, there are more legislative layers applied here:
“Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment…”
Lawful basis for processing employee data
There are 6 lawful bases for processing personal information, and you will have to base your processing activities on one of those lawful bases in order for processing to be compliant.
Employers usually rely on the first four:
1. Consent
When talking about consent given in the employee-employer relationship, it is very difficult to obtain compliant consent that is freely given, specific, informed, and unambiguous, especially because the relationship involves an uneven distribution of power.
Can consent truly be given freely in an employee-employer relationship?
If an employee wants to refuse consent to the employer, there is always a chance that the employee will think about the possible repercussions of that refusal. This can influence employees to give consent in order to avoid unpleasant situations at work or being on bad terms with the employer.
What can you do in a situation like this?
The best thing to do in those situations, from the employer’s point of view, is to avoid consent as a legal basis for processing.
If an employer is a public authority then consent is never appropriate considering there is an obvious uneven distribution of power.
If you must rely on consent, it should be used only when an employee has an undeniable free choice to give consent and can revoke it with no repercussions to his or her position.
“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.”
The same applies if the performance of a contract, including the provision of a service, is made dependent on consent even though such consent is not necessary for that performance.
To conclude, the advice is to avoid consent if there is an unequal balance of power, or if a withdrawal of consent would be problematic.
As a company, you should be thoroughly familiar with the national law and find out whether there are certain situations or types of processing where you cannot process employee data even with the employee’s consent.
2. Fulfillment of the contract
As you may already know as an employer, there are certain personal data you need to process in order to fulfill your obligations under the contract.
For example, in order to pay a salary or benefits, you will need to process personal information of your employees regarding their account details and other personal info.
There is also a special category of personal data, sensitive personal data, that requires additional protection under the GDPR, since processing those types of data can involve severe and unacceptable risks for fundamental human rights and freedoms.
Special categories of data are related to employees’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning sex life, or sexual orientation.
Sensitive data can be processed if it is necessary for carrying out obligations in the employment field.
For example, processing health information for sickness benefits. For some types of processing of sensitive data, explicit consent will be needed.
The consent needs to be additionally documented and explained, giving information on what processing is taking place and about consent withdrawal.
3. Legitimate interest
Legitimate interest is one of the lawful bases that most companies will rely on when processing employee personal data (except for public authorities).
Legitimate interests cover processing that is necessary for the purposes of the employer’s legitimate interests or the legitimate interests of a third party.
The exception is when those interests are overridden by fundamental rights and freedoms of the data subject that require the protection of personal data, especially if an individual is a child or a minor.
4. Compliance with legal obligations
Data protection laws and national Member State laws will require companies to process personal data of employees in order to fulfill their legal obligations.
For example, tax law can require the disclosure of salary details to the local authorities.
Disclosing information about processing personal data of employees
When you have defined an appropriate lawful basis for processing the personal data of your employees, you are obligated to inform your employees about:
- how you use employee data
- the purposes for which you use their personal data
- the lawful basis for processing
- the rights employees have
- the contact details of a person within the organization who is authorized to provide more information
- who the recipients of the data are
- how long you will keep the data
You can explain processing in more detail in the company’s handbook or in an easily accessible internal document.
Notify your employees of any changes in the data processing in such detail that the employee can understand the ramifications of the processing.
Personal data of employees should not be retained for longer than necessary, especially if the person is no longer employed.
However, there can be a legitimate reason for you to keep your ex-employee’s personal data, such as complying with the national law, like employment law, health law, or tax law.