Updated: Apr 13, 2020
GDPR has always been about people’s right to data security. Many articles have been written about how the regulations brought by GDPR protect data subjects with regard to their rights and their consent to how their data is processed.
Employees, too, are being looked after by the GDPR.
This is mainly because an employee’s data is expected to be monitored and processed every now and then, which makes employees vulnerable data subjects. Furthermore, employees have usually been put in a situation where their consent is irrelevant because of the imbalance between employers and employees, leaving them with no choice but to follow.
But thanks to the GDPR, this is no longer the case! With that said, how can a company be compliant with GDPR when processing the data of its employees?
Article 88 of GDPR discusses data processing in the context of employment in three paragraphs, the first being the most comprehensive:
“Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.”
GDPR, with its aim to protect data subjects at all costs, requires that consent be given freely and be informative and clear, so that data subjects understand the risks and how their data is being used. This is where the problem starts to arise: many companies contractually require their employees to provide their data for processing, a necessity that can be invoked in the case of, for example, payment processing. In order to avoid non-compliance, companies should have a legal basis for their data processing. This, however, isn’t the case for most, as an imbalance in the relationship between employers and employees is prevalent.
Of course, it will be impossible not to process your employees’ data, as your safety and the productivity of your company might otherwise be compromised. The question here is: how?
Employers and Their Employees’ Data:
In order for you to remain GDPR compliant while still being able to process your employees’ data, here are some points for you to ponder:
Identify the main reason for data processing.
Asking for consent to process the data of subjects will not be enough, but contractual necessity is. You just have to ask yourself: why do you need to process the data? Is it really needed? Do you have no other alternatives? If you answered yes and no to these questions, then you can start writing the purpose and ensuring its legality.
Do it in a way where the procedures that you lay down will not deprive your employees of their rights. Keep in mind that under GDPR, employees have the right to data access, data correction, and data erasure, or to not give permission for data processing at all.
Never fail to announce when there is data processing.
GDPR requires companies to provide notice whenever they start collecting and processing data from their employees. The notice should also lay down the reason why this is done, for how long, and whether the data will be sent outside the European Union; if it will be, disclose the reason and the receiver of the processed data. Employees should always be informed of their rights and be given the freedom to exercise them.
Perform a Data Protection Impact Assessment (DPIA).
A DPIA should be done before processing the data, not just on employees but on the information of the security program. This includes calculating the risks that could occur during data processing and how these risks can be mitigated. Keep in mind that the employees should not be overlooked and their data must be included in the DPIA, as this is their right.
The legitimate interest of the employer.
This will be the safeguard for when it is necessary to send data to another management system. But always remember that the legitimate interest should not step on the rights of the employees and is never grounds for processing data under a special category.
To sum up the foregoing, employees are significant in running your company. With your company having employees, it is also inevitable that you will process their data, especially when it comes to contractual necessity. But in every data process that you perform, regardless of whether it’s a contractual necessity or not, you must be vigilant and be able to justify the data that you will be processing. Never neglect their rights, and treat your employees’ data with respect in the same way that you would treat your clients’.
Everyone in Europe should be protected by GDPR, including employees, because the EU did not create this for their benefit but for the transparency and accountability of companies in protecting their data subjects.