GDPR and employment relations
GDPR (Regulation 679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC), which will apply from 25 May 2018 (hereinafter referred to as "GDPR"), covers all processing of personal data, including personal data of employees.
Employee personal data processing is natural in the employment relationship because the employer must be able to correctly identify the employee, evaluate them, pay the salary to a bank account, register the employment contract in Revisal, monitor the work and the use of work equipment. All these actions involve the processing of personal data. Of these types of processing, some are mandatory and necessary because they are provided by law, while others are optional, designed to increase the productivity and efficiency of the employer or for other purposes that might be considered excessive according to the GDPR provisions.
The set of obligations of the employer according to the GDPR is more complex and stricter than the previously existing obligations and refers to the processing of personal data of the employees from a triple perspective, namely: (i) recruitment, (ii) performance of the employment contract and (iii) termination of the employment contract.
What are the necessary verifications for GDPR compliance?
Two novelties are especially relevant for HR departments, as follows:
Employees must be informed on the source of personal data
In light of the changes brought on by GDPR, employees will need to be informed on the source which the employer obtained the personal data from. In principle, the data can be obtained from 3 major sources:
- directly from the employee, such as by submitting the resume or filling in the employment application or providing the necessary information for signing the employment contract;
- through the activities that the employee carries out during their employment, such as through performance evaluations;
- from third parties, including references and other background checks, former employers and recruitment agencies (of course, subject to the applicable legal requirements).
Take note of the reason for personal data processing
Once the GDPR takes effect, consent does not validate the processing of all kinds of data in any way, nor their transfer, even within the same group as long as the employee is in a relationship of subordination to the employer and the other principles are not respected, such as limitation of purpose and data minimization.
The main reasons for which employee data can be processed are:
(A) Contract performance
For the actual performance of the employment contract, the employer will only be able to process the personal data of the employee required to perform the contractual obligations. For example, the employer will be able to request the employee's identification data necessary for the conclusion of the contract, the bank details needed to pay the salary. It will be difficult to justify requesting information about family members, such as surnames, first names, family members' jobs except when, depending on the workplace, this information may be required for emergency situations.
(B) Complying with certain obligations
In some cases, the employer has legal grounds for certain types of personal data processing because there are legal obligations for employers that result from a legal provision or a public authority order. For example, communicating employees' data for health and safety or social security protection, information on the criminal record (for guards, bank employees, warehouse managers), sending it to the tax authorities, processing for purposes related to occupational medicine, assessment of the employee's work capacity.
In recent years, the processing of personal data of employees on the basis of consent has often been questioned, the main argument being that the employee is in a relationship of subordination, which can affect the free manifestation of consent. The employee may feel compelled to agree to the processing of their data requested by the employer, for fear of suffering adverse consequences at the workplace, suffering harm, including being fired. For example, a consent expressed by the employee for video monitoring or GPS monitoring could be considered invalid.
In the case of consent, a detailed analysis of the situation is necessary to ensure that all the requirements that the GDPR imposes in these cases are met:
- Consent must be given freely, be informed, specific and unambiguous;
- Consent must be presented in a manner clearly different from other aspects, in a readily understandable and easily accessible form, using simple and clear language;
- The employee must be able to withdraw their consent at any time.
If the employee withdraws their consent, the employer must promptly cease the processing of personal data, and possibly delete it if it is not associated with other processing based on another supported reason.
(D) Legitimate interest
The legitimate interest of the employer may be used as grounds for the processing of data, unless it interferes with the employee's privacy. Before using this reason, the employer will have to carefully examine the extent to which its purpose prevails over the employee's right to privacy or whether there are other ways to collect the necessary information without affecting the privacy of the employees. For example, video surveillance of employees is not legal if it is based on consent but could be justified on the basis of a legitimate interest of the employer (guarding and protecting employees and goods, making work more efficient).
Considering that, unlike the pre-GDPR situation, the processing of personal data of employees on the basis of consent will no longer be a universal and indisputable basis for processing after 25 May 2018, employers must take a series of steps in the meantime, such as:
- Mapping the personal data to determine which data is processed, the purpose of the processing, and how long it is stored. Once having done so, one should consider which of the reasons apply to each processing activity.
- Reviewing and revising all clauses of employment agreements intended to obtain the employee's general consent for processing of personal data.
- If employees' personal data is processed on the basis of consent, then they will be able to withdraw it at any time. Therefore, you will need to implement a mechanism for withdrawing consent and deleting said data.
As the first step in this process, we recommend that you conduct an audit of the "AS IS" situation in your company and identify the compliance gaps and correct them, and also implement the measures you decide to apply in preparation of GDPR compliance.
By Andreea Botez, Associate, Voicu & Filipescu