Employee Data Protection in the EU is subject to major changes, notable to multinational companies with employees in the EU.
A few days ago, after 4 years of negotiation, the European Parliament adopted the General Data Protection Regulation (“GDPR”). As it is planned to be effective in 2018, companies should be aware that they only have two years from now to prepare for compliance.
Orrick’s global Cybersecurity & Data Privacy team recently summarized the key changes in a Blog post.
From an employer’s perspective, it is notable that many provisions in the new GDPR directly or indirectly concern employee data protection. The main novelties of particular relevance for employers are the following:
- Scope of application: The GDPR also applies to a controller or processor not established in the EU when offering goods or services to EU citizens or monitoring their behavior.
- Sanctions: For breaches of data protection law, companies may face fines of up to EUR 20 m. or 4 % of their worldwide annual turnover.
- Consent of employee: Consent to the processing of personal data of the employee is still possible, however, a statement or clear affirmative action with regard to the employee’s agreement is required and the consent is revocable at any time.
- Works agreements: Although consent by means of a collective agreement remains possible, new substantial requirements must be considered by employers and works councils regarding existing and future works agreements. Worth mentioning are in particular the required precise and transparent description of data processing, the requirement to name both the rights of the affected persons as well as the obligations of those responsible for the data processing, and the mandatory illustration of possible changes in purpose of collected data.
- Accountability: Employers will be required to provide data subjects with detailed documentation on processing as well as the legal basis for processing. In certain contexts, data protection impact assessments will have to be arranged. Furthermore, employers have to keep documentation on the personal data being processed and the purposes of such processing. In addition, a new provision requires that companies must report any security breaches to the data protection authorities on their own initiative.
- Administration: The newly required evaluation process of possible implications of data protection and prior consultation will create big efforts for companies. The same is true for the new data transfer right and data deletion right of employees.
Apart from these new obligations for employers, especially regarding information and transparency towards employees, it is possible for national governments to adopt supplementary provisions in order to take into account national peculiarities. Therefore, most of German regulations as well as settled case law by German labor courts will likely continue to apply.
With respect to the many new documentation requirements on the one hand and the difficulty to maintain control over personal data on the other hand, it is strongly recommended for companies to start preparing for the new data protection regime.
For co-determined companies, it is important to note that most provisions on the processing of employee data require the consent of the works council. Consequently, time for negotiations should be taken into account when planning new processes and policies in relation to employee data.