If you have employees or are doing business with individuals in the European Union, on May 25, 2018, you will be subject to some new regulations. The General Data Protection Regulation (GDPR) sets a new, heightened standard for data collection of citizens in EU countries, and many companies inside and outside of Europe will need to ensure that their systems and processes comply with a data protection statute that will be among the strictest in the world. There are specific provisions that apply to employee data.
The GDPR applies to all companies processing and/or holding the personal data of data subjects residing in the EU, regardless of where the company is physically located. Even companies without an EU presence will be subject to the new rules whenever: (1) an EU resident’s personal data is processed in connection with goods/services offered to him/her; or (2) the behavior of individuals within the EU is “monitored.” Additionally, violations of the GDPR could result in fines of up to 4 percent of a company’s annual global turnover or almost $25 million (20 million euros), whichever is greater.
Dealing with Your EU Employees’ Data
A key element of the GDPR is its heightened requirements for consent by employees for the processing of their personal data. Under the GDPR generally, consent must be freely given, specific, informed, unambiguous, and revocable. The GDPR, however, also acknowledges the limits of consent in situations where it cannot be freely given.
Article 29 of the Data Protection Working Party, an advisory body of representatives from the data protection authority of each EU Member State, outlines guidance on consent under the GDPR. These guidelines specifically acknowledge that an imbalance of power exists between an employer and an employee. Unlike consumers and customers who can provide voluntary consent for data processing, an employee will be unlikely to feel free to deny consent to data processing without fear of reprisal. For example, an employee may not feel free to refuse to fill out an assessment form or to refuse to consent to camera monitoring in the workplace when it could result in his or her termination.
Despite this imbalance of power, Article 29 acknowledges that there may be certain situations where an employee can freely consent. These exceptional circumstances can occur only when the employee is able to refuse consent with no fear of adverse consequences. As an example, Article 29 outlines a scenario where a film crew needs to film in certain office spaces. The employer requests consent from the employees sitting in that area to be filmed. If the employees who do not wish to be filmed suffer no consequences and are permitted to work in another part of the building during the filming period, that would be acceptable consent.
If consent in the employment context can be used only in exceptional circumstances, employers must find another legal basis to process their employees’ data. These additional legal bases include processing employee data when: (1) required for the performance of an employment contract, (2) required by law, or (3) furthering an employer’s legitimate interest. Furthering an employer’s legitimate interest requires the employer to perform a privacy impact assessment – balancing its legitimate interest with the employee’s privacy rights and documenting that the legitimate interest outweighs the employee’s privacy rights.
If you are going to be subject to the GDPR, you should review your employee documents (such as employment contracts or any permissions for data processing) to ensure they do not depend on the employee’s consent. For current employees, you may wish to provide new data processing notices outlining the additional legal bases for data processing. For new hires, you may wish to provide updated employment contracts and other documentation that outline the additional legal basis for data processing identified above. Employers should remain alert that under the GDPR consent alone may be insufficient for data processing in the employer/employee context.