Collection of data generally begins before any employment relationship is established, continues throughout it and may well carry on after termination. While there are circumstances which justify the collection of data for particular purposes, the area is becoming increasingly regulated. For now, HR departments may rely on the Data Protection Act; however, that is set to change within the next year or so with the advent of the EU General Data Protection Regulation 2016/679 (‘GDPR’), which has already entered into force and will apply across Europe as of 25 May 2018.
Under the GDPR, the employer will be duty bound to protect its employees’ data from misuse, and employees’ rights will be further strengthened and guaranteed, specifically with respect to the giving of free consent and the transfer of personal data across borders. Apart from this, the GDPR dramatically increases the fines that may be imposed, to the higher of €20,000,000 or 4% of worldwide annual turnover – a far cry from the maximum of €23,300 which may be imposed today. Add to that the possibility of a ban on processing or a suspension of data transfers, not to mention reputational damage and criminal sanctions, and compliance is a must.
The main objective of the GDPR is to harmonise data protection laws throughout the EU; however, Member States may still lay down more specific rules on the processing of personal data in the employment context, for instance for the purposes of recruitment, the performance of the employment contract, and health and safety. The GDPR’s reach also extends beyond the company itself to any HR service provider processing data on your behalf, which, to date, would have been regulated under the Data Protection Act.
The most relevant change for HR Departments concerns the consent given by employees for the processing of their personal data. Most companies in Malta and around the EU rely on the data subject’s simple consent to process personal data. The current approach has a flaw in any case: when an employee is asked to give consent at the time of signing the employment contract, the employer is in the stronger position, which in turn calls the validity of that consent into question, because the employee is deemed to have little real say in the matter.
The GDPR will now require consent to be freely given, specific, informed and unambiguous, and a refusal to give it cannot result in any detriment to the employee. Some minimum set of information will still have to be identified, since it would be impossible to enter into an employment relationship without gathering any personal information on the employee at all. Even so, a generic declaration covering all forms of processing will not be enough; consent will have to be specific to each purpose. Where consent is withdrawn, the processing of personal data will have to rest on another legal basis, namely the employer’s legitimate interest in carrying it out.
Relying on the employer’s legitimate interest as the basis for processing will limit the breadth and type of data that may be processed and will require the employer to justify the processing at every level. From an administrative point of view, HR departments must now ensure that the way they operate meets all the requirements of the GDPR. This means that, with or without consent, measures need to be put in place for the safe handling and processing of the data that is genuinely necessary.
The GDPR will increase employee rights, and employers will need to provide detailed information on how the company processes employee data and the reasons for doing so. Employees will also need to be given access to their data and the possibility of having any inaccuracies rectified. Moreover, employees will have the right to be forgotten (the right to erasure) where the data is no longer necessary for the purposes for which it was originally collected or where the employee has withdrawn his or her consent.
Other obligations placed on employers include being able to demonstrate compliance with the GDPR upon request. In some circumstances employers will need to appoint a data protection officer, and they may have to carry out data protection impact assessments, consult the data protection authority beforehand and keep records of their processing activities. In addition, companies will be obliged to notify the authority of a personal data breach within 72 hours of becoming aware of it (a later notification must be accompanied by reasons for the delay, and breaches unlikely to result in a risk to individuals need not be notified at all). The affected employees will also have to be notified if the breach is likely to result in a high risk to their rights and freedoms.