EU GDPR (General Data Protection Regulation) rules have been in force since May 25, 2018, yet many employers are still struggling to effectively implement and comply with these new rules.

Despite the recent French data privacy law of June 20, 2018 and the implementation decree of August 1, 2018, many questions remain unanswered. Employers should be particularly cautious when implementing the GDPR rules.

Below is a summary of some of the main HR considerations linked to (i) the implementation of a data privacy policy, (ii) data privacy requests from employees, and (iii) HR data privacy breaches.

Rolling out an HR data privacy policy

Once companies have created their data privacy policy taking into account the GDPR requirements, and in particular the "5Ws" (Who/Where/What/When/Why), the next question is how to implement this policy so that it is fully effective. Indeed, one of the key GDPR requirements is the transparency obligation. It is therefore essential to clearly inform employees of how their personal data is collected and processed by the employer.

To avoid overwhelming employees with a detailed data privacy policy, the CNIL (the French data protection authority) recommends a "two-step" approach in which employees are provided with (i) easy-to-read general information via a basic information note and (ii) a more detailed policy.

Although French law has not provided specific details on how a data privacy policy should be rolled out, the main HR options are the following:

  • Including the data privacy policy as an appendix to the employment agreement or simply referring to the policy in the employment agreement;
  • Communicating the data privacy policy by registered letter, email or by hand in exchange for a signed receipt;
  • Including the data privacy policy in Internal Regulations or simply referring to the main employee obligations in Internal Regulations.

Employers should remember to inform and consult with employee representatives on the above as the case may be.

Employers should also not rely on blanket "consent" as the legal basis for the data processing: consent is not sufficient given the subordinate position of the employee in an employment relationship.

Finally, the data privacy policy must be rolled out in French.

Responding to data privacy requests from employees

Employees (this includes candidates, current employees and past employees) have, among other rights, a very broad right to access their personal data.

This right of access allows employees to access and request copies, modifications or deletion of all personal data concerning them.

Employers should be capable of responding "as soon as possible" and no later than 1 month after a request from an employee. This timeframe can be extended to 2 months "in case of complex or numerous requests" subject to the employee being informed of this extended timeframe within 1 month of the request.

In order to respond in a timely manner to employees' requests to access their personal data, it is essential that a clear process be put in place so that employees can easily contact the appropriate person capable of responding to the request.

Employers can refuse to respond to such requests when they are clearly unjustified or excessive or when data has already been deleted.

Dealing with an HR data privacy breach

In addition to the requirement to inform the data privacy authorities within 72 hours in case of a data privacy breach (where the breach may entail a risk for employees), the employer must also inform the employees "without delay" when the breach entails a "high risk" for employees or when the data privacy authorities order the company to inform its employees.

Companies should therefore also implement very clear processes to act quickly in case of a breach.

To assist clients in complying with the GDPR provisions applicable to data breaches, Baker McKenzie has launched a mobile application, "Data Breach 72". It is a multilingual app, with its first version in French and English. In a few clicks, "Data Breach 72": (i) makes it possible to identify whether a data breach within the scope of the GDPR has occurred, (ii) helps to establish whether it is necessary to notify the CNIL within 72 hours and, if so, (iii) prepares an initial draft notification.