EU GDPR (General Data Protection Regulation) rules have been in force since May 25, 2018, yet many employers are still struggling to effectively implement and comply with these new rules.
Despite the recent French data privacy law of June 20, 2018 and the implementation decree of August 1, 2018, many questions remain unanswered. Employers should be particularly cautious when implementing the GDPR rules.
Employers should remember to inform and consult with employee representatives on the above as the case may be.
Employers should also not rely on blanket "consent", which is not sufficient as a legal basis for data processing given the subordination inherent in an employment relationship.
Responding to data privacy requests from employees
Employees (this includes candidates, current employees and past employees) have, among other rights, a very broad right to access their personal data.
This right of access allows employees to access and request copies, modifications or deletion of all personal data concerning them.
Employers should be capable of responding "as soon as possible" and no later than 1 month after a request from an employee. This timeframe can be extended to 2 months "in case of complex or numerous requests" subject to the employee being informed of this extended timeframe within 1 month of the request.
In order to respond in a timely manner to employees' requests to access their personal data it is essential that a clear process be put in place so that employees can easily contact the appropriate person capable of responding to the request.
Employers can refuse to respond to such requests when they are clearly unjustified or excessive or when data has already been deleted.
Dealing with an HR data privacy breach
In addition to the requirement to inform the data privacy authorities within 72 hours in case of a data privacy breach (where the breach may entail a risk for employees), the employer must also inform the employees "without delay" when the breach entails a "high risk" for employees or when the data privacy authorities order the company to inform its employees.
Companies should therefore also implement very clear processes to act quickly in case of a breach.
To assist clients in complying with the GDPR provisions applicable to data breaches, Baker McKenzie has launched a mobile "Data Breach 72" application. It is a multilingual app, with its first version in French and English. In a few clicks, "Data Breach 72": (i) makes it possible to identify the existence of a data breach within the scope of application of the GDPR, (ii) helps to establish whether it is necessary to notify the CNIL within 72 hours and, in that case, (iii) prepares an initial draft notification.