Employers, especially Human Resources departments, process the personal data of their employees for a number of different reasons, including recruiting, keeping personal files, and paying salaries and premiums. In addition to employment law, the processing of employees’ personal data in the employment context will be subject to the Law no. 6698 on the Protection of Personal Data (the “Law”).
After an overview of the legal grounds for processing employee data, we will address certain employee data issues frequently encountered in practice.
Legal grounds for processing employee data
Under Article 5 of the Law, personal data, including employee data, may only be processed on the basis of one of the following legal grounds:
- the data subject has given explicit consent to the processing of his/her personal data,
- the processing is expressly permitted by law,
- the processing is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of consenting,
- the processing is necessary for, and directly related to, the execution or performance of a contract to which the data subject is a party,
- the processing is mandatory for a data controller to perform his/her legal obligations,
- the personal data has been made available to the public by the data subject himself/herself,
- the processing is necessary for the establishment, usage or protection of a right, or
- the processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not outweighed.
In the context of an employment relationship, the processing of employee data will usually be necessary for the performance of the employment contract, because employers are required to process employee data in order to fulfil their obligations under that contract; e.g., processing their employees’ bank account details to pay salaries. Another common legal ground is the need to comply with a legal obligation, where employment law directly requires employers to process employee data. This is the case for keeping personnel files, or making declarations to the social security institutions and paying the related premiums.
If none of the above legal grounds exists, data protection law in principle allows for the processing of personal data on the basis of an individual’s consent, which must be specific, informed and freely given. It is, however, unlikely that consent obtained from employees could qualify as freely given, since employees may fear losing their job or suffering other adverse consequences if they refuse consent. Therefore, explicit consent should not generally be used as a legal basis for processing employee data, given the nature of the employer-employee relationship.
Relying on a legitimate interest as a legal ground for processing is possible if and when the employer can demonstrate such legitimate interest and the processing complies with the principles of proportionality. The legitimate interest exemption should only be treated as a last resort, meaning that employers should only rely on this exemption when the other legal grounds for processing do not apply. In addition, this exemption requires a balancing test between the legitimate interest of the employer and the fundamental rights and freedoms of the employees, which should not be disproportionately affected. This may imply that the employer should adopt appropriate measures to protect its employees’ rights.
Issues frequently encountered with employee data
Data processing in the recruitment process
In the recruitment process, it is essential for the employer to be able to assess the qualifications of a candidate and whether he or she will be a good fit for the offered position, before deciding to enter into an employment contract. Therefore, while the data is initially submitted by the candidate on a consent basis, the legitimate interest of the employer and, if the candidate is eventually hired, the execution of a contract, can constitute legal grounds for the processing of the candidate’s personal data throughout the recruitment process. The data should not, however, be processed or stored beyond what is necessary, in particular if the candidate is not recruited at the end of the process. In addition, a separate assessment is required for the transfer of such data to third parties, including group companies. In this respect, the Data Protection Board has ruled that (i) the transfer of personal data within group companies must be considered as a transfer to third parties, and therefore the conditions set out in the law for a lawful data transfer should be met, and (ii) without the explicit consent of the job applicants, the transfer of personal data within group companies by means of a jointly used database violates the Law.
Use of information technology
New technologies enable employers to carry out monitoring activities through different devices, such as desktops, vehicles, mobile phones and wearables used by their employees.
To ensure transparency and fulfill the obligation to provide mandatory information to data subjects, employers have to inform their employees of the existence of any monitoring activity. In this context, in addition to the information obligation, it is important to determine the employees’ expectations as to how their activities will be monitored at work or at home.
The legal ground for the data processing performed as part of monitoring activities will often be the legitimate interest of the employer. Indeed, the employer has a legitimate interest in protecting its business from significant threats, such as preventing the disclosure of confidential information to competitors. The use of this legal ground, however, requires a balancing test taking into account employee fundamental rights and freedoms, as well as the implementation of appropriate organizational measures. Prior to the deployment of any monitoring activities, employers should consider whether the intended monitoring is proportionate to the threats and concerns they are trying to address, and whether other less intrusive means can be implemented to monitor employees while protecting their privacy.