The protection of personal data concerning employees is regulated by, among other instruments, the GDPR.
The GDPR lays down conditions that must be met whenever an employer wants to collect or otherwise process personal data. Processing is only allowed for a legitimate purpose, such as the proper performance of the employment contract, internal communication or the handling of data in connection with recruitment. Processing is also allowed on the basis of the employee's consent, but that consent must be freely given, which is difficult to establish given the imbalance of power between employer and employee. The employer must keep a record of processing activities that sets out, for each processing operation: the purpose of the processing; which categories of data are processed and which categories of data subjects they concern; who receives the data, including any recipients outside the European Union; how long the employer retains the data; and the technical and organisational measures used to protect it. In certain cases the employer must also appoint a data protection officer, who supervises compliance with the GDPR. Employees also have rights over the data processed about them, including the right to obtain access to it and, where necessary, to request the correction of inaccurate data.
Biological tests, medical examinations and other ways of gathering medical information (including oral questioning) about the state of health of an employee or job candidate, or of their family, may only be carried out for reasons relating to the actual state of health of the person concerned in light of the specific requirements of the job. Predictive genetic examinations and HIV tests are prohibited. It is in general forbidden to collect data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or a person's sex life; this prohibition applies to employees in the same way as to anyone else. Such special categories of personal data may only be processed where the processing is necessary for a specific reason recognised by law, such as substantial public interest, the establishment or defence of legal claims, or obligations under employment and social security law.