As per 25 May 2018 the General Data Protection Regulation shall enter into force. The GDPR, in short, governs the processing of personal data of individuals within the European Union and also applies to the employment relation between an employer and its employees. Over the recent period we have identified several recurring questions in relation to the processing of employee data by employers, which employers may be unaware of but should familiarize themselves with. First, the employee’s consent in principle does not provide a legal ground for data processing. Secondly, third party service providers, e.g. pay roll administrators, are considered data processors and must therefore comply with certain obligations under the GDPR. Also, for such third party service providers employers must enter into data processing agreements. Thirdly, employers should be aware that data transfers to other group companies, e.g. parent companies, require a separate legal ground. If the transfer is outside of the EEA, additional requirements apply. Finally, we would like to draw your attention to the works council in this respect. In preparation of complying with all the requirements under the GDPR, employers in the Netherlands must take into account the works council’s right to consent to any implementation, amendment or withdrawal of policies regarding the processing of employee data by the employer. Employers should therefore be aware that policies in that respect, such as an employee privacy policy, an acceptable use policy, and a retention policy, must not only comply with the GDPR’s requirements but must also be consented to by the works council, prior to their implementation. Basically, all policies that concern the processing of employee data are subject to the works council’s consent.