The General Data Protection Regulation (GDPR) places direct data processing obligations on employers at an EU-wide level. Under the GDPR, an employer can only process the personal data of employees under certain conditions. In all scenarios, such processing should be fair and transparent for a specified purpose and limited to the data necessary to fulfil that designated purpose. It must also be founded on one of the following six grounds, according to the Data Protection Commission:
- The consent of the employee concerned;
- A contractual obligation between the employer and the employee;
- To satisfy a legal obligation of the employer;
- To protect the vital interests of the employee;
- To carry out a task that is in the public interest; and
- In pursuance of the legitimate interests of the employer.
If an employer is relying on the legitimate interest clause to pursue the data of an employee, it must be satisfied that it does not affect the fundamental rights and freedoms of the employee concerned. If the employee’s rights override the interests of the employer, then the employer cannot process their data.
Access and portability under GDPR
Employees have the right to request access to their personal data, free of charge and in an accessible format, from their employer. If an employer receives such a request then they have to:
- Tell the employee concerned if they are processing their personal data;
- Inform the employee about the processing; and
- Provide a copy of the employee’s personal data that is being processed without undue delay and, in any event, no longer than one month.
With regard to the details surrounding the processing of employee data, such information would include the purposes of the processing, the categories of the personal data concerned and the recipients of the employee’s data.
When the processing is based on consent, or a contract of employment, the employee can ask for the personal data to be returned to them or transmitted to another employer. This is known as the right to data portability. Employers should be mindful that the right of access and the right to data portability are distinct rights and closely related. Employers should take due care to ensure that there is no confusion about which right is being exercised by their employees.
Accountability obligation under GDPR
Accountability is a common principle for employers with the principle requiring that employers put in place appropriate technical and organisational measures to ensure compliance with GDPR and, furthermore, be in a position to demonstrate a capacity to prove procedural and operational effectiveness, when requested.
In order to demonstrate compliance, employers should be able to demonstrate the following proofs:
- Adequate documentation on what personal data of their employees is being processed;
- How, and to what purposes, and for how long, the data of their employees will be held;
- An ability to demonstrate documented processes and procedures to tackle any data protection issues that arise; and
- The presence of a Data Protection Officer, if required under GDPR, who is adequately integrated into the planning and operations of the employer.
Establishing an inventory will enable employers to amend incorrect data or track third-party disclosures, which is something they are required to do under GDPR. In order to demonstrate compliance with the relevant data protection principles, employers should consider the following six questions:
- What data of employees are they holding and why are they holding it?
- How did they obtain this employee data?
- Why was the data originally gathered?
- How long does the employer intend to retain the data?
- How has the employer ensured security of employee data is maintained?
- Does the employer ever share employee data and, if so, what safeguards are in place?
Lawful processing under GDPR
In order to process the personal data of employees, an employer must have a lawful basis to do so. The lawful grounds for employers to process personal data are set out in Article 6 of the GDPR, which include:
- The consent of the employee;
- Performance of a contract (contract of employment or contract for services);
- Compliance with a legal obligation;
- Protection of the vital interests of the employee;
- Necessity for the performance of a task in the public interest; or
- Legitimate interests of the employer.
Transparency under GDPR
Employers that process employee personal data must provide those employees with information regarding the type of processing that is taking place and who is carrying it out.
This information must clearly state:
- Who the employer is;
- Why the employer is processing the employee data;
- On what legal basis the employer is relying when legitimising the processing;
- Whether or not the employee data will be transferred to another entity outside of the employer organisation;
- How long the employee data will be stored;
- The existence of the employee’s rights under GDPR, including the right to access, correction, erasure, restriction, objection and portability.
If an employer is relying on a legitimate interest as the legal basis for processing employee data, they must be in a position to clearly explain to the employee what that legitimate interest is. An employer must also clearly explain to its employees if and why it is transferring data outside of the European Union. If an employer is relying on consent as a legal basis for data processing, the employee must be aware as to how consent can be withdrawn. If there is a legal obligation to provide employee data, that must be explained to the employee. If an employer is processing by means of an automated decision-making mechanism, the employer must provide information about the logic underpinning the automated process and any consequences arising out of pertinent decisions derived, according to the Data Protection Commission. Employers should also be aware that an employee has the right to object to automated processing under GDPR.
Design and default under GDPR
The GDPR provides two critical concepts for employers which can help in their data project planning, namely Data Protection by Design and Data Protection by Default, principles that are enshrined under Article 25 of GDPR.
Data Protection by Design means that data privacy features and data privacy-enhancing technologies are embedded directly into the design of projects, which should be done at the earliest stage possible. Data Protection by Default means that the user service settings must be automatically data protection-friendly and only the data which is necessary for each specific purpose of the processing should be gathered.
Risk-based approach under GDPR
When an employer collects, stores or uses the personal data of their employees, the employees whose data the employer is processing may be exposed to risk. Employers which process the personal data of their employees should take steps to ensure that the data is handled legally, securely, efficiently and effectively to ensure compliance under GDPR. When carrying out a risk profile for the personal data that an employer has or processes relating to its employees, the employer should be mindful of the complexity and scale of the data processing being undertaken, the sensitivity of the data being processed and the protection required for the data that is being processed. The more complex or sensitive the data of employees being processed, the greater the expectation that certain safeguards have been put in place by the employer to ensure compliance under GDPR.
Recital 75 of GDPR outlines some of the tangible harms that an employer needs to consider when processing the data of employees including:
- The potential risk of discrimination;
- The potential for theft or fraud;
- The potential financial loss that would incur as a result of a breach;
- The opportunity for reputational damage in response to a breach;
- The opportunity for the personal data of employees to lose their confidentiality; and/or
- Any other significant economic or social risks.
Breach notification under GDPR
The GDPR introduced a requirement for employers to report the personal data breaches of employees to the relevant supervisory authority where the breach presents a risk to the affected employees within 72 hours of becoming aware of the breach.
When a breach could result in a high risk to the affected employee, the employer must inform that employee without undue delay.
Data Protection Officers
Under GDPR certain employers are required to appoint a designated Data Protection Officer (DPR). Employers are also required to publish details of their DPR and provide these details to their national regulatory authority.
An employer will be required to appoint a DPR where either of the following four conditions are met:
- Data processing is carried out by a public authority or body;
- The core activities of the employer consist of processing operations which require regular and systematic monitoring of employees or data subjects on a large scale; and
- The core activities of the employer consist of processing on a large scale of special categories of special data or personal data relating to criminal convictions and offences.
The GDPR is not a seismic change from the previously implemented data protection laws, but does represent a uniform codification of those regulations. So long as employers remain mindful that they must process personal data lawfully, fairly and in a transparent manner, they will have a solid platform for building a compliant data processing and retention infrastructure.