The EU General Data Protection Regulation 2016/679 of April 27 (“GDPR”), which applies directly since May 25, 2018 with no need for transposition, means that all companies operating in the European Union must follow new policies, processes, and practices in management of the personal data of their customers, users, suppliers, and employees.
Below we outline the new standards for companies regarding employees’ personal data. It represents a major paradigm change that, together with the significant sanctions (fines may reach €20 million or 4% of the gross revenue of the business group to which the company belongs), will make this matter indispensable for human resources departments.
- Purposes of personal data collection
The data that companies can collect and process from now on as part of the employment relation are limited to those that are adequate, relevant, and necessary for the fulfilment and performance of the employment contract.
In the field of employment, data processing will be legitimate when it is required for the performance of the employment contract (e.g., a presence monitoring system), or when it is necessary for the fulfilment of a legal obligation applicable to the company (e.g., payroll). Consent will be required only when there is no other legal basis for processing. There is little room for that within an employment relationship, e.g. in those cases in which data collection is due to organizational issues or secondary services, such as recording the employees’ image for commercial purposes or taking out health insurance. Moreover, the necessary guarantees must be provided to ensure that the employees’ consent is free, specific, informed and unequivocal.
- Qualified information for employees
The information to be provided about data processing is more extensive than that established in the current Spanish regulation. Some of the main new developments are the obligation to inform about the purposes of data processing, the legal basis for the processing, the data controller’s contact information, and the period during which the personal data will be kept. This information must be provided at the time the employees’ personal data is obtained in the case of new hires; current employees must also be informed about the points required by the GDPR.
- New employees’ rights
In addition to the traditional rights of access, rectification, cancellation, and objection (known to date as the “ARCO” rights), new rights are recognized, such as the right “to be forgotten”, whose exercise by employees is limited during the employment relationship, although it could become relevant once the relationship has ended. The new Regulation also introduces the right to object to profiling or profile segmentation, which prevents companies from making decisions based solely on automated processing. This new right becomes very significant with the introduction of artificial intelligence systems or highly automated processes in organizations.
- Information for employees’ representatives
Considering the powers of surveillance and control provided by the Workers Statute, each specific case must be examined to assess to what extent the company must inform the employees’ legal representatives. Considering the latest AEPD decisions (imposing sanctions on companies for excessive disclosure of personal data to the committee negotiating a collective procedure), the company must find a balance between good faith in negotiations and the requirements for legal data transfer imposed by the new Regulation.
- Data Protection Officer (DPO)
The companies affected by the GDPR must, under certain conditions, appoint a DPO (either internally or by outsourcing the position to a third party). DPOs must act independently and have the resources required for performing their duties and for maintaining their specialized knowledge. Although the GDPR does not grant DPOs the status of employees’ legal representatives or equate their rights and guarantees with those of that legal figure, DPOs cannot be dismissed or penalized in reprisal for the performance of their duties.
- Impact assessments and security breaches
Companies are now obliged to conduct a prior impact assessment for any data processing that involves a significant risk to employees’ rights, which would include, for example, any technological presence monitoring.
Moreover, when the company suffers a security breach that places the personal data it processes at risk, it must notify the AEPD and the affected employees without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- Codes of conduct
This is the right time to review internal policies or codes of conduct on the use of technological tools implemented by companies, not only to apply the new data protection regulation, but also to adapt their contents to the European Court of Human Rights judgment issued in the case Barbulescu II v. Romania (see blog post here), as well as to the impact of new technologies in the workplace.
- Video surveillance
The procedure for the installation and use of video surveillance cameras in the company must also be reviewed in light of the European Court of Human Rights judgment in the case López Ribalda and others v. Spain (see blog post here), which establishes that, in order to install fixed cameras, employees must be clearly informed in advance about their purpose, under the provisions of the data protection regulations. Moreover, the current text of the Draft Organic Act on Data Protection (currently going through the parliamentary approval process) includes a specific article on video surveillance.
- International data transfer outside the EU
Transfers of personal data to countries that do not guarantee the same level of protection as that established in the GDPR must meet a number of requirements. In the case of companies located in the US, it must be verified whether they adhere to the Privacy Shield. If so, personal data can be transferred to those companies with no need to meet additional requirements.
- Update of contracts with suppliers
Finally, any agreements entered into with suppliers or contractors that have access to the company’s personal data (e.g., in the field of employment, those that provide payroll management or recruitment services) must be updated to adapt them to the new GDPR requirements.