EU data protection law (GDPR) is a new era for corporate IT, Cyber and Data foundation. Part I of II



This introduction to the main components of the GDPR legislation addresses issues such as the conditions for processing employee data, restrictions on the rights enjoyed by data subjects, and the need to appoint a data protection officer. In future, it will be a criminal offence if a leak of personal information is due to a hacker; this forms part of an enhanced sanctions regime.

The GDPR is an EU Regulation that will apply uniformly across the EU. However, it contains a good number of provisions that explicitly require EU member states to expand on them in national legislation, or that allow member states to derogate in particular circumstances.

Employment data
Each EU country can implement its own rules on the processing of employment data.
There are conditions for processing employee data for standard work-related purposes. There are also strict rules on documenting any consent given by an employee, unless a template is the best solution given the particular circumstances in which the data is processed.

The GDPR provides a framework for the specific purpose of internal investigations. Processing employee data for internal investigation purposes can be justified if the employer has documented evidence that the employee has committed an offence. The investigation has to be reasonable in scope and necessary to expose further details. Any conflicting legitimate interests of the employees must not outweigh the need for an inquiry.

The employer-employee relationship is used as an example of consent.
The GDPR contains statutory guidance on what constitutes ‘freely given’ consent to data processing in the context of the employer-employee relationship. The GDPR states that consent is not ‘freely given’ if there is an apparent inequality in the relationship between the data controller and the data subject; in that case the consent is not a valid basis for processing the personal data.

Consent, on the other hand, will be considered ‘freely given’ if there is a financial benefit for the employee, or a similar interest shared by both employee and employer, arising from the processing of their data.

Once the law takes effect in May 2018, there will be many examples like the above that can serve as benchmarks to illustrate what counts as ‘freely given’ consent for employment data processing activities.

Restrictions on the rights of data subjects
Under the GDPR, individuals will have defined rights over their data, including qualified rights to access the data that organisations hold about them, as well as adequate rights to require correction or erasure of such data and the right to be forgotten. There are, however, exemptions to when these rights apply.

Appointment of data protection officers (DPOs)
Regardless of the GDPR rules, companies whose “core activities” consist of data processing must look into the benefits and advantages that a data protection officer (DPO) brings in meeting the role and its responsibilities.

These types of businesses require regular and systematic monitoring of data subjects on a massive scale. They are also IT- and data-intensive and process personal data permanently.

For other companies, where data controllers are obliged to perform a data protection impact assessment, or where commercial processing of personal data, anonymised transfers or similar activities take place, a DPO is perhaps a must regardless of the GDPR or the number of employees.

In the next newsletter we continue with issues such as processing data for research and statistical purposes, new criminal sanctions, data transfers (providing for challenges to EU ‘adequacy decisions’) and the EU-US Privacy Shield.