Data protection in an employment context
If you have employees, your use of their personal data is also governed by the GDPR, besides any national provisions that apply to your employer-employee relationship.
This means that you cannot just record or monitor your employees or obtain information about them from public sources or third parties, if this does not happen in compliance with the GDPR.
A particularity with employees is furthermore that it is very difficult to rely on their “consent” to process their information, because you as an employer are in a hierarchical position towards your employees. Consequently, most consents that they would give you, would not be “free” consents and therefore cannot be considered as a valid consent for you to process their personal data.
The other way around, you must ensure that your employees and staff:
deal safely with ICT and personal data,
understand the importance of data protection.
These policies inform and teach your employees about the importance of data protection and the points of attention they need to apply when using your ICT infrastructure and/or handling personal data and about how their own personal data is processed.
Furthermore, you also have an obligation to make sure your employees are aware of the importance of privacy and data protection, by raising awareness about this subject, for example by organizing trainings and information campaigns.
National law always applies
When dealing with employees you should always consider that employment law is mainly governed by national law. Therefore, you will have to apply the principles of the GDPR in combination with the applicable national law provisions.
Rules and policies
Essentially, the rights and obligations will be governed by the following policies:
ICT Policy, in which you describe how the employees must use and are allowed your ICT infrastructure (including the devices and software) and how they can be monitored while using these.
Data Policy, in which you describe how your employees should handle personal data
Camera Surveillance Policy.
These documents do not have to be separate documents and can all be part of one or more broader documents.
For these documents to be binding, it is most likely required under your national employment law that your work rules and/or employment contracts are amended accordingly.
You should avoid relying on your employees’ consent to process their personal data.
Your employees are supposed to be your subordinates, are in a weaker bargaining position than you as their employer and are therefore considered not to be able to refuse their consent. Most consents provided by an employee will therefore not be considered as “free” consents and will therefore be void.
The only situation in which you, as an employer, can rely on your employees’ consent, is when the consent relates to a clearly minor and unimportant matter, under which the employee cannot fear in any way that refusing their consent may be held against them later on.
As an employer, it is your duty to ensure and prove (because of your accountability obligation) that you have duly raised awareness among your employees about the importance of data protection and privacy.
Therefore, you should not only organize trainings and information campaigns, but also make sure that you can prove that these happened.
You must also inform job applicants about how and why you will process their personal data.
Note that you:
cannot retain information about applicants eternally (data minimisation and storage limitation), generally a maximum retention period of 2 years appears to be acceptable, except if specific circumstance justify a longer retention period or if you obtain consent to retain this personal data for a longer period,
that you can only request information from them that is relevant for the job (data minimisation) and allowed by law. If you want to obtain sensitive information of your applicants, such as an extract of their criminal record, you will in many EU countries only be allowed to do so if you have a legal obligation or entitlement to request this information,
Legal bases to process your employees’ personal data
In general, you will process your employees’ personal data based on the following legal grounds:
Contractual obligation: if you need to process their personal data to be able to perform your obligations. For example, you need to know their name and address to be able to enter an employment contract with them.
Legal obligation: if you are required by law to process specific information. For example, in many countries you may be required by law to process the employee’s social security number and information about their family, for example to communicate with the social security service.
Legitimate interest: if you have a legitimate interest to process some personal data of your employee of job candidate, that overrides the interest of your employee/candidate not to have its personal data processed. This applies, for example, when you access public information about applicants.
Consent: if you need to rely on consent to be allowed to process personal data of your employee. As described above, it should be avoided as much as possible to process personal data of an employee or of a job applicant based on their consent.
How can you ensure that your employees process personal data, and make use of your ICT environment, in a secure way?
In this blog post on the SMOOTH website, you can find several practical tips and guidelines on how you can organize your ICT environment in a secure way.
Time for action!
Verify if you comply with the requirements above and implement the described policies.
Make sure to also verify national legislation.