Contact details, CVs, photographs and videos from corporate events are only a fragment of the data handled by HR specialists on a daily basis. HR departments process a large volume of personal data concerning current and former employees as well as job applicants. The General Data Protection Regulation (GDPR) requires employers to set new rules for this processing and to verify whether the consents they rely on comply with the GDPR. If they do not, penalties may apply.
In practice, existing consents are often ineffective or insufficiently informed (the employee did not receive the information on personal data processing that the GDPR requires).
The GDPR applies from 25 May 2018. Companies and organisations therefore have to prepare for the new rules on personal data processing now.
The key question is the legal basis for processing such data:
- Statutory duties – the duty to process personal data is stipulated by the Labour Code and by other legal regulations concerning health, pension and sickness insurance etc.;
- Performance of employment contracts (or agreements to work outside the scope of regular employment); and
- Legitimate interest – such as a CCTV system monitoring production (and thus also employees) for the protection of persons and property; this basis requires the employer to weigh its interest against the employees' rights and freedoms.
The possibility of relying on the employee's consent to personal data processing, which HR departments have often used so far, will be limited to a great extent by the new regulation. Consent will remain available only where no other legal basis applies, ie in the absence of a specific legal duty or where the employment contract does not impose any obligation in this respect. Which situations does this particularly involve? For example, an employer that wishes to publish photographs of its employees on the company's intranet should obtain its employees' consent to do so.
Step by Step: Employer’s Duties
1. In the area of HR, employers should map all of their personal data processing procedures to determine which employee data are actually needed beyond the scope required by law or by employment contracts.
2. For this purpose, it is advisable to maintain records of processing activities specifying the name and contact details of the company, the purpose of the processing, a description of the categories of data subjects and personal data, the categories of data recipients, any transfer of data to another organisation or country, the envisaged time limits for erasure of the data and a description of the security measures applied during processing.
3. It will be necessary to set up an internal personal data protection system in line with the GDPR requirements.
4. Furthermore, the existing consents in the area of HR will have to be reviewed and revised according to the GDPR requirements; this especially involves stating the full scope of and purpose for the personal data processing.
5. If the employer intends to use new technology for data processing, or where the processing will pose a significant risk to employees, it will be necessary to assess the impact of each such processing operation on personal data protection before the processing begins, ie to assess and address the related risks.
What is important? Do not forget that according to the GDPR, each consent must be freely given, specific, informed and unambiguous. Because of the imbalance of power between employer and employee, employees are rarely in a position to give, refuse or withdraw consent freely, which is why consent is a weak legal basis in the employment relationship.