By Marta Kapko GDPR compliance, meaning, rights

Data Protection in the Workplace: Employer Guidance

Failure to comply can result in a significant fine imposed by the Supervisory Authority. For example, in 2020, the Data Protection Authority of Hamburg imposed a 35.3 million euro fine on H&M for violation of Articles 5 and 6 of the GDPR. In particular, specific details about the lives of some employees of H&M (illnesses, medical diagnoses, religious beliefs, and family problems) were comprehensively recorded and stored as information on a network drive. This fact became known when the H&M servers encountered a technical error, and the data on the network drive became accessible to all employees for a few hours.

Find out the essential steps that employers should take for GDPR compliance in our article.

Personal data & employment relations

According to the Irish Data Protection Commission (DPC) Guidance, employee emails, Outlook calendars, and job descriptions are not personal data (but they could be under specific circumstances).

Name in a work email address

If the email address is, for example, JohnSmith@abc.ie, it is likely to be considered personal data since it sets out the full name of the individual and enables the identification of the individual.

Employee emails

It is unlikely that the content of an email written by an individual in their professional or work capacity would be considered personal data. However, if a subject access request is made, employers have an obligation to examine the content of their commercial or business emails to determine if the information in the email, even if it is signed off by an employee, qualifies as the employee’s personal data.

Outlook Calendar and Job Description

The job description and outlook calendar are not considered personal data in accordance with the definition outlined in Article 4(1) of the GDPR.

Employer’s obligations concerning employee’s data under the GDPR

Since employers act as controllers of the data of their employees, they shall be able to demonstrate compliance with data protection principles set in Article 5 of the GDPR, in particular, lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.

Lawfulness, fairness, and transparency

Employers are obligated to provide individuals with clear and transparent information regarding the purposes for processing their personal data and the legal bases on which they rely. To demonstrate transparency in the workplace, an employer can implement an easily accessible HR self-service system that enables employees to view the data held by the employer and understand how it is used.

Notice for the employee

Furthermore, the employer shall provide notice to employees about the processing of their data. Employers have the option to fulfil this requirement by including the necessary information in an employee handbook or a dedicated notification document provided to all new employees. The notification must be kept up to date, and employees should be notified when new purposes for data processing are added.

According to the Regulation, the notice must provide sufficient detail to enable employees to understand the following:

the purposes for the processing,
the legal basis,
what the legitimate interests are,
when that ground is relied upon,
the recipients of their data,
where the data will be transferred to,
and for how long their employer will retain their data.

Purpose limitation

Personal data should only be collected for specified, explicit, and legitimate purposes.

It should not be further processed in a manner that is incompatible with those original purposes.

For example, if an employer collects an employee’s private email address solely for the purpose of communicating specific HR matters before the employee’s employment begins, the employer cannot later use that email address for a different purpose or share it with another organisation without a lawful basis. This is because such subsequent processing would likely be incompatible with the original purpose for which the email address was collected.

Data minimisation

Indeed, employers are required to assess the necessity of processing personal data. The processing should be adequate, relevant, and limited to what is essential for the intended purposes. Any processing that goes beyond what is necessary may lack a valid legal basis.

Accuracy

The accuracy principle requires employers to take measures to ensure that the personal data they collect and process about their employees is accurate and kept up-to-date.

Storage limitation

Employers should only keep personal data in a form that permits the identification of a data subject for as long as is necessary for the purposes of the processing. Time limits should be established for the erasure of personal data to ensure data is not kept for longer than necessary, and those time limits should be subject to periodic review.

Generally, while an individual is employed, the employer has a legitimate reason to retain the employee’s data. However, once an employee has left their job, the legitimate reasons for retaining their data are likely to diminish.

Different local laws require employers to retain employee data. These include obligations under company law, employment law, health and safety law, etc.

Integrity and confidentiality

Employers should ensure they implement and process personal data using “appropriate security.” Article 5(1)(f) of the GDPR gives examples of these security measures as “including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Legal basis for processing

For processing personal data to be considered lawful, it must be based on the relevant legal bases for each specific purpose.

Consent

Contract

Legal Obligation

Vital Interests

A task carried out in the public interest

Legitimate interest

Art. 6 (1) (a) of GDPR

Art. 6 (1) (b) of GDPR

Art. 6 (1) (c) of GDPR

Art. 6 (1)(d) of GDPR

Art. 6 (1) (e) of GDPR

Art. 6 (1) (f) of GDPR

*A measure of last resort

The processing of salary information and bank account details so that wages can be paid.

There needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract.

The employer is usually required under national law to provide details on salaries to the local tax authorities.

Situations involving threats to the life or health of the data subject or another person.

Processing employee data related to occupational health and safety regulations or ensuring compliance with legal requirements imposed by public authorities.

For example, when an employer carries out a structural systems change to migrate employee data from an old payroll system to a new one.

Consent as a legal basis

It is recommended to use consent as a legal basis for processing only in exceptional cases.

Why?

Consent must be a freely given, specific, informed, and unambiguous indication of the employee’s wishes signifying the agreement to be valid. Recital 43 of the GDPR specifically states that consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and controller.

Article 29 Working Party Guidelines on consent states that it is problematic for employers to process the personal data of current or future employees on the basis of consent as it is unlikely to be freely given. Employees may indeed feel pressured to provide consent for the use of their personal data due to concerns that refusing consent could negatively impact their employment.

Therefore, when consent is not free, it is not valid.

Processing special categories of employee data

In addition, if an employer is processing special categories of data such as health data (for example, medical certificates or occupational health reports), the employer must ensure that it complies with one of the exceptions specified in Article 9 of the GDPR.

Furthermore, in a number of jurisdictions, the extent to which sensitive employee data can be processed depends on the accompanying employment or labour law. For example, the Labour Code in Poland sets out the data that an employer is entitled to ask for from an employee or job candidate.

Technical and organisational measures

In accordance with Article 24 (1), the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.

National law

As a controller, the employer must consider the national employment law. It is essential, in particular, in the engagement with works councils.

Works councils can play a role in determining the processing of employees’ personal data, as they are responsible for safeguarding employee rights, including data protection and privacy rights. Failing to involve the works council in such decisions, especially in certain countries, can render the data processing unlawful. In such cases, the works council may have the right to seek an injunction, and the employer may face financial penalties. As an example, under the German Works Council Act, a works council has the authority to object to the use of employee monitoring devices, which involves processing personal data.

Read more about employer monitoring and data protection in our previous article.

Conclusion

Therefore, the employer as a data controller shall act in compliance with data protection rules and follow the aforementioned recommendations:

Ensure compliance with data protection principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality).
Take into account the national employment law (in particular, requirements to engage with works councils).
Use consent as a legal basis for processing only in exceptional cases (it is unlikely to be freely given).
Pay special attention to national law requirements for processing sensitive employee data (there may be requirements to seek the authorisation of the DPA to process sensitive data on employees).
Provide notice to employees about the processing of their data.
Comply with retention periods provided in national law.

Legal IT Group would be delighted to assist you in setting up the personal data processing of your employees with the requirements of the GDPR.