A year has passed since the General Data Protection Regulation (GDPR) entered into force on 25 May 2018. The main purpose of the regulation is, in the age of pervasive smartphones, social media and online banking, to give individuals more control over what data about them is processed.
The GDPR also applies to employment relations where the employer processes personal data of employees.
A reminder – what is personal data?
Personal data relates to an identified or identifiable natural person who can be identified, directly or indirectly, by reference to their physical, psychological, physiological, economic, cultural or social traits, relations and affiliation. Personal data is all data that can be directly or indirectly linked to the individual. Pursuant to the GDPR, personal data is categorised as general and special category data. General category data includes the individual’s name, personal code (ID code) or date of birth, place of residence, the person’s image, including security camera recordings etc.
Special categories of personal data is information about race or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health records or data about the individual’s sex life or sexual orientation.
Processing of personal data in employment relations
To process personal data, the employer must define the purpose of processing – specify why and on what lawful basis the personal data is processed.
There are two lawful bases for processing an employee’s personal data – performance of a contract and employers’ compliance with legal obligations. As the data controller the employer must ensure that the personal data is processed in compliance with the GDPR and other applicable legislation.
Personal data processing in recruitment
To what extent may a job applicant’s personal data be processed in the recruitment process? Do the applicants need to give their consent for a background check? Can social media be used to gather information about an applicant? These are some of the many questions that arise in regard to processing of personal data in the recruitment process.
An employer may process personal data that the applicant has submitted to the employer in the recruitment process – their CV and related documents (such as recommendations from a former employer, documents certifying education etc.).
Prerequisites for a background check
Does an employer have the right to use social media to collect information on applicants or employees? They must make sure to use only appropriate channels and information disclosed by the applicant themselves. If a person has published information about themselves on a public website or a blog and the information comes up in a simple internet search, a separate consent doesn’t need to be asked. Checking an employee’s Facebook profile is also allowed as long as only the publicly available data is viewed. Prior consent from an employee or an applicant is needed if the employer contacts their friend or current employer to get references and/or feedback.
It would be wise for an employer to include the company’s privacy notice in a job ad. The privacy notice needs to state how the company processes personal data in the recruitment process, what the purpose of processing is, what the legal basis for processing is and the terms of data retention. It is recommended to keep CVs collected in the recruitment process for one year after the end of the recruitment, as based on the Equal Treatment Act, job seekers can claim discrimination and may challenge decisions to turn them down for a position. Thus, employers have a legitimate interest to retain data until the end of dispute period.
Consent as a lawful base of processing employees personal
The consent is only one of the lawful bases set forth in the GDPR for enabling processing of personal data. Consent as a lawful basis in employment can be used as an exception not a rule as an employer has the power in employment relationship and employee’s consent wouldn’t freely given nor retractable. As said above, the lawful basis for processing personal data in an employment relationship is performance of contract or the employer’s legal obligation.
By its nature, consent must as easily retractable as given at any time, so an employer asking an employee’s is consent to sign their employment contract is entirely incorrect. For the purposes of concluding an employment contract, the employer processes the employee’s personal data for performance of a contract, which means that there is already a lawful basis for processing and it would be misleading to ask for additional consent.
If asked for consent, the employee has the right to withdraw their consent at any time – when in fact even if they do “withdraw” consent, the employer still is obliged by law to process the personal data. As an example, consider a situation where the employee withdraws consent upon termination of employment relationship and asks the employer to delete their personal data. The employer has a legal obligation to retain the employment contract for 10 years and the actual lawful basis for processing in this case is in fact fulfilling legal obligation and is not dependent on consent.
Consent in employment relationships can be used to regulate issues pertaining to internal procedure, such as publication of employee’s picture on the website, posting their date of birth on the intranet, processing a child’s personal data for arranging Christmas gifts etc.
To retain job applicants CVs collected in recruitment, for example to notify them of potential vacancies, applicants must give their consent.
The employer must operate in a legally correct manner
To sum up, it is important for employers to make sure they are up to date with personal data protection rules to ensure the proper processing of personal data in the company and avoid any costly legal problems.
The employer is the controller of the employee’s personal data and as such the employer is obliged to notify the employee of the purpose of processing, the lawful bases of processing and the retention periods of personal data. To achieve this, we advise reviewing the company’s internal procedures, where the above-mentioned principles and purposes of processing should be detailed. Furthemore, any changes in internal procedure need to be introduced to employees. The internal rules of work also need to include when the employer has the right to check the content of employees work email accounts or how access to devices and systems is organised. It is also very important to train employees to process personal data securely and ensure that they know what types of employee personal data the employer processes.