2. PRIVACY REGULATIONS
Legal basis (legitimate reason) for processing personal data
Organizations need a legal basis (a legitimate reason) to process an employee’s personal data. Legitimate reasons include:
· The employee has given their consent to the processing
· Processing is necessary to fulfil parts of an employee's contract
· Processing is necessary in order to take steps at the request of the employee before entering into a contract (for example, on matters of pay in an employment context)
· Complying with a legal obligation (for example, a statutory requirement to keep employee records)
· Processing is necessary to protect the employee's vital interests (for example, where an individual's medical history is disclosed to the hospital treating them after a serious road accident)
· For the purposes of the legitimate interests of the organisation
Consent
Consent is a legitimate reason for processing employee data, and you should get consent if none of the other legal grounds above apply. You need to be aware of your obligations when requesting consent from employees. The GDPR states that consent must be 'freely given, specific, informed and unambiguous'. This means that the data subject must be aware that they are consenting to have their data processed and must not be forced into giving consent.
Before an employee gives consent to have their data processed, the employer must show that they told employees why their personal data is being collected, and how it will be used and handled. Silence, pre-ticked boxes or inactivity cannot be taken as consent. A data subject can withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it.
GDPR training and communication with employees and prospective employees
Employers must inform employees about:
· What personal data they will be collecting (or whether it will be collected by a third party)
· How the data will be processed
· Why the data will be processed
GDPR requires that certain information be supplied to job candidates before their personal data is collected and processed. This information must be clear and accessible and may take the form of a privacy notice on the website and a letter to the candidate. Employee training on data protection policies takes place once the candidate becomes an employee.
Data Subject Access Requests (DSARs)
Employers must have procedures in place to respond to personal data access requests from employees within 1 month. This can be extended by a further 2 months if requests are complex or numerous.
Security obligations
Data must be protected by ‘appropriate technical and organisational measures’. Data must be kept secure, for example, by using anonymisation, encryption, anti-virus security measures, or by backing up data. Employers must test these security measures and be able to show that they have complied with GDPR security obligations.
Record-keeping and the right to correct
Organisations should only keep data for as long as it takes to complete the task it was collected for, or as required by law. Employers should have a retention policy in place and be able to justify why data was retained.
Employees have the right to know what data an employer has on file about them and they also have the right to correct this data. What happens to employee data when a contract of employment is terminated should be documented in the HR policies.
Sharing and transferring personal data
Organisations using third parties, such as recruitment agencies or payroll providers, to process employee data are responsible for ensuring the third party is GDPR compliant and must have appropriate agreements in place. You must also comply with GDPR obligations about transferring data outside of the EU.
Data protection officer
Under GDPR, some organisations must appoint a Data Protection Officer[1], for example public authorities and bodies, government departments, organisations involved in large-scale data processing, and organisations that process sensitive or special category data.
Report breaches
Employers must report data breaches to the Data Protection Commission (DPC) within 72 hours of becoming aware of a breach. If they do not notify the DPC within 72 hours, they must provide a justification for the delay. Breaches that may harm a data subject, for example, identity theft, must also be reported to the person concerned.
Penalties
It is important to comply with the legislation and put adequate policies and procedures in place. Organizations can be inspected and could face significant penalties if their practices are in breach of GDPR.
[1] http://gdprandyou.ie/data-protection-officer/