Because of the sensitive nature of employee personal data, the variety of data, the varying methods of collection, the number of different HR processes involved and the potential number of recipients (processors, other controllers, third parties), it is especially important to focus specifically on any unique requirements for the handling of employees’ personal data.
Data protection compliance must form an integral part of employment practices, from recruitment all the way through to retirement. Identify the person(s) within the organisation responsible for ensuring that employment policies and procedures comply with the GDPR and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice.
Determine the purposes for processing as well as their legal bases. If special categories of (sensitive) personal data are collected, ensure that a special condition / legal basis is satisfied. Eliminate the collection of personal data that is irrelevant or excessive to the employment relationship.
Assess what personal data about employees is in existence and who is responsible for it. Ensure that departments and individual line managers who process information about employees understand their own responsibility for data protection compliance and, if necessary, amend their working practices in the light of this. Ensure that all employees are aware of how they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer’s policies and procedures. Make serious breaches of data protection rules a disciplinary matter.
The recruitment and selection process generally involves an employer in collecting and using information about employees and prospective employees. Much of this information is personal in nature and can affect an employee’s privacy. This process could involve external service providers. They too must comply with your organisation’s policy and rules.
Running an organisation necessarily involves keeping records about employees. Such records will contain information that is personal in nature and can affect an employee’s privacy. Maintaining the protection and quality of this information is vital.
Monitoring at Work
Monitoring is a recognised component of the employment relationship. Many employers carry out monitoring to safeguard employees, as well as to protect their own interests or those of their clients. However, where monitoring goes beyond one individual simply watching another and involves the manual recording or any automated processing of personal data, it must be done in a way that is both lawful and fair to employees.
Employees’ Health Data
The requirements for special categories of personal data come into play whenever an employer needs to process information about employees’ health. These requirements do not prevent the processing of such information but limit the circumstances in which it can take place. It’s important to know when you can (or cannot) disclose employees’ health information and also to whom it may be disclosed.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018