Personal data and employment according to the GDPR
Many of the routine activities performed in the field of labor relations include the processing of the personal data of employees. The processing of the personal data of employees takes place before the beginning of the employment – in the employment phase and continues for the duration of the employment, and may continue after its termination. Current innovations in human resources management, business organization, and information technology have intensified and expanded the collection of personal data for the needs of the workplace.
Any collection, use and storage of employee information may be covered by personal data protection legislation. It is not uncommon for an employer to monitor employees’ emails, their Internet access, or to collect employee data via video surveillance. The general rules for personal data processing also apply to the processing of personal data within the employment relations.
In the terms of personal data processing, employees are considered as personal data subjects, and employers as controllers of employees’ personal data. Employees have the right to be informed about the type of personal data that are subject to processing, for the purposes of processing, as well as for the entities to which the data are regularly submitted, the purpose and the legal basis for such operations. Employees’ representatives may gain access to their personal data only to the extent that is sufficient to enable them to represent the interests of employees, or in the event that such information is required for the performance or supervision of the performance of the obligations set out in the collective agreements.
Personal data collected for employment purposes should be obtained directly from each employee. The personal data collected for recruitment must be limited to the information needed to assess the suitability of candidates and their career potential. Critical data regarding the performance or potential of individual employees must be based on fair and honest assessments and must not be offensive in the way it is worded.
Sensitive personal data collected for employment purposes can only be processed in special cases and in accordance with the additional protection legal mechanisms. Employers may ask employees or job applicants about their health or may perform a medical examination only if it is necessary and in proportion to the job at which they will be working.
The data must be collected for specific, clear and legitimate purposes and not be further processed for purposes that are not compatible with the previous ones. Personal data must be relevant and not excessive. Employment records must be accurate and up-to-date. The employer must take appropriate technical and organisational measures in the workplace, which will guarantee that the personal data of the employees will be safe.
Employees have the right to access, correct or delete personal data in precisely defined legal cases. The employer may access the electronic communication in the workplace only on the basis of security or other special legitimate reasons, after the employees have been previously informed by the employer about such a possibility.
The processing of personal data for the needs of employment in many cases should rely on other legitimate grounds other than the consent of the employee, because employees
are almost never able to freely give, refuse or withdraw consent. Given the power imbalance, employees can give free consent only in exceptional cases, i.e. when they will not face any consequences of accepting or rejecting such personal data processing.
If you need legal help regarding employee data processing, click here to find out more.
