EU GDPR requires special, restricted handling of employee HR data

Processing human resources (HR) data is one of the biggest challenges for organizations working to meet the requirements of the European Union's General Data Protection Regulation (GDPR) by the mandatory deadline of May 25, 2018. HR is considered a high-risk business function, with a high likelihood of data subject complaints, regulatory enforcement actions, and fines for non-compliance.

From a monetary perspective, the GDPR sets two tiers of administrative fines, depending on the severity of the infringement:

  • First tier – fines of up to 10 million euros (roughly $12 million) or 2% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher
  • Second tier – fines of up to 20 million euros (roughly $24 million) or 4% of total worldwide annual turnover, whichever is higher

Employees considered “vulnerable subjects” under the GDPR

While the GDPR provides a uniform regulatory framework across all EU jurisdictions, HR data must be treated under special conditions, differentiating it from most consumer and business-to-business (B2B) data.

HR data can contain sensitive information about employees, such as racial or ethnic origin, health data, and criminal history. The GDPR places conditions on processing such data (special categories under Article 9, and criminal conviction data under Article 10), so employers must comply with additional restrictions and safeguards. In addition, Article 37 of the GDPR requires employers to designate a data protection officer (DPO) when the organization's core activities include regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data.

Employers may also have to observe country-specific data protection requirements

Under Article 88 of the GDPR, EU member states may set more specific rules or stricter conditions for processing employee data in the employment context. The GDPR sets a minimum standard, and member states are permitted to raise it. Germany has already done so with its revised national data protection law, which imposes more stringent requirements on employee monitoring and the processing of employee data.

Employers must also comply with country-specific labor laws

Each EU country has its own labor laws, with their own controls on how organizations process and retain employee data. Employers will have to contend with these labor laws in addition to country-specific data protection laws and collective agreements.

For many employers, fulfilling local labor board obligations will take priority over implementing GDPR-compliant HR data programs. However, labor unions and works councils will weigh in on the negotiation and formalization of GDPR-compliant HR data processes, and in doing so will advocate for employee rights under the GDPR.

Organizations must be prepared for works council claims on behalf of disgruntled or former employees, especially where improper data processing led to an adverse employment decision. Companies whose employees are represented by labor boards or works councils should complete their GDPR compliance programs well in advance of May 25, 2018.

Employers cannot rely on employee consent to process HR data

The Article 29 Working Party (WP 29), an advisory body made up of data protection regulators from each EU member state, has advised that employees are generally unable to give freely given consent for the collection, processing, and transfer of their HR data. This guidance, which differs from the consent guidelines for consumers and customers, cites the imbalance of power between employers and employees. Employers must therefore establish another lawful basis for collecting and processing employee information, such as to:

  • Fulfill the employment contract
  • Comply with legal requirements
  • Advance a legitimate interest of the employer

To rely on legitimate interests, an employer must carry out and document a balancing test (often called a legitimate interests assessment) that weighs its interest against the rights and freedoms of the employee, and must be able to show that its interest is not overridden by them. This is distinct from a data protection impact assessment (DPIA), which Article 35 requires only for high-risk processing. The employer must then explicitly state the legitimate interest it relies on in its employee privacy notices.

The GDPR places special restrictions and protections on employee monitoring

Due to the nature of the workplace, employers monitor employees far more than they monitor consumers. A company may track and restrict an employee's computer activities, monitor their social media activities, and/or track employees' locations through mobile devices and GPS trackers. It is also common for a workplace to be secured through video surveillance systems that routinely capture and record employees' likenesses. WP 29 has therefore issued specific guidance, with recommended safeguards, on employee monitoring.

Employers must conduct HR DPIAs

Article 35 of the GDPR requires a DPIA where processing is likely to result in a high risk to the rights and freedoms of natural persons, which will often be the case for employee data. A DPIA is required in particular where any of the following apply:

  • A type of processing, in particular one using new technologies, that is likely to result in a high risk to the rights and freedoms of natural persons
  • A systematic and extensive evaluation of natural persons' personal aspects that is based on automated processing
  • Profiling based on automated processing, on which decisions are based that produce legal effects concerning, or similarly significantly affect, the natural person
  • Large-scale processing of the special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10
  • Systematic monitoring of a publicly accessible area on a large scale

Ensure your organization is prepared to meet EU GDPR obligations

Any US company that processes the personal data of individuals in the EU must comply with the GDPR's HR data requirements. Any US parent company or agency that monitors the behavior of individuals in the EU, including the work performance of EU employees, must comply with the GDPR. If you need direction to achieve compliance, IT Governance – the leading international GDPR training provider – offers classroom and online US training courses.

Certified EU GDPR Foundation and Practitioner Combination Course
Over the course of five days, you will gain an in-depth understanding of the Regulation and learn how to ensure your organization meets the GDPR's requirements. Our information security expert will explain the tools and methods for implementing and then managing an effective compliance framework. If your organization needs a DPO, you will learn how to fill the role according to the size and scope of your implementation.

Certified EU GDPR Foundation Distance Learning Training Course and Exam

An ideal way to learn at your own pace about the Regulation and its legal implications for organizations, the Foundation course will prepare you for the GDPR. The qualification you receive upon completion is a prerequisite for the GDPR Practitioner course.