IAPP CIPT – Lawful Processing of HR Data, Contracts & Recruiting Part 2

5. Legitimate interests

Hi guys. Let’s discuss about legitimate interest. Another frequently relied on basis for lawful processing of HR data is that it is in the legitimate interest of the business to do so. Under the GDPR processing will be lawful where it is necessary for the purposes of the legitimate interest pursued by the controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subjects which require protection of personal data in particular, where the data subject is a child. Well, until recently the equivalent provision in the DPD was heavily relied on by employers to justify data processing.

But recent case law from the Core Justice of the European Union has made it clear that you cannot simply argue that you have satisfied the legitimate interest test because it is in your economic interest to process the data. So, for example, there may be a legitimate interest in monitoring employees. But in order to help ensure that the employer’s interests are not outweighed by the rights of the employees, there must be full transparency about what monitoring takes place and for what purposes, together with appropriate safeguards well necessary for a performance of a contract or to comply with a legal obligation. And let’s debate about that.

Processing will also be lawful where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps of the data subject’s request prior to entering into a contract. And this includes employment contracts and also, for example, where it is necessary in order to comply with a legal obligation. These grounds are helpful to employers, but they should remember that the purpose limitation and data minimization principles will apply and may have a bearing on how much data may be collected and what it can be used for.

Will all Member States approach employment data in the same way? Well, although the GDPR provides for a more uniform approach to ensuring data protection compliance across Europe, there are of course permitted derogations. One such example is Article 88 of the GDPR, which allows for Member States by operation of law or collective agreements to provide more specific rules to safeguards the processing of employees personal data within the employment context. The article further sets out that this may be in relation to data processed for a variety of purposes in the employment cycle, from recruitment to health and safety at work.

The extent to which Member States choose to exercise these delegated powers to reflect their current practices or to strengthen protection around employee personal data remains to be seen. So what does this mean? In practice? Employee consent to the processing of their personal data is unlikely to be held to be valid under the GDPR. Employers should begin looking now at the grounds on which they have processed HR data to date and consider whether these need to change under GDPR.

The most likely ground for lawful processing of HR data will be that it is in the legitimate interest of the employer to do so. In order to ensure that the rights of employees are not unfairly compromised, there must be full and transparent disclosure of what data processing is taking place and for what purposes. While identifying an alternative lawful ground for processing is unlikely to be difficult in the employment context, the Purpose Limitation and Data Minimization principle may restrict the range of employee data which can be collected and what that data can be used for. Employee will need to give thought to each separate category of employee data and which they process for sure and record the grounds for lawful processing upon which they rely in each and every case.

6. Pseudonymisation

Hi guys. Let’s discuss about cell dynamization, where GDPR introduces a new concept of cellonimization, meaning the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without additional information. Seldom nimus and cellanus data will still be treated as personal data, but may potentially be subject to fewer restrictions on processing if the risk of harm is low.

It requires that the key necessary to identify data subjects from the coded data is kept separately and is subject to technical and organizational security measures to prevent inadvertent ray identification of individuals or personal data within the data set. Currently, the practice around the varied across European Union states, which is unhelpful for multinational employers. European Union wide guidelines to add detail to the GDPR provision are expected, which should help employers navigate this area, and employers should keep these practices under review. So what should employers be doing? Well, these changes are wide ranging and have implications for the structure and processes of a business.

The new regime is complex and HR teams are advised to undertake careful review and planning ahead of implementation. So they should first review current data protection policies and practices, including existing employment contracts, stuff handbooks and employee policies. Ensure there is full transparency over the nature of HR data processing in terms of the data used, the purposes for which it is used, and where it is processed.

Second, where consent has been relied on to justify processing of HR data, consider an alternative and make sure this is recorded. Third, consider the geographical span of the business. Note Also, certain European Union member states have indicated that they are considering putting in place more stringent requirements than those set out under the GDPR, although this does not currently include the UK. Then, assess business needs and identify employees who will require early training on the new reforms with a view to rolling out revised data protection training for all employees nearer to the date of implementation. And finally, appoint someone within the organization to oversee compliance. As with the reform.

7. Cross Border HR Data Transfers under GDPR

Hi, guys. In terms of crossborder transfers, the general principles under the GDPR looks much the same as under the Data Protection Directive or DPD. The whole legislation data can be transferred under a Commission adequacy decision, like the one used to give effect to the European Union U. S. Privacy Shield. The GDPR contains details of how this should be reached or with model clauses or binding corporate rules, which are BCRs for intragroup transfers. The good news for employers wanting to transfer employee data crossborder is that their current arrangements may continue to be valid under the GDPR, although in terms of the UK Brexit may have an impact.

The GDPR explicitly acknowledges as valid the current requirements for BCRs for controllers and processors, which is helpful for data transfers involving those member states that do not as yet recognize BCRs. Under the GDPR, model clauses may be used without such prior approval. Further, employers are likely to be able to use a new regime of transfers based upon certifications, provided that binding and enforceable commitments are made by the controller or processors to apply the appropriate safeguards.

In addition, under the GDPR, there will still be limited possibilities to transfer data where it is necessary for the performance of a contract or with the consent of the data subject, although this is likely to be difficult to achieve in an HR context. As discussed in the previous lessons, the GDPR makes it clear that it is not lawful to transfer personal data out of European Union in response to a legal requirement from a third country. It also imposes significant penalties for breaches, including non compliance transfers.

All of this will be relevant where employers wish to transfer employee data abroad. Perhaps in order to keep employee data in a central global HR function or in the context business expansion and acquisitions, employers will need to think ahead on all these points. Those providing information as part of Tube tiup transfer business sales or funding round, for example, will need to consider whether they have sufficient grounds to make the necessary transfers.

8. Changes to employee data management under GDPR

Hi guys. Let’s discuss about changes to employee data management under GDPR. Well as the implementation of general data protection or GDPR approaches, businesses need to consider what this might mean in terms of cultural, structural and practical changes that may be needed in order to meet the new requirements, particularly in in relation to employee data likely to be the biggest risk area for many employers. Many of the concepts under this new GDPR, while new for the UK and some European Union member states, are not so new for others.

Germany, for example, has been at the cutting edge of data protection developments and the number of the requirements under the GDPR either reflect current German practice and thinking or are not far removed from them. Increased employee rights under the GDPR, employees as data subjects will have greater rights. The good news for UK employers is that many of these rights are similar to those under the current UK Data Protection Act from 1999. The bad news is that as a general rule, the GDPR expands the rights under the DPA, introduces a funeral rights and deposes significant penalties for breaches.

In summary, under the GDPR, employees as data subjects have the following rights the rights to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used. The right of access similar to those rights under the DPA and encompassing the ever popular subject access requests the rights to rectification of data that is inaccurate or incomplete. Again similar to the DPA, the rights to be forgotten under certain circumstances and the rights to block or suppress processing of personal data similar to the DPA. And in the end, the new Rights to Data Portability, which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances. Accountability and Privacy by design and let’s discuss about that.

Accountability is arguably a continental concept at its core, and not necessarily a concept that the UK or newer member states are that familiar with. The new accountability principle requires businesses to demonstrate that they comply with the data protection principles and states explicitly that it is their responsibility to do so. In practice, this means that employers will have to put in place appropriate measures to ensure that they demonstrate the compliance, and this may include internal data protection policies such as, for example, staff training, internal audits of processing activities, and reviews of internal HR policies that maintain relevant documentation on processing activities.

Then, where required, appoint a Data Protection Officer or DPO that implement measures that meet principles of data protection by design and data protection by default, such as data Minimization field anonymization transparency allowing individuals to monitor, processing and creating and improving security features on an ongoing basis. And the last one use data protection impact assessments where appropriate, as well as the obligation to provide comprehensive, clear and transparent privacy policies if the employer has more than 250 employees. It must maintain additional internal records of its processing activities. This is likely to place further costs and administrative burdens on employers. At the heart of the GDPR is a change in focus from high risk matters to more routine ones, effectively on anything that impacts a data subject.

• Category: Uncategorized