IAPP CIPT – Lawful Processing of HR Data, Contracts & Recruiting

1. Where do privacy and HR meet?

Hi guys. Let’s discuss about HR and privacy. Maintaining the balance between the protection of the privacy of the workers and the prerogatives of the employer can be tricky in several circumstances, such as in the case of body searches on workers, camera surveillance, geolocation interrogation of workers, curse hotline, the use of Internet, email and social networks, et cetera.

There are many laws that apply to this matter. It starts with Article Eight of the European Convention on Human Rights, which lays down rules concerning the protection of private and family life, the home and correspondence case law. Based on this article, stipulates employees have the right to privacy even in the workplace. Changes related to processing of HR related data The Commission wanted to create harmonization, but also look out for additional local rules in the HR context.

The main objective of the GDPR is to harmonize data protection laws throughout the European Union, where a group of companies is established in several European Union member states, the rules applicable to the processing of HR related personal data will now be the same. This is an important improvement for big multinationals, which are quite often struggling to comply with the 28 local flavors of European data protection law. There is, however, an important caveat to be made with regard to personal data in the employment context. The GDPR expressly authorizes individual member states to implement more specific rules in respect of the processing of HR related personal data.

This carve out means that specific rules regarding the processing of personal data for the purpose of recruitment, the performance of the employment contract, diversity, health and safety, et cetera, may still be adopted on a national level for HR professionals. It will therefore remain important to continue to follow national law developments in the field of privacy in the workplace. In addition to the more genetic or generic GDPR, the GDPR will not only apply to employers processing the personal data of their employees, but also to HR service providers that process such data on behalf of the employer. And these are called data processors.

This is an important change compared to the current legal framework where HR service providers, for example, social secretariats or providers of HR resources information systems, they have a contractual obligation in force of the employer, but are not directly accountable for complying with the data protection regulations.

The GDPR will also affect non-European Union affiliates of a multinational if all HR data is stored in a central system accessible to affiliates worldwide. While the mechanism for cross border transfers of personal data has not been materially changed compared to the existing rules, it will become more important for companies to have a good understanding of the different HR data flows within and outside of the group in view of implementing the required mechanisms to legitimize these cross border data transfers.

Especially since the European Court of justice ruled that the European US. Safe harbor can no longer be relied on for intragroup cross border transfers, binding corporate rules, or BCR will become a more important and attractive means of achieving compliance under the GDPR. BCRs are now expressly mentioned in the GDPR as a lawful means of transferring personal data to group companies outside the European Union, and the process for getting them approved has been further streamlined.

2. More difficult to rely on Consent

Hi, guys. So what about consent? This is a highly relevant topic in the context of Hirrelated data processing. Today, a lot of companies process personal data of employees on the basis of their consent. Over recent years, this approach has been increasingly criticized. Well, people questioned the validity of consent given by an employee on the basis that the letter did not really have a choice due to the hierarchical relationship and the imbalance resulting therefrom. Well, the GDPR wants to reinforce the value of consent given by a data subject. It therefore requires that consent be given unambiguously.

This means the consent must be given freely, specifically and on an informed basis. For the consent to be given freely, the refusal to give the consent should not be detrimental to the data subject. Moreover, when the consent is given through a declaration that also regulates other matters, the consent to the processing of data has to be clearly distinguishable from other matters to be valid.

So this means, again, that employers will need to carefully reassess the legal ground on the basis of which they process HR related data where they rely on consent. They will need to check whether they meet all the requirements imposed by the GDPR and bear in mind that free consent implies that it may be revoked at any time. In most cases, companies will need to move to one of the other legal grounds to continue to process HR related personal data.

This could be the contractual necessity example for the processing of employee payment data a legal obligation, for example, for the processing of employee data in relation to Social Security or the legitimate interest of the employer, for example, in the context of employee monitoring, however, the latter legal grounds all have their restrictions and must be narrowly construed. It may well be that a company will have to stop processing the data or limit the range of data process where it cannot rely on any of the legal grounds for processing laid down in the GDPR. The GDPR significantly enhances the rights of data subjects.

So, first, with regard to the rights to information, employers will need to provide more detailed information as to the how and why of the processing of HR related personal data. This long list of information to be provided aims at giving more transparency to the processing of data and by doing so, enhancing security.

Secondly, employees have a right of access to their data and the right to have inaccurate data rectified. These existing rights have been modified in order to bring more clarity, but they are not extended that much. Finally, under the new so called rights to be forgotten, employees will be entitled to require the employer to erase personal data about them in certain circumstances. This may be the case where the data no longer necessary for the purpose for which they were originally collected or where the employee has withdrawn his or her consent.

3. Data Protection Principles from HR perspective

Hi, guys. Let’s talk about data protection principles. From HR perspective. Under the GDPR, personal Data must be processed in accordance with certain principles. While these are broadly similar to those under the Data Protection Directive DPD, the wording has changed, and they all center around the concept of accountability. For HR teams, traditional justification for lawful processing of employee data may have to be revisited, together with the way in which the data is collected, used and retained. The GDPR requires that the data controller provide the data subject with information about his or her Personal Data processing in a concise, transparent and intelligible manner which is easily accessible, distinct from other undertakings between the controller and the data subject, using clear and plain language. For employers, transparency is achieved by keeping the employee or prospective employee informed, and this should be done before data is collected and where any subsequent changes are made. It is important to remember that data is not always collected directly from individuals, but may be derived from other data sets observed by tracking or inferred using algorithms.

The GDPR has a mandatory list of the information which must be given to individuals, where data is obtained directly from them, but also where it is obtained indirectly. Giving an employee or a candidate a genuine choice about data processing in order to rely on consent is going to be an issue for employers in achieving lawful processing. And you can see now that processing Personal Data is only permissible if and to the extent that is compliant with the original purpose for which data was collected. Processing for another purpose letter requires further legal permission or consent.

The only exception to this requirement is where the other purpose is compatible with the original purpose. Indications for this will be any link with the original purpose, the context in which the Personal Data has been collected, the nature of the Personal Data, the possible consequences of the intended further processing for data subjects, or the existence of appropriate safeguards. Data controllers must ensure that only Personal Data which is necessary for each specific purpose is processed in terms of the amount of Personal Data collected, the extent of the processing, the period of storage and accessibility. Under GDPR, data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

This links back to the purpose limitation. Employers need to make sure that they collect enough data to achieve their purpose, but not more data than needed. Well, Personal Data must be accurate and kept up to date, and this will be familiar from the DPD the old legislation inaccurate or outdated data should be deleted or amended, and data controllers are required to take every reasonable step to comply with this principle. Once you no longer need Personal Data for the purpose for which it was collected, you should delete it unless you have other grounds for retaining it. This means there should be a regular review process in place and methodical cleansing of HR databases under the GDPR. And like the DPD, personal data must be protected against unauthorized access using appropriate organizational and technical measures.

This goes to the hurt of protecting the privacy of individuals. Data controllers and processors need to assess risk, implement appropriate security for the data concerned and crucially, check on a regular basis that it is up to date and working effectively. There are strict breach reporting provisions in the GDPR. High profile data breaches can cause significant embarrassment and expense for businesses. The final principle under the GDPR states that data controllers must be able to demonstrate compliance with the other principles. This is a short sentence with major implications. One of the notable changes under the GDPR compared with the DPD is the increased compliance burden and much of which is parked by the accountability principle.

It is not enough to comply, so you have to be seen to be complying. The range of processes that employers have to put in place to demonstrate compliance will vary depending on the complexity of the processing, but may include, one, assessing current practice and developing a data privacy governance structure, which may include appointing a DPO two, creating a personal data inventory three, implementing appropriate privacy notices four, obtaining appropriate consent five, using appropriate organizational and technical measures to ensure compliance with the data data protection principles. That’s really important. Six, using privacy impact assessment and seven, in the last one, creating a breach reporting mechanism.

4. Consent_no_longer_an_option_for_HR

Hi guys. So is consent no longer an option for HR data? This is one of the questions you may ask. One of the commonly relied on grounds for lawful processing of HR personal data under the DPD is that it is done with employee consent. Under the GDPR, consent must be freely given, specific, informed and unambiguous. Given the imbalance of power between employees and employers, it will be difficult for consent to be freely given, which means it is unlikely to provide a valid basis for processing HR data. The GDPR explicitly states that account must be taken of whether the entering into of the contract is made conditional on the consent to the data processing.

Where it is not necessary to performance of a contract, well, the business people react and say that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual. For example, if you are a public authority or an employer processing employee data.

While it is possible to envision situations in which an employee does have a genuine choice and is able to withdraw consent concerning some of the data processed about them, these are likely to be extremely limited and employers should be very carefully about relying on consent in order to legitimize the processing of HR data. A term in a standard employment contract will certainly be insufficient and will no longer provide a fallback justification for processing HR data. Employers should also note that where consent is used as the basis for lawful processing, the data subject has the right to have their data erased under the new rights to be forgotten unless there are other legal grounds to justify processing. Other circumstances in which an employee can request deletion of data include where it is no longer necessary for the purpose for which it was collected.

Employers should therefore look to other grounds for lawful processing in order to justify the processing of HR data, such as legitimate interest, and we will discuss about that in the following lesson. This is something that ICO from UK is trying to draft and introduce. For the UK market business is located or with offices in other member states. We need to keep an eye out for local developments. For example, Germany is currently discussing a general written form requirement for employee consent, which would further raise the bar for national operations and would certainly make multinational concepts even more challenging, but in doing so seems to take a more positive view of the possibility of valid consent in an employer employee relationship.

In terms of special and formerly called sensitive personal data, any consent to processing has to be explicit. This is not a defined term in the GDPR, although the IQOS guidance suggests this means in words. But in the context of HR data, valid explicit consent is going to be very difficult to obtain, and employers will most likely need to rely on the derogation under GDPR article 92, which relates to the processing of special data in an employment context. Next.

• Category: Uncategorized