The countdown is ticking: From May 25, 2018, the new General Data Protection Regulation (GDPR) will apply.
This means that companies face considerable legal changes, which will affect the processing of employee data in the HR area in particular and require contracts and company guidelines/procedures to be adapted to the mandatory provisions of the GDPR.
With the following three-part article, we would like to give you an overview of the mandatory provisions that apply to personnel work from 25 May 2018 in view of these significant legal changes, and to point out practical solutions for implementing any organizational steps not yet taken with regard to data protection compliance.
As of May 25, 2018, employers must comply with the provisions of the EU General Data Protection Regulation (GDPR) and sec. 26 of the new Federal Data Protection Act when processing employee data as data controllers.
It should first be noted that the basic principles of data protection set out in Art. 5 GDPR, such as transparency, purpose limitation and data minimization, must of course also be observed in connection with the entering into, performance and termination of employment relationships.
Violations of these principles may be punished by fines of up to 20 million euros or up to 4% of a company's total annual worldwide turnover of the preceding financial year, whichever is higher (cf. Art. 83 (5) GDPR). The GDPR stipulates that sanctions for violations must be effective, proportionate and dissuasive.
In our opinion, it cannot be ruled out that the responsible data protection authorities will carry out random investigations at companies to check compliance with data protection law, particularly in connection with employee data. It is more likely, however, that a whistleblower will provide the relevant information, anonymously if necessary, to the responsible data protection authority for it to act upon. This could be an employee who has an ongoing legal dispute with the employer, or an action by a works council and/or trade union triggered by an internal dispute.
In the following articles, we would like to answer a few questions that are typically asked in order to reduce the complexity of processing employee data, and to point out any remaining need for action.
1. What exactly is the legal basis for the processing of employee data?
As of May 25, 2018, the processing of personal employee data is essentially governed by the GDPR, a regulation under European law that applies directly in the EU member states without the need for a further transposition act by the respective national legislators, and by the newly enacted sec. 26 of the Federal Data Protection Act. As a rule of thumb, the GDPR provides the general framework, which national legislation may specify in more detail for the employment context (cf. Art. 88 para. 1 GDPR in conjunction with sec. 26 of the new Federal Data Protection Act).
2. Which employee data can I even process as an employer?
Sec. 26 para. 8 of the new Federal Data Protection Act determines who is to be regarded as an employee within the meaning of the new data protection law. In addition, Art. 88 (1) GDPR in conjunction with sec. 26 para. 1 of the Federal Data Protection Act defines for which purposes personal data of employees may be processed at all. Accordingly, personal data of employees may be processed for the purposes of the employment relationship if this is necessary for the decision on whether an employment relationship will be established (e.g. application documents), for its performance or termination after it has been established (e.g. name, address, bank details etc.), or to fulfil obligations arising from a law, a collective agreement, a works agreement or a service agreement. The concept of necessity plays an important role here. A case-by-case weighing of interests must be carried out to ensure that the processing of employee data is actually legitimate. Developing a simple matrix of permissible data items for certain job descriptions can make the work of the HR department much easier.
3. Can we process employee data (e.g. transfer of employee data to non-European countries) on the basis of the employee’s consent?
Yes, this is possible in principle. It is now also generally accepted that an employee can give voluntary, and thus effective, consent. This had often been doubted in the context of a relationship of subordination such as employment. This reservation is ultimately also reflected in sec. 26 (2) of the new Federal Data Protection Act, according to which the dependence of the employed person in the employment relationship and the circumstances under which consent was given must always be taken into account when assessing whether consent was voluntary. It further states that voluntariness may exist in particular if the employed person obtains a legal or economic advantage or if the employer and the employed person pursue similar interests. In the employment relationship, consent must continue to be given in writing unless another form (e.g. text form) is appropriate due to special circumstances. The declaration of consent must also have a certain content, which is ultimately determined in accordance with Art. 7 (3) GDPR. Extreme caution is therefore required when drafting declarations of consent. For each individual processing operation involving employee data, it should be carefully examined whether a declaration of consent by the employees can really constitute a suitable legal basis in the respective case, or whether an alternative or additional route should be sought. Please also note that higher hurdles apply to special categories of personal data of employees pursuant to sec. 26 para. 3 of the new Federal Data Protection Act.
(Proceed to Part 2)