[powr-countdown-timer id=5137ae2d_1491490870751]
There are organisations that despite all of the coverage that GDPR is getting still do not understand that GDPR applies to them. Unless you are a one-man band at the very least your organisation will be processing the personal data of your employees. The personal data of your employees is afforded the same protection under GDPR as the personal data of any other data subject. In processing the personal data of your employees you need to ensure that you are processing it in accordance with the principles of data protection (Article 5). I could fill pages on the application of the principles relating to the processing of personal data as it relates to employees but my brief is to be brief so we need to consider the issue that crops up the most in this area – the legal basis for processing personal data of employees.
For some reason, typically historically, a lot of organisations use consent as the legal grounds for processing personal data. The employment contract includes a clause permitting the processing of the personal data of an employee in any way the organisation sees fit – sorted! Not so quick – one of the ingredients of consent is that consent must be freely given. Due to the imbalance of power in the relationship between an employee and an employer this test is very difficult to satisfy. Therefore, an organisation really needs to be looking at alternative grounds (see Article 6) for lawfully processing the personal data of its employees. Realistically processing on the grounds that it is necessary for the performance of the contract between the employer and the employee and/or for the purposes of the legitimate interests of the employer are probably the most relevant.
If your organisation looks to rely on the legitimate interests ground then remember that you have to balance the legitimate interest of your organisation against the fundamental rights and freedoms of the data subject. It is all about proportionality. All employees have a right to privacy and you need to be balancing that right against the requirements of the organisation. The Article 29 Working Party (this is where the supervisory authorities of the EU come together and issue an opinion on an area of data protection legislation) has just issued an opinion on data processing in the workplace. I would suggest it is a must read for HR managers– you might be surprised by how the Article 29 Working Party views something that is accepted as the norm in your organisation! The document is very readable. So my advice – go get a coffee and get reading!
If you require assistance in relation to getting your organisation GDPR ready contact gdpr@ward.ie.
-
Insights