GDPR: New HR obligations? Adapted tools at your disposal.
A few weeks before the General Data Protection Regulation (GDPR) becomes applicable, everyone is focusing on the actions to be taken to comply with the new rules that apply as of 25 May 2018. Human resources management involves the processing of a great deal of personal data, so special attention must be paid to the compliance of the processing of workers’ personal data.
The GDPR is an opportunity to define a clear, transparent and secure policy for the processing of personal data that could only be beneficial to your reputation as an employer. Compliance with the regulation will allow you to avoid many inconveniences in individual or collective negotiations. In addition, the penalties are high in the event of a breach.
The regulation is built around the following idea: the data controller must be able to ensure that the data is processed only for the legitimate purpose that has been announced, only to the extent necessary for that purpose, accurately and securely (the principles of lawfulness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality).
All companies and organizations that collect, process or store personal data of individuals in the European Union must comply with the GDPR, regardless of the nationality of those individuals.
The purpose of the GDPR is:
- to protect individuals against the abusive processing of their personal data and, consequently, to protect their privacy;
- while allowing the free flow of data in the European Union.
To do this, the GDPR:
- has provided for uniform application throughout the European Union;
- has strengthened the control/rights of the persons concerned;
- has strengthened the transparency and information on the processing that has been put in place;
- has strengthened penalties, with administrative fines of up to 4% of total worldwide annual turnover or EUR 20 million, whichever is higher.
Consequences for Human Resources
Human resources management involves the collection and processing of a great deal of data that must be mapped into an internal registry.
Any company or organization with 250 or more workers is required to map its processing of personal data by keeping a register of processing activities. Companies employing fewer than 250 workers are also subject to this obligation where their processing is not occasional, is likely to result in a risk to the rights of the persons concerned, or involves special categories of data. In practice, a large majority of employers will be required to keep such a processing register. The processing of personal data is likely to occur several times during the life of the employment contract:
Application and recruitment
At the time the data is received, the future employer must inform the candidate about the collection, processing and storage of the personal data and obtain the candidate’s consent (checkbox on a website, written consent, return email, etc.).
Processing of personal data occurs as soon as a candidate applies (sending a curriculum vitae or a cover letter, creation of a candidate file, etc.). From that moment, you have the obligation, as data controller, to inform the candidate of how you intend to use the data collected. Before making any use of the data, you must therefore ensure that you have obtained the candidate’s consent and can prove it.
In addition, you will not be able to retain or store your candidates’ data indefinitely. Thus, it is not possible to keep the curricula vitae of your candidates under the pretext that you might need them “someday.” You may retain them only for the duration you announced to the candidate, and only for as long as is necessary.
When recruiting or receiving applications, you should therefore:
- inform candidates about the processing involved in their application;
- obtain prior consent to the processing of their personal data (written authorization or checkbox on the electronic platform) and keep a record of it;
- determine a policy for storing the data collected during recruitment.
Additional information should also be provided where recruitment takes place outside the European Union, where the recruitment involves individual decisions based solely on automated processing (for example, a chatbot screening candidates), or where you work with recruitment agencies.
Conclusion of the employment contract
The employer must identify the legal basis for the processing and inform workers about the personal data processed and its purpose. Personal data is collected to enable the execution of the employment contract, and an amendment to the employment contract containing this information should be submitted for the signature of each worker.
The conclusion of an employment contract requires the processing of personal data. This processing may rest on different legal bases (in particular: necessity for the execution of the employment contract, a legal obligation, or consent). Given the imbalance between the employer (data controller) and the worker, the validity of consent given at the conclusion of the contract will be questionable: consent that the worker cannot refuse without losing the job is hardly freely given. Processing will therefore ideally have to rest on another legal basis in each case, most often the necessity for the execution of the employment contract.
The conclusion of the employment contract is an opportunity to adequately inform workers about the personal data concerning them that will be processed. You will also need to inform the workers of the recipients of their data (such as processors like the social secretariat that handles payroll). In addition, the transfer of data outside the European Union must also be subject to the provision of information and, in some cases, the consent of the worker. Finally, special attention should be paid to the processing of special categories of data (such as health-related data), which is in principle prohibited but for which exceptions exist.
In order to meet these information requirements, we advise you to submit a separate amendment to the employment contract for your workers’ signature, informing the worker of the categories of data processed and the purposes pursued. This document must also be submitted for signature to workers already in service when the GDPR becomes applicable.
Life of the employment contract
Transparency is essential in the processing of personal data. Some data may not be used without clear and adequate prior information about your processing. This can be a serious handicap, for example, in the context of a subsequent dispute.
As the employment contract is executed, a great deal of personal data will be collected and processed: payroll data, career management information (evaluations, disciplinary sanctions, internal mobility, etc.), data relating to the worker’s involvement in collective life (social elections), information related to the use of the company’s equipment (computer, mobile phone, GPS, etc.) or resulting from the security measures put in place (badge, video surveillance, etc.).
This information may only be processed by the employer if a legal basis permits it and prior information has been given to the workers. If the right to use some of this information is not secured today, it will be difficult to use it later (for example, in the context of a dispute upon termination of the employment contract). The conclusion of an amendment to the employment contract as described above is therefore essential.
It will also be important to ensure that other regulations related to the use of certain tools (e.g. video surveillance) are respected and to adapt existing policies and work rules.
End of the employment contract
A clear and transparent exit procedure is essential to avoid data leaks at the end of the employment contract and to ensure everyone’s security. The role of the employer is therefore to define these procedures and not to keep the data of departed workers beyond what is required.
When an employment contract ends, certain measures must be adopted to determine the fate of the data collected but also to ensure everyone’s security. It is therefore essential to define an exit procedure providing for at least:
- the fate of email boxes/email;
- the return of devices provided and the fate of the data contained therein;
- the fate of the worker’s personal file;
- the end of access to the company network, buildings, etc.;
- the retention period for the various items collected.
Period after the end of the employment contract
Worker data should be kept long enough to comply with your legal obligations and to deal with any possible legal proceedings. An analysis of the applicable statutory retention periods and limitation periods is therefore necessary to determine the appropriate retention period for the data.
The personal data of former workers may be kept no longer than is necessary for the purposes for which it is processed (storage limitation).
Every employer must therefore define a retention period for the data it collects. The timing of data deletion will depend on:
- the existence of a legal basis for preservation (for example: retention periods for social documents required by law);
- the length of the limitation periods (keeping the data long enough to deal with any legal proceedings);
- the existence of specific company needs.
The retention period may vary from one company to another and from one item of data to another. The employer must, however, be able to justify its choice of retention period.
The employer must also take care to organize its archiving properly and to securely destroy its workers’ records, whether on paper or in electronic form, once the retention period has expired.
It is not too late to comply with the GDPR or to improve the procedures in place. Anticipate and supervise your personal data processing to ensure the safety of all.
The GDPR is not limited to the human resources of a company. This component alone already involves a great deal of processing that must be supervised.
In order to help companies manage this processing, the GDPR has created a new role in data processing, namely the Data Protection Officer. This officer must inform and advise the data controller, monitor compliance, and cooperate with the supervisory authority, for which he or she is the point of contact within the company. Such an officer may be external to the company and is required for:
- public companies and public bodies;
- companies whose core activities consist of large-scale processing of special categories of personal data (e.g. a hospital);
- companies whose core activities consist of processing that, by its nature, scope and/or purpose, requires regular and systematic monitoring of individuals on a large scale (e.g. a recruitment company).
In order to verify the compliance of your company with the GDPR, you principally must:
- be able to map the processing of personal data;
- be able to demonstrate that this processing is done, in technical and organizational terms, in accordance with the GDPR (establishment of internal rules such as regulations and contracts, and processes to demonstrate the legal basis of the processing, its purpose, the information given to workers, minimisation, etc.);
- ensure that the subcontractors/processors to whom you entrust the processing of your workers’ data themselves provide sufficient technical and organizational guarantees of compliance, and conclude agreements with them containing the provisions required by the GDPR;
- establish security procedures and ensure that this security is maintained where data is transferred outside the European Union;
- establish procedures to respond to data breaches, including notification of the supervisory authority within 72 hours of becoming aware of a breach and, where the breach is likely to result in a high risk to the workers concerned, notification of those workers without undue delay.
Reliance can help you with these tasks – including taking on the role of Data Protection Officer in your company. Do not hesitate to visit our webpage https://reliancelaw.be/en/gdpr dedicated to the GDPR, on which you will find some standard documents. We remain at your service. Do not hesitate to contact us.
Stéphanie De Ridder