The EU General Data Protection Regulation (GDPR) from the Employer's Perspective
The GDPR will shortly introduce essential new and stricter requirements for the processing of personal data which will also affect employers.
Employers possess a magnitude of diverse information concerning their employees regulated by the GDPR, as the GDPR classifies any information relating to an identified or identifiable (natural) person as personal data.
Under the GDPR, employers may collect and keep only necessary and reasonable employee information: the personal data collected must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".
In the employment context, the necessity will be defined, among others, by the employer's ability to fulfil employer obligations (for example, the employee's social security number or bank account details will be crucial to perform many of the employer's key obligations).
WHAT WILL CHANGE AS OF 25 MAY 2018?
Although data protection laws affecting employment relations have existed for a long time and remain unchanged to a large extent, along with the GDPR, the importance and employees' knowledge of data protection laws will increase significantly.
As all processing of personal data requires a justification, this places a remarkable assessment duty on employers, and now, at the latest, employers must ensure that they indeed have a legal basis for their processing of personal data. Especially where the employer has justified its processing based on the consent of the employee, careful consideration will be needed.
For the employee's consent to be valid, it must be freely given, specific, informed and revocable. Further, according to the European data protection authorities' working group WP 29, there is an imbalance of power between the employer and the employee and, therefore, the consent of an employee is in most cases not seen as "freely given" as required under the GDPR.
For this reason, consent should only be relied upon in limited cases. Therefore, a key observation for many employers also once the GDPR has entered into force is that a plain clause in an employment contract will not be sufficient to justify all personal data processing.
DATA SUBJECTS' RIGHTS
Further, employers are also under an obligation to inform the employees of the processing of personal data. This is typically carried out by drawing up privacy notices / privacy policies. The GDPR will increase and tighten the information requirements of employers.
The privacy notices shall contain, among others, information about the employees' rights to remove, rectify and object to personal data collected. Further, employers shall also provide information about the reasons for collecting data, purposes for which the data is used, to whom the data will be disclosed, the legal basis (including possible legitimate interests) for processing of the data, systems for detecting and dealing with data breaches and consequences for the person not providing the data, only to name a few.
Such privacy notices are to be treated as public documents and are best stored where the employees will have easy access to them (for example, at company intranet sites or similar).
The GDPR introduces also new data subjects' rights, which will also apply to employees: the employee is entitled to know what information the employer has collected about him/her, as well as demand the rectification or deletion of inaccurate information and the right to demand the employer to erase all personal data concerning the employee (i.e. the right to be forgotten).
As a general rule, all information is to be deleted after it is no longer required. In Finland, the employee has the right to request for a certificate of employment even as long as 10 years after the termination of the employment, so basic information about the employment should be stored for this time.
Data processing
If the employer is using third parties to process personal data on behalf of the employer (for example, payroll services or international HR services), contracts with these third parties acting as data processors shall be concluded in writing and they shall contain the provisions stipulated in the GDPR. It is necessary to review the existing contracts with data processors against this backdrop.
Furthermore, for employers employing at least 250 employees, the GDPR introduces an obligation to maintain a record of processing activities. Also employers employing less than 250 employees may be obligated to keep a record, depending on the nature of their activities.
The required contents of the record include e.g. purposes of the processing, a description of the categories of data subjects and personal data as well as information about the disclosures and transfers of personal data. The record must be made available to the supervisory authority (Data Protection Ombudsman) on request. Keeping a record of processing activities is not a one-off exercise. Employers must also ensure that the required documentation remains accurate and up to date.
Under the GDPR, the use of automatic decision-making in e.g. recruitment processes will be subject to strict new requirements and appropriate safeguards as further stipulated in the GDPR must be implemented.
While the above is only a high-level outline of the employers' duties under the GDPR, and although many of them have already existed, at least to some extent, also before the GDPR, employers are recommended to conduct a GDPR compliance assessment of their activities. A breach of the GDPR obligations may even lead to a fine of up to 4 per cent of the employer's global turnover or a maximum of 20 million euros, whichever is higher.
Moreover, it must be borne in mind that in Finland, the current Act on the Protection of Privacy in Working Life that provides for further and more detailed obligations on employers is currently under review and an amended act is likely to enter into force soon.