Just before Christmas and after years of negotiations, the EU institutions agreed on the text of the EU's new privacy legislation: the General Data Protection Regulation (GDPR).
The GDPR will replace the “patchwork quilt” of the laws of 28 different EU member states with a single, unified data protection law, which will lead to a significant increase in data protection harmonisation across the EU.
In addition to harmonising the EU data protection legal framework, the GDPR has three main objectives:
First, the GDPR increases the rights of individuals.
Second, it strengthens the obligations of companies.
Third, the GDPR greatly increases the sanctions for non-compliance. Data protection regulators will be entitled to impose fines of up to 20,000,000 euros or 4% of global annual turnover. In addition, regulators may prohibit processing or suspend data transfers; taken together with class actions, criminal sanctions and reputational damage, it is clear that non-compliance with the GDPR will not be an option.
For these reasons, GDPR can be said to be the most important change in the data privacy law of the past two decades.
In addition, it will affect all businesses around the world, because every organisation has employees and contacts, even if it has no individual customers.
In this article, we will outline the most significant changes that GDPR will bring from a human resources perspective. Employers process large amounts of personal data related to human resources every day. How will they be affected by GDPR and what steps should they take to comply with this new set of rules?
- Where do privacy and human resources meet in the workplace?
Maintaining the balance between worker privacy and employer prerogatives can be tricky in several situations, such as physical searches of workers, camera surveillance, geolocation, worker interrogation, whistleblowing hotlines, internet usage, email, and social networking. … there are many laws that apply to this matter.
The first is Article 8 of the European Convention on Human Rights, which sets out the right to respect for private and family life, home and correspondence. Based on the case law under this article, employees have a right to privacy even in the workplace.
At the national level, Article 22 of the Belgian Constitution deals with privacy, while Article 29 deals with the confidentiality of correspondence. Article 314bis of the Criminal Code deals with the interception of telecommunications; this provision also covers the interception of emails.
The Employment Contracts Act also stipulates the rights and obligations of employers and employees, in particular in Articles 16 and 17, as does Collective Labour Agreement (CLA) No. 81 on the protection of employees' privacy with respect to the monitoring of electronic online communication data in private-sector workplaces. This list is not exhaustive.
In addition, employers process private information about their employees, and in this area there will soon be some major changes. You will find an overview below.
- Handling of HR-related data: harmonisation, but watch for other local rules in the HR environment
The main goal of the GDPR is to harmonise data protection laws across the EU. If a group of companies is established in several EU member states, the rules applicable to processing HR-related personal data will now be the same everywhere. This is an important improvement for large multinational companies, which often find it difficult to comply with the 28 local variants of EU data protection law.
However, there is an important caveat for personal data in the employment context. The GDPR explicitly authorises the member states to implement more specific rules for the processing of HR-related personal data.
This carve-out means that specific rules regarding the processing of personal data for recruitment, performance of the employment contract, diversity, and health and safety can still apply at the national level.
Therefore, for HR professionals, in addition to the more general GDPR, it remains important to follow the development of national law in the field of workplace privacy.
- Broader scope and global impact
The GDPR applies not only to employers who process their employees’ personal data but also to HR service providers (“data processors”) who process such data on behalf of employers. This is an important change compared to the current legal framework, under which HR service providers (such as a social secretariat or an HRIS solution provider) have obligations only towards the employer and are not directly responsible for compliance with data protection regulations.
If all HR data is stored in a central system that is accessible to affiliates worldwide, the GDPR will also affect the non-EU affiliates of multinational companies. Although the rules on cross-border transfers of personal data have not changed significantly compared to the existing ones, companies would do well to gain a better understanding of the different HR data flows within and outside the group, so that they can put in place the mechanisms needed to legitimise these cross-border transfers, especially since the European Court of Justice has ruled that the EU-US Safe Harbor can no longer be relied on.
For cross-border transfers within a group, binding corporate rules (BCR) will become a more important and attractive means of achieving compliance under the GDPR. The GDPR now explicitly mentions BCR as a legitimate means of transferring personal data to group companies outside the EU and further simplifies the approval process.
- More difficult to rely on consent
This is a highly relevant topic in the context of HR-related data processing. Today, many companies process employee personal data on the basis of consent. In recent years, this approach has received more and more criticism.
The validity of employee consent is questioned because, given the hierarchical relationship and the resulting imbalance of power, employees cannot really make a free choice. The GDPR aims to strengthen the value of the consent given by the data subject; therefore, explicit consent is required.
This means that consent must be given freely and on an informed basis. For consent to be free, refusing to give it must not be detrimental to the data subject.
In addition, when consent is given in a statement that also covers other matters, the consent to the data processing must be clearly distinguishable from those other matters.
This means that employers need to carefully reassess the legal basis on which they process HR-related data. If they rely on consent, they will need to check that they meet all the requirements of the GDPR, bearing in mind that freely given consent can be revoked at any time.
In most cases, companies will need to move to one of the other legal bases for (continuing to) process HR-related personal data. This may be contractual necessity (for example, processing employee payroll data), a legal obligation (for example, processing employee data for social security purposes) or the legitimate interests of the employer (for example, in the context of employee monitoring).
However, the latter legal basis has its limitations and must be interpreted narrowly. It is likely that some companies will have to stop processing certain data, or limit the range of data processed, because they cannot rely on any of the legal bases specified in the GDPR.
- Respect the increased rights of your employees
The GDPR significantly enhances the rights of data subjects.
First, in terms of the right to information, employers will need to provide more detailed information on how and why they process HR-related personal data. Providing this long list of information is designed to increase the transparency of data processing and thereby strengthen legal certainty.
Second, employees have a right of access to their data and the right to have inaccurate data corrected. These existing rights have been clarified, but not substantially expanded.
Finally, under the new so-called right to be forgotten, employees have the right to ask their employer to delete personal data about them in certain circumstances. This may be the case where the data is no longer necessary for the purpose for which it was initially collected, or where the employee has withdrawn his or her consent.
- Responsibility – The company must be able to demonstrate compliance
The GDPR introduces many new obligations for companies that should lead to a shift from paper compliance to real, demonstrable compliance in this area. In return, the obligation to notify processing activities to the data protection authority will be abolished.
Instead, the GDPR expects companies to implement a series of measures, such as appointing a (mandatory) data protection officer, conducting (mandatory) privacy impact assessments, (mandatory) prior consultation with the data protection authority before new data processing activities begin, and keeping a record of all processing activities.
These new obligations will have a major impact on how companies handle projects involving the processing of personal data.
- Implement a data breach notification procedure
In line with the accountability principle, the GDPR introduces a general obligation to notify data breaches. While most US companies are already familiar with this concept, it will be an important change for many EU companies, and one they are not particularly looking forward to.
If a company suffers a data breach, it will generally have to notify the data protection regulator within 72 hours. If notification is not made within 72 hours, the delay must be justified. If the breach concerns HR-related data, the employer must also notify the affected employees without delay if the breach is likely to result in a high risk to their rights and freedoms. To avoid notification fatigue, the GDPR contains some exceptions to this rule, for example where the data was encrypted.
It is difficult to overstate the importance of the GDPR, and it is clear that it will have a major impact on all businesses. Employers need to assess their current HR-related processing activities very carefully and identify the gaps with the GDPR. Based on this gap analysis, they need to update existing procedures and implement the mechanisms necessary to meet the new obligations. Failure to do so may result in significant fines or other enforcement measures that could seriously impede their business.
Although the GDPR will only take effect in about two years, it is crucial to start preparing for the transition to the new regime as soon as possible.
In fact, the scale and breadth of the changes will require significant time and resources to ensure that the company’s data processing policies and IT environment comply with the new rules.
In addition, the Belgian Secretary of State for Privacy, Bart Tommelein, has said that Belgium will amend the current Privacy Act before the GDPR takes effect. This means that some of the obligations under the GDPR will apply in Belgium before the regulation itself comes into force. A similar approach may be taken in other EU countries.