In this second of our series of GDPR blogs, we explore how creative agencies need to be aware of GDPR in terms of the information that they hold on employees. Consent is important when it comes to consumers, but how does this, alongside people’s right to request and remove data from your records, apply in the context of your employees? Ultimately, the storing and use of data on your staff is essential to run a creative agency, so being clear on GDPR is not up for debate.
Employees already have many rights when it comes to the data their employer stores about them. GDPR expands these rights, introduces some new ones and increases the penalties for employers who fail to comply.
Employees have the following rights under data regulations:
- the right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used;
- the right of access to the data that you hold on them;
- the right to rectify data that is inaccurate or incomplete;
- the right to delete data you hold on them;
- the right to block or suppress processing of personal data, under certain circumstances;
- the right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services, again under certain circumstances.
Most of these rights have been in place since the Data Protection Directive came into force in 1995, so they should not pose a significant challenge for HR leaders, even if they are implemented slightly differently in the laws of the respective member states.
These rights aside, a key challenge is the issue of consent. When it comes to EU citizens, consumers’ consent – if no other legal permission exists – is everything, and you cannot hold data on them without their consent. When an EU citizen is an employee, however, consent is no longer central. A key factor is that under GDPR, and earlier data protection legislation, consent has to be freely given. The Information Commissioner in the UK, for example, has issued guidance saying that the nature of the relationship between an employer and employee raises the question of how freely such consent can be given. The German legislature has even defined when consent may be freely given by an employee in its Federal Data Protection Act. According to that law, consent may be freely given if it is associated with a legal or economic advantage for the employee or if the employer and employee are pursuing the same interests. Furthermore, it’s worth keeping in mind that under GDPR consent can be withdrawn by the EU citizen at any time, again resulting in issues for employers.
In an employment situation, basing your right to hold and process data on the basis of consent is therefore pretty shaky. Many employment contracts include a clause where the employee consents for their employer to hold information on them. Contracts should therefore be reviewed as this is not a sound basis for controlling or processing data.
GDPR, as well as local member state laws, allows for other avenues to hold and process data beyond consent. However, an employer needs to be clear right from the start on which basis they intend to hold this information. Under GDPR, these legal bases include:
- legitimate interest of the employer;
- necessity for the performance of a contract;
- compliance with a legal obligation;
- protecting the vital interests of the data subject or of another natural person;
- necessity for the performance of a task carried out in the public interest.
For example, employers have a legal obligation to keep a record of sick days of employees to facilitate the payment of statutory sick pay. Another example would be the need to process employees’ bank account details so that they can be paid. This constitutes a necessity for the performance of a contract.
However, while there are a range of legal reasons to hold employee data, the primary one that will likely be used – provided there are no more specific local member state laws complicating things – is under the ‘legitimate interest of the employer’. That is, that the employer’s legitimate interest in processing an employee’s data outweighs the general privacy of the employee.
Legitimate interest has its limits though, and an assessment of proportionality would need to be undertaken by the employer. Processing needs to be legitimate, necessary, proportionate, and implemented in the least intrusive manner possible.
Finally, as with all personal data, employers should hold all data centrally and responsibly, so that they can comply fully with any data request from employees and keep the data secure from unauthorised access.
By Judith Nink, Data Protection Officer, Eyeo