GDPR and employees – Protection of personal data

The protection of personal data is a fundamental right and, as such, must also be respected within the company. In fact, the RGPD (GDPR, by its English acronym) applies so strictly to employee data that a violation can lead to fines of 40,000 to 20 million euros, depending on the severity.

At Kuorum we protect the personal data of the workers of all our clients on a daily basis, so we know this regulation and its importance very well. And to help you comply with it, we bring you not only the most important aspects of the legislation, but also tips to apply it in your company. We hope you find it useful.

Keys to the RGPD for data protection in the workplace

To apply the provisions of the RGPD on the protection of employees' personal data, you have to be clear about what type of data you can request, why, and what you will do with it.

These 3 keys will help you know what you can request and how to protect the personal data of your employees, candidates and people who have left the company.

Therefore, you need to know the following well:

What is considered personal data of workers?

Any information relating to an identified or identifiable natural person.

What kind of personal data of employees can a company ask for?

Which personal data a company can request from its employees depends on the purpose of the request, that is, whether the information is necessary to carry out the selection process, draw up the contract, or comply with labor law, a collective agreement, union elections…

For example, when requesting personal data to draw up the employment contract, the contract being the legal basis for doing so, the company may request information such as:

1. Full name.
2. Date of birth and nationality.
3. DNI, NIE, or Social Security number.
4. Confirmed disability.
5. Bank account, if you pay by transfer.
6. Registration of working hours, to comply with the related law.

Although all of this is personal data of your workers, there are special categories such as ethnic or racial origin, political opinions, religious convictions, trade union affiliation, sexual orientation… Since this data belongs to special (or sensitive) categories, you should not request it unless one of the exceptions contained in the regulation applies.

How can the company comply with the protection of personal data of workers?

One of the company's most important obligations under the RGPD when protecting its employees' personal data is to keep it secure and confidential, and to safeguard the documents that contain it, such as resumes.

In fact, the loss of this information is a violation of the GDPR. Common mistakes are throwing away documents containing personal data without properly destroying them, or leaving digital copies in forgotten folders.

In addition, the company is obliged to inform workers of how it processes their data. This notice must be written in simple and understandable language, and must be easily accessible. It will contain information such as:

  • Data that will be collected.
  • Data controller.
  • Legal basis and purpose of the processing.
  • Retention period.
  • Transfer of data to third parties.
  • Means available to exercise their rights over their data.

Hence, training the workforce on how to handle workers' personal data is another obligation the company must meet, and it should also assess whether it needs a data protection delegate, which is mandatory only for some companies. Companies like Pridatec help other companies to audit and manage their compliance with the Data Protection Law in a simple way.

What rights does the GDPR grant to employees?

According to the RGPD, workers have the right to know at all times what data is being processed, with whom the company shares it, what their rights are and how to exercise them. In fact, they can even request a copy of the data that the company holds.

There are many programs today that securely store this data and offer workers access with a secure key. This way they can easily request any change of information due to error or incompleteness, or do it themselves.

Another right of workers is to demand that the company erase or restrict their personal data whenever they believe that:

  • The data is no longer necessary, taking into account the reason for which the company collected it.
  • Consent was the only legitimate basis for requesting it and they want to withdraw it.
  • Requesting the information is illegal or unnecessary for the contract, or the data has to be erased by law.

In these cases, the company has to block the data for 3 to 4 years. This means that no one can view or alter it, except the courts, so it cannot be deleted.

Who should process workers' data according to the RGPD?

In addition to the data delegate, union delegates may also process employees' personal data without their consent, according to the RGPD, as long as it is the information strictly necessary to carry out their representation tasks, such as holding union elections.

Remember that in this case the people in charge of carrying out union work will also have to take special care to protect the data of the workers. Hence, more and more companies are turning to online voting software such as Kuorum to achieve more secure and confidential data processing in any voting process, whether it is a union election or a collective agreement vote.

We hope we have helped you to better understand the relationship between GDPR and workers, and how to protect your personal data. If you need more information about our online voting platform, contact us or request a demo.