The protection of personal data is a fundamental right and, as such, must also be applied in the company. In fact, the relationship between GDPR and employees is so strict that its violation can lead to fines of 40,000 to 20 million Euros depending on the severity.
At Kuorum we protect the personal data of the employees of all our clients on a daily basis, so we know this legislation and its importance very well. And to help you comply with it, we bring you not only the most important aspects of the legislation, but also tips to apply it in your company. We hope you find it useful.
Keys to the GDPR in data protection in the work environment
To apply the GDPR on the protection of employees' personal data, you need to be clear about what kind of data you can ask for, why and what you will do with it.
These 3 keys will help you know what you can request and how to protect the personal data of your employees, applicants and leavers.
Therefore, you need to know well?
What is considered personal data of employees?
Any information relating to an identified or identifiable natural person.
What kind of personal employee data can a company request?
A company may request some personal data of its employees or others, depending on the purpose for which they are requested, i.e. if that information is necessary to make the selection process, contract, comply with labor law, a collective bargaining agreement, union elections ....
For example, when asking for personal data to make the employment contract, as this is the basis of the right to do so, the company may ask for information such as:
Full name.
2. Date of birth and nationality.
3. DNI, NIE, or Social Security number.
4. Confirmed disability.
5. Bank account, if making transfer.
6. Workday record, to comply with related law.
Although all are personal data of your employees, there are special categories such as ethnic or racial origin, political opinions, religious convictions, union membership, sexual orientation? Being data belonging to special categories (or sensitive), you should not unless any of the exceptions contained in the rule.
How can the company comply with the protection of employees' personal data?
One of the most important obligations of the company when protecting the personal data of its employees, according to the GDPR, is to keep it secure, confidential and to safeguard the documents containing such data, such as resumes.
In fact, the loss of this information is a breach of the GDPR. It is a common mistake to throw documents containing personal data in the trash without having properly shredded the documents or to save digital copies in forgotten folders.
In addition, the company is obliged to inform employees about the processing of their data. This notice must be written in simple and understandable language, and must be easily accessible. It shall contain information such as:
- Data to be collected.
- Data Processor.
- Legal basis and purpose of processing.
- Conservation period.
- Transfer of data to third parties.
- Means available to exercise the rights of management of the same.
Hence, training the staff on how to treat the personal data of workers is also another obligation to achieve the correct exercise of the obligation of the company, even assessing the need to have a data protection officer - mandatory only for some companies. Companies like Pridatec help other companies to audit and manage their compliance with the Data Protection Law in a simple way.
What rights does the GDPR grant to employees?
According to the GDPR, employees have the right to know at all times what data is being processed, with whom the company shares it, their rights and how to exercise them. In fact, they can even ask for a copy of the data held by the company.
There are many programs today that securely store this data and offer workers access with a secure password. They can then easily request any change of information due to error or incompleteness, or do it themselves.
Another right of workers is to demand that the company delete or limit their personal data, provided that they believe that:
- The data is no longer needed, considering the reason the company collected it.
- If the consent was the only legitimate basis for requesting them and you want to withdraw it.
- If you consider that it is unlawful to ask for such information, unnecessary to make the contract, or if they have to be suppressed by law.
In these cases, the company has to block the data for 3 to 4 years. This means that no one can see or manipulate them, except for the courts, so they cannot be deleted.
Who must process employee data under the GDPR?
In addition to the data delegate, union delegates may also process employees' personal data without their consent, according to the GDPR. However, provided that the information is strictly necessary for the performance of their representative duties, such as holding union elections.
Remember that in this case the people in charge of union work will also have to take special care to protect workers' data. Hence, more and more companies are turning to online voting software such as Kuorum to achieve more secure and confidential data processing in any voting process, whether it is a union election or a collective bargaining agreement vote.
We hope we have helped you to better understand the relationship between GDPR and employees, and how to protect their personal data. If you need more information about our online voting platform contact us or request a demo.
