Novelties in Data Privacy and HR: Be Prepared
WHAT IS THE LEGAL BACKGROUND?
The European Commission proposed its reform of Directive 95/46/EC of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data to strengthen privacy rights and boost Europe’s digital economy.
Therefore, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereafter: ‘GDPR’) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was announced on April 27, 2016.
Since every company processes data regarding its personnel for the purpose of recruitment, the performance of the employment contract, the evaluation of the employees, health and safety, etc., a uniform international framework adapted to today's needs is crucial.
WHAT DOES THE REGULATION STATE?
The GDPR entered into force on May 24, 2016 and shall apply after a transition period of two years, i.e., as from May 25, 2018.
From an HR perspective, the GDPR has the following main consequences:
- Reinforcing the formalities for consent given by the employee: The GDPR includes additional formalities for the employer to rely on consent given by the employee, as it should be given freely, specifically and on an informed basis. The current position of the Belgian Data Protection Authorities already implies that no free consent can be given by an employee in a subordinate employment relationship. With the GDPR it becomes even more difficult to rely on the consent given by employees.
- A broader scope: The GDPR has a broader scope than the current legal framework. It covers not only employers processing the personal data of their employees, but also HR service providers that process such data on behalf of the employer (“data processors”).
- Increased transparency towards the employees involved: More detailed information must be given to the employees about the objectives and reasons of the processing. Among other things, the employees must be informed about the right to revoke their consent and the right to file a complaint with the Belgian Data Protection Authorities. Further, employees will be entitled to require the employer to erase personal data about them in certain circumstances (“right to be forgotten”), but the employer may in certain circumstances preserve a copy of the data for legal reasons (e.g., in the framework of litigation). These obligations go beyond the current legal framework; therefore, the information which is currently given to the employees in this respect must be checked.
- New obligations to demonstrate compliance: Companies with at least 250 employees must keep a detailed record of HR processing activities. In certain circumstances (e.g., the processing is not occasional or includes special categories of data such as racial or ethnic origin or political opinions, etc.) smaller companies must also keep such a record. Further, in certain cases, companies may be obliged to implement other measures such as consulting the data protection authorities before new data processing activities are commenced, appointing a data protection officer or carrying out a data protection impact assessment. The latter may be the case when using an IT tool to analyse publicly available data (i.e., for recruitment purposes).
- Increasing enforcement and higher fines: The Data Protection Authorities are given more specific powers regarding the monitoring and enforcement of the application of the GDPR. In this respect, fines of up to 20 million EUR or 4% of the global worldwide turnover, whichever is higher, can be imposed. Employers may also be obliged to notify a data breach to the Data Protection Authorities and individuals within 72 hours.
However, there is an important caveat to be made with regard to personal data in the employment context. The GDPR expressly authorizes individual Member States to implement other more specific rules in respect of the processing of HR-related personal data. This means that the adoption of specific rules under Belgian law will also be possible.
Therefore, we will keep you updated on any national law developments in the field of privacy in the workplace.
HOW DOES THIS AFFECT YOUR BUSINESS? WHAT CAN K LAW DO FOR YOU?
The GDPR provides for a two-year transition period for implementation, i.e., until May 25, 2018.
Nevertheless, it is not excluded that Belgian legislation will be affected sooner.
In order to be well prepared, the following steps should be taken:
- Mapping of the HR data which is currently processed (salary data, evaluation data, internet monitoring, ...) together with the processors
- Mapping of the current justification grounds to process the data and the information to be provided to the employees in this respect
- Analysis of the differences/gap between the current principles and the future principles
- Implementation of the new principles of GDPR
Please contact our expert lawyers Alexis Ceuterick or Sara Beutels for any questions you may have in this regard.