The State Data Protection Inspectorate (SDPI) has published guidelines on the processing of employees’ personal data, which are relevant not only for employees but also for employers. ECOVIS ProventusLaw invites you to read a brief overview of the most important recommendations of the SDPI.
The legal bases for the processing of employees’ personal data
Processing of personal data on the basis of consent may be carried out where the individual has a real and feasible opportunity to freely choose whether to give consent and to withdraw the consent at any time without adverse consequences. The SDPI notes that the inherent dependence of the relationship between employer and employee makes it difficult to ensure this and that processing of employees’ personal data on this basis should be avoided. As a general rule, an employee’s personal data may be processed on the basis of consent on grounds unrelated to the performance of the employee’s job functions, such as:
- capturing an employee’s image;
- informing the employee’s family members about an accident at work;
- congratulating the employee on his/her birthday.
The SDPI reminds employers that personal data may only be processed on the basis of legitimate interests where it is necessary for the pursuit of the employer’s legitimate interests which override those of the employee. The employer must carry out a balancing test for each of the purposes of the processing of personal data on the basis of legitimate interests in order to determine which party to the employment relationship has the overriding interests.
Processing of publicly available personal data of employees
The SDPI emphasises that the mere fact that an employee’s personal data is publicly available does not mean that the employer has a legitimate basis for processing it. The processing of personal data made publicly available can only be carried out in exceptional cases where the employer can justify its legitimate interest.
Processing of special categories of personal data
In order to process special categories of personal data, the employer must assess whether the processing can be justified by at least one of the exceptions set out in Article 9 of the General Data Protection Regulation (hereinafter – GDPR), such as where the processing is necessary for the performance of obligations and the exercise of specific rights in the field of labour and social security protection law, to the extent permitted by law or collective agreements (e.g., processing of personal data in employees’ medical records, data justifying the employees’ entitlement to social security benefits).
Processing of personal data relating to criminal convictions and offences
This personal data of an employee may only be processed if the employee’s job title or job function requires him/her to be free from criminal convictions and offences. For example, in order to recruit a bank manager, it is necessary to check that he/she has no criminal record.
Processing of personal data during recruitment
The SDPI reminds employers of the possibility of collecting personal data relating to the qualifications, professional skills and qualities of a job candidate from past and present employers:
- personal data can only be collected from former employers after informing the candidate in advance;
- personal data may only be collected from a current employer with the consent of the candidate.
Furthermore, candidates’ personal data should be deleted at the end of the recruitment process, unless a mandatory retention period is provided for by law or the candidate agrees to a longer retention period (e.g., in the case of a future recruitment for the same position). This also means that if an employer wishes to invite a former candidate to take part in a new recruitment process, a separate consent would have to be obtained to process the candidate’s contact details for this purpose.
Processing of personal data after the end of the employment relationship
If an employer wishes to continue to process a former employee’s work e-mail after the end of the employment relationship, the following should be considered:
- what tasks the employee performed;
- whether and how any unfinished tasks have been transferred to other employees;
- whether the e-mail contains information not available from other sources.
In order to retain an employee’s e-mail for some time after the end of an employment relationship, the employer must ensure that employees are properly informed of:
- the scope of use of work e-mail;
- the checking of e-mail communications, the instances, scope and duration of checking;
- the way in which the e-mail may be processed.
Information about the Data Protection Officer
Employers often forget about their obligation to inform not only the SDPI but also the employees about the appointment of a Data Protection Officer (DPO). Once the DPO has been appointed, the employer must inform employees of the DPO’s name and contact details, their right to contact the DPO, and the issues they can address.
The SDPI guidelines can be found here.
Prepared by Gabija Bacevičiūtė, Junior Associate at ECOVIS ProventusLaw