GDPR for employees
The General Data Protection Regulation (GDPR) came into effect on Friday 25th May 2018. Publicity around this subject centred on the processing of personal data held about customers or potential customers. But GDPR isn't just about mailing lists and customer personal data. GDPR puts data security and privacy of employees' personal data at the forefront of an employer’s consideration. It creates significant rights for employees in relation to their personal data and substantial penalties for an employer who breaks the law.
Businesses hold and process a significant amount of employees' personal data: for background checks, contracts of employment, disciplinary proceedings, grievance proceedings, annual reviews, payroll, benefits, training, sickness procedures and health records, monitoring performance, CCTV images of employees, clocking in and out, security checks, files notes, minutes of meetings, emails referring to employees (even indirectly). All of these will involve the processing of personal data, and so GDPR applies.
It may be helpful to read our guide for employers, to see if your employer is compliant with their duties
Six lawful bases to process data
Your employer must be able to demonstrate one of these six lawful bases is applicable to any personal data they process or control:
with your consent
where the personal data is necessary for the performance of a contract e.g. an employment contract
they require the personal data to be able to comply with a legal obligation e.g. provide information to HMRC
the personal data is necessary to protect the vital interests of you asn an employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues
it is necessary in the public interest
it is necessary for the purposes of a legitimate interest of your employer or a third party. Your interests and fundamental rights and freedoms as an employee can override this basis
Consent
GDPR says that consent must be:-
freely given
specific
informed
unambiguous
distinguishable- this means that it should be separate from other things such as employment contracts and policies
Able to be withdrawn
Your rights as an employee
You have the right to:
access your personal data
correct your personal data
erase personal data (the right to be forgotten)
restrict processing of data
object to data processing
receive a copy of your personal data
transfer your personal data to another data controller
not to be subject to automated decision making
Your employer must provide requested data without undue delay. Usually this must be no later than one month from the initial request, or two months for complex or onerous requests. Your employer is no longer able to apply a £10 fee, although reasonable charges can be made for unfounded or excessive requests. If your employer refuses to comply with your request, you have the right to complain to the ICO.
Your employer must inform you of:
the identity of the data controller and any data protection officer
the purpose of processing the data and the relevant legal basis
the source and category of any data that you did not provide yourself
who will receive the data (department or roll)
how long your employer intends to keep the data - for example, 3 years after the end of your employment
your rights under GDPR
whether the data is to be transferred out of the EU, the legal basis for this and the safeguards in place
whether your employer uses any automated decision making or profiling
Get in touch
Do you have a legal matter you'd like to discuss with us? Get in touch using the details below or use the form here and a member of our team will be in touch to discuss your enquiry.
Address: Spencer Shaw Solicitors Limited
Vancouver House, 111 Hagley Road, Edgbaston, Birmingham B16 8LB
Opening hours:
Monday - Friday 9:00AM - 5:00PM
Saturday, Sunday & Bank Holidays - Closed
Connect on social media
