How does GDPR affect me as an employee?
The General Data Protection Regulation (GDPR) came into effect on Friday 25th May 2018. Publicity around this subject centred on the processing of personal data held about customers or potential customers. But GDPR isn't just about mailing lists and customer personal data. GDPR puts data security and privacy of employees' personal data at the forefront of an employer’s consideration. It creates significant rights for employees in relation to their personal data and substantial penalties for an employer who breaks the law.
Businesses hold and process a significant amount of employees' personal data: for background checks, contracts of employment, disciplinary proceedings, grievance proceedings, annual reviews, payroll, benefits, training, sickness procedures and health records, monitoring performance, CCTV images of employees, clocking in and out, security checks, files notes, minutes of meetings, emails referring to employees (even indirectly). All of these will involve the processing of personal data, and so GDPR applies.
It may be helpful to read our guide for employers, to see if your employer is compliant with their duties
Your rights as an employee
As an employee, you have the right to:
access your personal data
correct your personal data
erase personal data (the right to be forgotten)
restrict processing of data
object to data processing
receive a copy of your personal data
transfer your personal data to another data controller
not to be subject to automated decision making
Your employer must provide requested data without undue delay. Usually this must be no later than one month from the initial request, or two months for complex or onerous requests. Your employer is no longer able to apply a £10 fee, although reasonable charges can be made for unfounded or excessive requests. If your employer refuses to comply with your request, you have the right to complain to the ICO.
Your employer must also inform you of:
the identity of the data controller and any data protection officer
the purpose of processing the data and the relevant legal basis
the source and category of any data that you did not provide yourself
who will receive the data (department or roll)
how long your employer intends to keep the data - for example, 3 years after the end of your employment
your rights under GDPR
whether the data is to be transferred out of the EU, the legal basis for this and the safeguards in place
whether your employer uses any automated decision making or profiling
Six lawful bases to process data
There are six potential lawful bases for your employer to process your personal data. They must be able to demonstrate at least one of these is applicable to the personal data they process or control. The lawful bases are:
with your consent
where the personal data is necessary for the performance of a contract e.g. an employment contract.
they require the personal data to be able to comply with a legal obligation e.g. provide information to HMRC.
the personal data is necessary to protect the vital interests of you asn an employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues.
it is necessary in the public interest.
it is necessary for the purposes of a legitimate interest of your employer or a third party. Your interests and fundamental rights and freedoms as an employee can override this basis.
Consent
GDPR says that consent must be:-
freely given;
specific;
informed; and
unambiguous.
It should be distinguishable. This means that it should be separate from other things such as employment contracts and policies. It can also be withdrawn.
Give us a call to discuss how we can help assert your rights under GDPR
Get in touch
Phone: 0121 452 5130
Email: enquiries@spencershaw.co.uk
Address: Spencer Shaw Solicitors Limited
Vancouver House, 111 Hagley Road, Edgbaston, Birmingham B16 8LB
Opening hours:
Monday - Friday 9:00AM - 5:00PM
Saturday, Sunday & Bank Holidays - Closed