GDPR for employees 

The General Data Protection Regulation (GDPR) came into effect on Friday 25th May 2018. Publicity around this subject centred on the processing of personal data held about customers or potential customers. But GDPR isn't just about mailing lists and customer personal data. GDPR puts data security and privacy of employees' personal data at the forefront of an employer’s consideration. It creates significant rights for employees in relation to their personal data and substantial penalties for an employer who breaks the law. 
 
Businesses hold and process a significant amount of employees' personal data: for background checks, contracts of employment, disciplinary proceedings, grievance proceedings, annual reviews, payroll, benefits, training, sickness procedures and health records, monitoring performance, CCTV images of employees, clocking in and out, security checks, file notes, minutes of meetings, emails referring to employees (even indirectly). All of these will involve the processing of personal data, and so GDPR applies. 
It may be helpful to read our guide for employers, to see if your employer is compliant with their duties. 

Six lawful bases to process data 

Your employer must be able to demonstrate one of these six lawful bases is applicable to any personal data they process or control: 
with your consent 
where the personal data is necessary for the performance of a contract e.g. an employment contract 
they require the personal data to be able to comply with a legal obligation e.g. provide information to HMRC 
the personal data is necessary to protect the vital interests of you as an employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues 
it is necessary in the public interest 
it is necessary for the purposes of a legitimate interest of your employer or a third party. Your interests and fundamental rights and freedoms as an employee can override this basis 

Consent 

GDPR says that consent must be:- 
 
freely given 
specific 
informed 
unambiguous 
distinguishable - this means that it should be separate from other things such as employment contracts and policies 
able to be withdrawn 

Your rights as an employee 

You have the right to: 
 
access your personal data 
correct your personal data 
erase personal data (the right to be forgotten) 
restrict processing of data 
object to data processing 
receive a copy of your personal data 
transfer your personal data to another data controller 
not be subject to automated decision making 

Your employer must provide requested data without undue delay. Usually this must be no later than one month from the initial request, or two months for complex or onerous requests. Your employer is no longer able to apply a £10 fee, although reasonable charges can be made for unfounded or excessive requests. If your employer refuses to comply with your request, you have the right to complain to the ICO.

Your employer must inform you of: 
 
the identity of the data controller and any data protection officer 
the purpose of processing the data and the relevant legal basis 
the source and category of any data that you did not provide yourself 
who will receive the data (department or role) 
how long your employer intends to keep the data - for example, 3 years after the end of your employment 
your rights under GDPR 
whether the data is to be transferred out of the EU, the legal basis for this and the safeguards in place 
whether your employer uses any automated decision making or profiling 

Get in touch 

Do you have a legal matter you'd like to discuss with us? Get in touch using the details below or use the form here and a member of our team will be in touch to discuss your enquiry. 
Phone: 0121 452 5130 
Address: Spencer Shaw Solicitors Limited 
Vancouver House, 111 Hagley Road, Edgbaston, Birmingham B16 8LB 
Opening hours: 
Monday - Friday 9:00AM - 5:00PM 
Saturday, Sunday & Bank Holidays - Closed 