How does GDPR affect me as an employee? 

 
The General Data Protection Regulation (GDPR) came into effect on Friday 25th May 2018. Publicity around this subject centred on the processing of personal data held about customers or potential customers. But GDPR isn't just about mailing lists and customer personal data. GDPR puts data security and privacy of employees' personal data at the forefront of an employer’s consideration. It creates significant rights for employees in relation to their personal data and substantial penalties for an employer who breaks the law. 
 
Businesses hold and process a significant amount of employees' personal data: for background checks, contracts of employment, disciplinary proceedings, grievance proceedings, annual reviews, payroll, benefits, training, sickness procedures and health records, monitoring performance, CCTV images of employees, clocking in and out, security checks, files notes, minutes of meetings, emails referring to employees (even indirectly). All of these will involve the processing of personal data, and so GDPR applies. 
It may be helpful to read our guide for employers, to see if your employer is compliant with their duties 

Your rights as an employee 

As an employee, you have the right to: 
 
access your personal data 
correct your personal data 
erase personal data (the right to be forgotten) 
restrict processing of data 
object to data processing 
receive a copy of your personal data 
transfer your personal data to another data controller 
not to be subject to automated decision making 
 
Your employer must provide requested data without undue delay. Usually this must be no later than one month from the initial request, or two months for complex or onerous requests. Your employer is no longer able to apply a £10 fee, although reasonable charges can be made for unfounded or excessive requests. If your employer refuses to comply with your request, you have the right to complain to the ICO. 
 
Your employer must also inform you of: 
 
the identity of the data controller and any data protection officer 
the purpose of processing the data and the relevant legal basis 
the source and category of any data that you did not provide yourself 
who will receive the data (department or roll) 
how long your employer intends to keep the data - for example, 3 years after the end of your employment 
your rights under GDPR 
whether the data is to be transferred out of the EU, the legal basis for this and the safeguards in place 
whether your employer uses any automated decision making or profiling 

Six lawful bases to process data 

There are six potential lawful bases for your employer to process your personal data. They must be able to demonstrate at least one of these is applicable to the personal data they process or control. The lawful bases are: 
with your consent 
where the personal data is necessary for the performance of a contract e.g. an employment contract. 
they require the personal data to be able to comply with a legal obligation e.g. provide information to HMRC. 
the personal data is necessary to protect the vital interests of you asn an employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues. 
it is necessary in the public interest. 
it is necessary for the purposes of a legitimate interest of your employer or a third party. Your interests and fundamental rights and freedoms as an employee can override this basis. 

Consent 

GDPR says that consent must be:- 
 
freely given; 
specific; 
informed; and 
unambiguous. 
 
It should be distinguishable. This means that it should be separate from other things such as employment contracts and policies. It can also be withdrawn. 
Give us a call to discuss how we can help assert your rights under GDPR 

Get in touch 

Do you have a legal matter you'd like to discuss with us? Whether you're an employer or employee we'd love to hear from you. Get in touch using the details below or use the form here and a member of our team will be in touch to discuss your enquiry. 
Phone: 0121 452 5130 
Address: Spencer Shaw Solicitors Limited 
Vancouver House, 111 Hagley Road, Edgbaston, Birmingham B16 8LB 
Opening hours: 
Monday - Friday 9:00AM - 5:00PM 
Saturday, Sunday & Bank Holidays - Closed 
Connect on social media 
We take your privacy seriously and will only use the information you provide on this contact form to deal with your enquiry. Please see our Client Privacy Policy for more detail. 
Our site uses cookies. For more information, see our cookie policy. Accept cookies and close
Reject cookies Manage settings