GDPR – what will change in the HR domain?

28 May 2018

25 May 2018 means a revolution in the processing of personal data. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) introduces many changes to be faced by all enterprises.

This also applies to HR departments whose work involve first of all the processing of personal data – both at the stage of seeking candidates to work, during recruitment and after termination of employment relationships. Both failure to get prepared for the changes and any breach in the processing of personal data may trigger negative consequences, including high administrative fines. The fines may be imposed on both data controllers and processors, as well as badly affect the image of e.g. headhunters.

New rights, new obligations

The GDPR introduces a number of changes aimed mainly at ensuring a high level of protection of personal data. This is reflected, above all, in new rights of individuals (right to be forgotten, the right to restriction of processing), as well as in new obligations of the data controller and of the processor. Throughout the processing they are obliged to act in line with the principle of transparency towards those whose data they collect, by meeting the information obligation (providing the relevant information in the privacy policy, or in the information clause when getting relevant consent) and by modifying its form so as to make it clearly legible, easy to understand and accessible to data subjects. In addition, the controller and the processor are required to use their own internal procedures with the aim to ensure a high level of data security.

The GDPR is not a document providing ready solutions which ensure that the data are processed in accordance with laws. It is the controller or the processor who are responsible for identifying "adequate technical and organisational measures" that should be implemented to ensure safe processing of personal data, a "data protection impact assessment" necessary to analyse data processing operations, as well as for finding out whether their operations cover the processing "on a large scale" and whether they have to keep a record of processing activities. The afore-mentioned obligations are only examples of ambiguities that enterprises need to face under the GDPR rules. It may turn out that without support from professional firms providing legal and IT auditing services, the rules will be misinterpreted, thus leading to their infringement and triggering a risk of high fines being charged.

Personal data processing in recruitment processes

The GDPR significantly affects operations of HR departments and headhunters whose business involves day-to-day processing of personal data, including sensitive data (which, under the GDPR, are subject to even more extended protection). While selecting candidates for work it is crucial to determine the function of the interested entities. The situation varies depending on whether the employer decides to seek an employee in his own capacity (then acting as an independent data controller), or to use the services of a headhunting agency. In the latter case it may happen that the headhunting agency is either a processor or a separate data controller. In the case when personal data are only entrusted for processing, the employer should enter into a relevant data processing agreement (DPA) clearly specifying the obligations of the two parties. In addition, it needs to be emphasised that upon receiving candidate’s personal data the applicable information obligation needs to be met. This requirement applies irrespective of whether the data are received directly from the candidate or from other entities. The information clause should, first of all, specify the data to be processed by the controller, the purposes of collecting the data, the legal basis for the processing, as well as to inform the individual whose data have been collected by the controller about his rights.

In addition, keeping the so-called blacklists in recruitment processes is forbidden under the GDPR. The Inspector General for the Protection of Personal Data gave many times negative opinions on the lists of unwanted candidates, pointing to the fact that the applicable law gives no legal grounds for keeping such lists. In the light of the GDPR this remains unchanged – there are still no legal grounds and, moreover, such approach constitutes a gross breach of regulations which is punishable with a high administrative fine and involves civil liability towards a blacklisted person.

Personal data processing during employment relationship

Upon deciding to hire an employee the employer becomes a controller of the employee’s personal data, which again triggers the need to meet the information obligation. This time, the information obligation is different as regards the legal basis for the processing and the scope of the collected data, as these matters are governed to a large extent by the Labour Code. The Labour Code defines what kind of data can be collected from the employee and, at the same time, is the legal basis for data processing. Draft changes to the Labour Code in the context of the GDPR coming into force cover also the employee’s data which, as a rule, the employer must not process, i.e. the sensitive data. Exceptions involve two cases: when the employer collects such data under applicable law, or when the employee provides the employer with biometric data upon explicit consent and the data are to be used exclusively to monitor access to the work establishment. It should be pointed out that if the employee does not consent to the above, the employer cannot impose negative consequences on the employee. Draft changes to the Labour Code also govern the monitoring aspects. The amended Labour Code provides for two categories: ordinary monitoring (video surveillance) and e-mail correspondence monitoring The former aims at ensuring staff security and protection of the employer’s property. The latter is supposed to aim exclusively at checking whether the employer’s tools are used appropriately and whether the employees work effectively. The employer is obliged to inform in advance the employees about using the two forms of monitoring, and the scope and purpose of the monitoring should be laid down in the collective labour agreement or in the work rules and regulations.

Importantly, the GDPR affects not only the employer’s obligations towards the employee. The employee should be aware of the processing of personal data in the company as well as should ensure the security of the processing of the collected data. It is, therefore, advisable to provide adequate training to the employees as well as to draw up the guidelines and good practices in the area of personal data processing at work. Each of the employees dealing with personal data processing should be duly authorised, with the authorisation specifying the scope and purposes of the processing on behalf of the controller, that is, the employer.

Personal data processing after termination of employment relationship

After the employment relationship is terminated, the employer is still held liable towards the former employee in terms of personal data processing. It is wrong to say that the employee may immediately request that his right to be forgotten is exercised and that the employer must delete all records which contain the data of the employee. The right to be forgotten is not an absolute right and, therefore, can be excluded. Firstly, the exclusion applies to the controller’s data processing obligation required by law. This concerns relevant regulations governing the archiving of documents, like personnel files, or the transferring of data to appropriate tax authorities. Another exclusion applies in case of identifying, seeking or defending claims. The employer may store personal data of a former employee throughout the statute of limitation for claims, e.g. due to termination of a contract of employment, discrimination or mobbing.

The need to audit data processing in HR departments

The GDPR is not a clear document which provides easy solutions. HR departments must introduce solutions relevant to the amended regulations. First of all, it is advisable to analyse how many data records are processed and how many of them are sensitive data of employees and candidates. Next, it should be determined what function in the processing operations is performed by the employer as a controller, and by potential processors as well as employees being at the same time "data subjects" and "persons authorised to process personal data on behalf of the controller". Audit, training and development of internal procedures are, in terms of the GDPR, the key solutions which may form the basis for proving accountability.