As of 25 May 2018 the General Data Protection Regulation (“GDPR”) (Algemene Verordening Persoonsgegevens) comes into force.
The GDPR applies throughout the European Union and is intended to harmonise data protection law. The legislation currently applicable in the Netherlands is the Personal Data Protection Act (“PDPA”) (Wet Bescherming Persoonsgegevens) and its implementing Act – based on the 1995 Privacy Directive – which will be replaced by the GDPR.
The current PDPA does show similarities with the GDPR, such as the general principles relating to the processing of personal data (lawfulness, fairness, transparency and accuracy), data minimisation, the notification obligation in case of a data breach, purpose limitation, storage limitation, the exhaustive list of grounds for data processing and the transfer of personal data to other countries (the principle that a transfer to a country without an adequate level of protection requires the consent of the employee). However, the GDPR entails changes that will have an impact on the people who deal with personal data.
HR deals with data protection on a daily basis in the performance of its work. It is therefore of major importance for HR to be familiar with the upcoming changes and to carry out its work in compliance with the GDPR. Should HR breach the obligations set out in the GDPR, employers risk very high fines. We therefore advise employers to assess the way personal data is being processed and to implement the GDPR. In this article we set out the main changes the GDPR entails for HR.
Main changes for HR following the GDPR
The rights of data subjects (or, as the case may be, “employees”)
In order to protect the rights of employees, the GDPR introduces several new rights for the employee, namely the “right to be forgotten”, the “right to restriction of processing” and the “right to data portability”. Furthermore, the employee’s right of access to his or her personal data will be extended.
Right of access to collected personal data
Under the PDPA the employee already has the right of access to collected personal data and to receive a description of the storage purpose, the categories of data to which the processing relates and the recipients or categories of recipients, as well as the available information on the origin of the personal data.
However, following the GDPR this right of access will be extended in such a way that the employee has the right to obtain information from the employer on (i) the storage period, (ii) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the employee and (iii) the right to lodge a complaint with a supervisory authority.
Right to data portability
Under current law employees have the right to ask for access to their personal data that are collected by the employer. However the employer may decide how to provide an employee with access to his or her personal data.
Under the GDPR this will change. The employee will have the right to receive the personal data concerning him or her in a structured, commonly used, machine-readable and interoperable format and will have the right to transmit this data to others. The employer should therefore develop interoperable formats that enable data portability. The employer must generally comply with a request within one month.
Right to be forgotten
The PDPA contains no explicit provision on a right of erasure. Under the GDPR the employee will have the right to obtain from the controller erasure of personal data without undue delay. The employer shall be obliged to erase personal data in case (i) the personal data are no longer necessary for the purpose for which they are processed, (ii) the employee withdraws the consent on which the processing is based, or (iii) there are no legitimate grounds for the processing. The employer will also be obliged to inform third parties that are processing such personal data that they must erase any links to, copies or replications of those personal data.
Right to restriction of processing
Another right of the employee is the right to obtain restriction of processing in case (i) the accuracy of the personal data is contested by the employee, (ii) the processing is unlawful and the employee opposes the erasure of the personal data and requests the restriction of their use instead, (iii) the employer no longer needs the personal data for the purposes of the processing, or (iv) the employee has objected to the processing of the personal data.
The obligations of the controller (or as the case may be the “employer”)
Not only will the employee obtain more rights; the employer will also have more obligations under the GDPR. Following the GDPR the employer has an information obligation and the obligation to keep a record of processing activities. Furthermore, the employer may be obliged to carry out a Data Protection Impact Assessment (“DPIA”) and to appoint a Data Protection Officer.
Information obligation of the employer
In case personal data have not been obtained from the employee, the employer is obliged to provide the employee with extensive information on the processing, such as (but not limited to) the purposes and legal ground for the processing, information on the Data Protection Officer, the involved categories of personal data, the recipients of the personal data, whether the personal data will be transferred to third countries and the storage period. With reference to this information obligation it is advisable for employers to draw up a general and understandable information leaflet with regard to the storage of personal data.
Records of processing activities
Currently the employer has the statutory obligation to report the processing of personal data to the competent authority. This obligation will lapse as of 25 May 2018.
The GDPR introduces the obligation for the employer to keep a record of processing activities, which shall be in writing, including in electronic form. The record should set out, amongst other things, the categories of personal data; the purpose for which the personal data are processed; the place of storage and the retention period; the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; where possible, the envisaged time limits for erasure of the different categories of data; and, where possible, a general description of the technical and organisational security measures. This record must be made available to the supervisory authority on its request.
A derogation from this obligation applies if the employer has fewer than 250 employees, unless (i) the processing is likely to result in a risk to the rights and freedoms of employees, (ii) the processing is not occasional or (iii) the processing concerns special categories of personal data. Records should be available to the Data Protection Officer on request.
Data Protection Impact Assessment (“DPIA”)
A DPIA is required before personal data may be processed if the processing is likely to result in a high risk to the rights and freedoms of the employees, for example when personal data are processed on a large scale or when special categories of personal data (sensitive data, for instance) are processed.
Data Protection Officer
Under the PDPA it is optional to appoint a Data Protection Officer. Following the GDPR it will be required to appoint a Data Protection Officer under certain circumstances. This is especially relevant where the processing is carried out (i) by a public body or authority, (ii) in the context of systematic monitoring of employees on a large scale or (iii) where special categories of personal data are processed. In other instances it remains optional to appoint a Data Protection Officer. The tasks of the Data Protection Officer include, amongst others, informing the employer and the employees who carry out processing of their obligations, monitoring compliance with the GDPR and providing advice thereon. Employees may contact the Data Protection Officer with regard to all issues related to the processing of their personal data.
Should the employer share personal data with third parties that will process the personal data, for example an occupational health and safety service or a payroll company, this relationship will become heavily regulated under the GDPR. The employer may only engage such a third party if the processor guarantees that the processing meets the requirements of the GDPR, for example by concluding a GDPR-compliant data sharing agreement with the employer.
Under the PDPA the maximum fine for employers for an infringement is € 900,000. Under the GDPR the possible administrative fine will increase drastically. There are two categories of infringement, each with its own maximum administrative fine. In general, infringements of the employer’s obligations may be fined up to a maximum of 10 million euro or, alternatively, 2% of the worldwide annual turnover, whichever is higher. Should employers breach the principles of the GDPR or the rights of the employees, the DPA may impose a fine of up to a maximum of 20 million euro or, alternatively, 4% of the worldwide annual turnover, whichever is higher.
The subjects above give an impression of the changes that lie ahead. Please note that there are further changes that HR should take into account.
In order to implement and complement the GDPR, a draft implementation Act has been drawn up. The DPA has given its advice on this draft, and the draft implementation Act is currently before the Council of State. This advice, however, has not been published yet, and it is still unclear whether this implementation Act will come into force as of 25 May 2018.
Should you wish to receive more information and updates on the GDPR and the Dutch implementation Act, our employment and data privacy experts can provide you with the appropriate assistance.