Guest post by heyData - first published on HR Works
With the increasing digitization of society, and thus of companies, data protection is becoming ever more important. This affects not only the relationship between customers and companies, but also the one between employees and employers: GDPR-specific rights for employees and applicants, deletion periods, high requirements for the secure handling of their data and the sheer variety of legal norms are an enormous challenge for small and medium-sized companies. An outline of the most important points for HR professionals can be found here.
Employee data protection: the legal basis
There are many legal sources for employee data protection: in addition to the GDPR ("General Data Protection Regulation") already mentioned, the BDSG ("Federal Data Protection Act") is of particular importance. In special cases, sector-specific legislation may also apply. The aim of employee data protection is to protect the personal rights of employees and applicants. To this end, as little personal data as possible should be collected, which corresponds to the principle of data minimization in Article 5 (1) (c) of the GDPR.
Data that has been collected may also not be processed further at will: according to the principle of purpose limitation in Art. 5 Para. 1 lit. b of the GDPR, data may only be processed for the purpose for which it was originally collected.
If, for example, an applicant's address data was collected during the application process for the purpose of contacting them, it may not be used later for another purpose, such as sending them a newsletter. This also means that everyone involved must be aware, at the time the data is collected, of the purpose for which it is collected.
In addition to a precisely defined purpose, the collection and continued storage of personal data always requires a legal basis. For employee data protection, this legal basis is found in § 26 BDSG. According to this provision, processing is permitted in particular if it is necessary for the decision on whether to establish an employment relationship or, later, for carrying out that relationship.
Leaving the company - deleting the data?
According to the principles described above, the personal data recorded about an employee must be deleted immediately after the employment relationship ends. In principle, this covers not only entries in databases, but also every e-mail, note, memo and any other medium that contains the former employee's personal data. Instead of deleting the affected documents, it is also possible to anonymize the employee concerned, e.g. by redacting their data.
But beware: the obligation to delete has important exceptions. Data that may be relevant to labor law disputes must be kept for three years, tax-relevant documents and business letters (including e-mails) for six years, and documents relevant to determining the company's profit for 10 years, even if they contain the name of the employee who has left the company.
Even greater caution is advisable with rejected applicants, as they may use improper data processing as grounds for taking action against the company. Employers need to be prepared to identify, locate and delete applicants' data. Data from rejected applicants may be retained so that the company can defend itself against a possible lawsuit under the General Equal Treatment Act. However, the deadline for this is short: the data must be deleted no later than six months after the position has been filled.
Does data protection mean the end of talent pools?
The procedure described above makes the popular practice of saving candidates in talent pools impossible: in this practice, the data of good applicants is kept for a later date at which a new position is to be filled. Without effective consent, however, the applicants' personal data may not be stored, so companies run the risk of losing interesting candidates from their pool. We therefore recommend taking the necessary care when formulating and documenting consent.
Employees have these rights
In addition to this basic protection, employees have certain rights that they can assert against their employer at any time - even after the employment relationship has ended:
- Incorrect, outdated or illegally recorded data must be deleted, corrected or blocked from further access by the employer at the employee's request.
- The employer must protect special categories of personal data, such as data relating to health, religion or sexuality, from unauthorized access. Employees or applicants may withhold certain particularly sensitive data, including from the employer. If the employer attempts to obtain data that is not subject to a duty of disclosure, the employee or applicant has the right to refuse to answer or to give an untruthful answer.
The monitoring of employees, for example via video, is particularly critical. The data protection authorities set strict limits on this practice and have already fined companies several times for inadmissible surveillance. Every company should carefully consider whether monitoring is really necessary. In any case, the data protection officer must be involved in the decision-making process.
Duty to provide information: transparency for those affected
Under Art. 15 of the GDPR, those processing data, i.e. employers in the context of the employment relationship, are obliged to provide a range of information. This includes in particular the categories of data collected, the purposes for which the data is processed, the recipients of the data and the planned duration of storage. Information must also be provided on whether data is transferred to third countries, for example through cloud applications.
However, companies are obliged to be transparent even without a request from an employee. They must proactively provide the information mentioned above, e.g. as part of a data protection declaration for employees.
Data security: the standards
The applicable security standards are of particular importance: the processor is obliged to guarantee "appropriate" standards at all times in order to prevent unauthorized persons from gaining access to the data, falsifying it or causing its loss. What exactly counts as appropriate depends heavily on the situation. The following guidelines can serve as orientation:
- Data may only be transmitted in a secure way. Particularly sensitive data (e.g. health data) may only be sent in encrypted e-mails; faxes are no longer considered adequate.
- Only authorized persons may have access to data. An access system with passwords or other access restrictions must therefore be set up.
- Different personal data must be separated from one another as far as possible in order to keep the damage to a minimum in the event of a data leak.
- Data must be stored on secure data carriers, for example in an encrypted database, or for paper files in a locked filing cabinet.