GDPR and employment contracts: pitfalls to avoid
Most people associate the GDPR with websites and e-mail, maybe with the Internet on the whole. But where it can really come back to bite you is offline, in a place as inconspicuous as employment contracts.
This chunk of legalese is most likely not part of your standard employment contract:
Employers are legally required by the GDPR’s Article 13 to inform their employees of a number of things relating to the use of personal data. They include:
- The identity of the person responsible for processing their personal data
- The contact details of that person
- The time period for which their personal data will be kept
- Their right to have that data erased under certain conditions
- That they, if relevant, can withdraw their consent to the use of their personal data
- That they have the right to complain to a state watchdog authority
- The extent to which they are required to divulge their personal data
Now, some of this obviously seems commonsensical. So commonsensical, in fact, that you would think: why make such a fuss?
But be warned. The GDPR, in this case, is a thing to be reckoned with. If you fail to include these points in your employment contract, you are opening yourself up to all kinds of attacks—most notably to that good old one, a disgruntled former colleague taking the chance to get back at you.
The EU’s love for paperwork continues on, going well beyond this little list: employees also have to be informed about any and all automatic uses of their data, be it for statistical reasons, profiling, modelling and the like.
Obvious? Doesn’t matter. You need to spell it out—or risk being fined
Whether or not you see any of this as self-evident, or as important at all, unfortunately doesn’t matter. If the above isn’t part of your employment contracts, or isn’t stipulated in your privacy notice, and the employee has been required to share any personal data, they can go straight to the Data Protection Inspectorate and file a complaint.
It gets even more complicated. Article 14 of the GDPR states that wherever you hold on to an individual’s personal data, but did not receive this data directly from them, you must tell them so.
An example. Imagine you’re collecting information about applicants for an open position in your business. If you now keep this information—out of LinkedIn profiles, say, or something you’ve come across googling an applicant’s name—you need to let the applicant know.
On top of that, the same logic applies here as in Article 13, which we discussed earlier. You need to give the individual all the information they may need to access, restrict or remove their personal information from wherever you’re keeping it. The same applies to the period for which the information is kept, and so on. Full disclosure.
If you don’t follow this rule, again, anyone affected can file a complaint with the DPI simply because you failed to tell them all that.
Legal requirements continue to apply wherever you conduct background checks, with or without the consent of an applicant or employee, or in fact of any individual at all you may be looking into. However superficial the procedure, data protection regulations must be observed. The processed data must be accurate, consistent with the purpose for which it was collected, and so on.
Another tripwire is the question of how long an individual’s information is kept, the so-called “data retention period”. For many of our clients this has been a headache in the past, because not only is there the requirement to delete personal data at some point, but in some cases it actually has to be kept for a minimum time period.
An example here is a discrimination claim under Estonia’s Equal Treatment Act. Any person who finds their rights have been violated needs to submit their claim within a year of the moment they realised that damage was done. This means that the company in question then has to hold on to all the relevant data for at least a year, in case e.g. an applicant for an open position does submit such a complaint.
Changes are legally binding, not just a precaution
These are just three examples. In most situations, this is all rather abstract. But today’s hyperconnected world is affecting standard legal texts and agreements, such as an employment contract, and that is what we are looking at here.
So be careful. This isn’t just sound advice here, this is an absolute legal requirement these days. Make sure you are compliant and include these personal data references in your standard contracts ASAP to avoid having to deal with complaints.
If you have any questions, or if you need help with that, we are at your disposal. You can write to advocate Mari Anne Valberg at Glikman Alvin LEVIN (mari.anne.valberg@levinlaw.ee) or call us on +372 686 0000.