Legal Basis for Processing HR Data
While it is possible to imagine situations in which an employee has a genuine choice (and can withdraw consent) about some of the data processed about them, such situations are likely to be extremely limited, and employers must be very careful not to rely on consent to legitimize the processing of HR data. A clause in a standard employment contract will certainly be insufficient and will no longer provide a “fallback” justification for HR data processing. Employers should also note that where consent is the basis for lawful processing, the data subject has the right to have his or her data erased under the new “right to be forgotten”, unless other legal bases justify the processing. An employee may also request deletion of data when it is no longer necessary for the purposes for which it was collected. Employers should therefore consider other grounds for lawful processing to justify the processing of HR data. The draft ICO directive states: “When you process employee data, you should look for another basis for the processing, such as ‘legitimate interests’.”

Businesses have suffered significant losses due to data breaches, cybersecurity failures, human error, a lack of automated tools, and a lack of understanding of current and upcoming data protection laws. Therefore, data protection certifications are required for.

3. How long should I keep employee data? What is a best practice? The CCPA does not require that information be retained for a specific period of time, but it is recommended that information not be retained longer than necessary.

The European Union's General Data Protection Regulation (GDPR) is designed to protect European Union residents when their personal data is processed. It treats natural persons, including consumers and workers, on an equal footing and grants them several rights and guarantees.

3. How long should I keep employee data? What is the best practice? The PDPA does not prescribe a retention period for personal data. However, an organisation should cease to retain records containing personal data, or delete the means by which personal data may be attributed to a particular employee, as soon as it can reasonably be assumed that the purpose of the collection is no longer served by storage and retention is no longer necessary for commercial or legal purposes.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. It is designed to help you identify gaps in your current processes so that you can work with your privacy advisors on your particular situation.

Increased financial exposure
The GDPR provides for two levels of fines for GDPR violations, depending on the type of violation. Unfortunately for employers, the majority of HR data processing falls into the category with the highest fines, allowing fines of €20 million or 4% of the company's global turnover, whichever is higher.

Don't miss any steps: personal data is broad within the meaning of the GDPR and includes any information relating to an identified or identifiable natural person, that is, one who can be identified by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. When an employer hires an employee, the employee has a number of rights over the use of their personal data.

In most cases, employers have certain misconceptions about what they can and cannot do with employees' personal data under the law. Here are the most common misconceptions an employer may have about protecting their employees' data. Most employers must rely on the “legitimate interest” basis, but to do so, the employer must first do preparatory work. In order to use the legitimate interests basis, employers must carry out a data protection impact assessment in which they balance their legitimate interest against employees' data protection interests. The tricky part is that this has to be documented to prove that the legitimate interest of the employer outweighs the employees' rights. The next step that employers should not overlook is that even if the employer has a basis to process employee data, the employer must inform the employee, detailing what data the employer will collect and what the employer will do with it.

Requirements for sensitive HR data
According to the GDPR, there are “personal data” (see above) and special categories of data, i.e. sensitive data. Sensitive data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. The processing of sensitive data is strictly prohibited unless one of ten exceptions is met, including: explicit consent; processing necessary to meet employment obligations, including compliance with a collective agreement; and processing necessary to protect the vital interests of the data subject.

Data Protection Impact Assessment (DPIA)
The GDPR requires companies to carry out a DPIA if the processing of data is likely to result in a high risk to the rights of the data subject. Current guidance on this topic states that a DPIA must be carried out if two of the following are present: According to Articles 12 to 23 of the GDPR, an employee has the following rights in relation to his or her personal data: 4.