Skip to main content

View more from News & Articles or Primerus Weekly

Russell Advocaten B.V.
Amsterdam, Netherlands

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. This does not just have consequences for your website or online shop but also for your staff management. Is it ready for the GDPR?

You may have heard a lot about the General Data Protection Regulation (GDPR) and the necessary changes you have to make to your website, the mandatory privacy statement, and the processing agreements you have to conclude. But even if you don’t have a website or web store, you will have to deal with the GDPR.

General Data Protection Regulation

The GDPR will give citizens more control over their personal data, such as name, address, bank account number, etc. The GDPR requires organisations to make transparent in advance which personal data they process, for what purpose, what the legal basis is for the processing, and how the data are processed. This does not just apply to personal data of customers and suppliers, but also to the personal details of your employees.

Personnel Data Are Personal Data

The data an organisation collects and processes of its employees are certainly personal data which fall under the GDPR: wages, pension, leave, etc. In addition, special category personal data will be processed, such as citizen service numbers and sick leave. Also, data used in the application process are personal data within the meaning of the GDPR.

Usually, the processing of personal data is based on a legal requirement under fiscal or social legislation, or labour law and pension law. There is no legal requirement for an in-company “face book”, for instance, or a birthday calendar and the legal basis for the processing must be a legitimate interest (employees must be able to identify each other for the purpose of security) or the processing has to be based on the informed consent of the individual employees.

Sharing Data With Third Parties

Employees have to be informed of what happens with their personal data, for instance, that part of the data will be shared with a payroller, a pension fund, and – in the event of sickness – with the occupational health and safety service and/or employee insurance agency. You also have to conclude processing agreements with the external parties you involve in your staff management, where they declare to comply with the GDPR and your privacy policy.

Employee Rights

In addition, make your employees aware of their rights, such as the right to be forgotten, the right to obtain restriction of data processing, and the right to object to processing. These rights cannot be invoked where you are legally required to process data. The storage period of salary details for fiscal purposes is, for instance, 7 years from the termination of employment. During this period, the (former) employee cannot require you to delete these data from your files.


The GDPR does not just have consequences for the relationship with your customers or suppliers but it does also affect the internal relationship with your employees. We recommend you draft a separate privacy policy for your employees and conclude the required processing agreements.

More information

Would you like to learn more about the GDPR and what you, as an organisation have to do for a “GDPR-proof” staff management? Would you like to make changes to your privacy statement, or would you like us to draft a processing agreement? Please contact us.