Business Law Articles
Russell Advocaten B.V.
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. This does not just have consequences for your website or online shop but also for your staff management. Is it ready for the GDPR?
You may have heard a lot about the General Data Protection Regulation (GDPR) and the necessary changes you have to make to your website, the mandatory privacy statement, and the processing agreements you have to conclude. But even if you don’t have a website or web store, you will have to deal with the GDPR.
General Data Protection Regulation
The GDPR will give citizens more control over their personal data, such as name, address, bank account number, etc. The GDPR requires organisations to make transparent in advance which personal data they process, for what purpose, what the legal basis is for the processing, and how the data are processed. This does not just apply to personal data of customers and suppliers, but also to the personal details of your employees.
Personnel Data Are Personal Data
The data an organisation collects and processes of its employees are certainly personal data which fall under the GDPR: wages, pension, leave, etc. In addition, special category personal data will be processed, such as citizen service numbers and sick leave. Also, data used in the application process are personal data within the meaning of the GDPR.
Usually, the processing of personal data is based on a legal requirement under fiscal or social legislation, or labour law and pension law. There is no legal requirement for an in-company “face book”, for instance, or a birthday calendar and the legal basis for the processing must be a legitimate interest (employees must be able to identify each other for the purpose of security) or the processing has to be based on the informed consent of the individual employees.
Sharing Data With Third Parties
In addition, make your employees aware of their rights, such as the right to be forgotten, the right to obtain restriction of data processing, and the right to object to processing. These rights cannot be invoked where you are legally required to process data. The storage period of salary details for fiscal purposes is, for instance, 7 years from the termination of employment. During this period, the (former) employee cannot require you to delete these data from your files.
Would you like to learn more about the GDPR and what you, as an organisation have to do for a “GDPR-proof” staff management? Would you like to make changes to your privacy statement, or would you like us to draft a processing agreement? Please contact us.