Which employers are covered by the General Data Protection Regulation (GDPR)?
If a company, regardless of its location, has EU- or UK-based employees whose behaviour it "monitors", it will need to comply with the GDPR in respect of its processing of those employees' personal data. "Monitoring" is not defined in the GDPR itself, but it is likely to cover the normal day-to-day tracking of employees' activities that most, if not all, employers undertake, for example in order to take disciplinary, performance or other employment-related actions.
Given the technologies employers use, and require EU- and UK-based employees to use, in the workplace, employers with EU- or UK-based employees should assume that they are covered by the GDPR. This means that companies based outside the EU and the UK will need to comply with the GDPR in respect of their EU- and UK-based employees, even though they may have no corporate presence there. Such companies must also appoint a representative (Article 27 GDPR) established in one of the EU Member States where they have EU-based employees and, separately, a UK representative for their UK-based employees.
What do employers need to do?
The GDPR requires that employers take certain steps prior to, and while, processing employees’ personal data including:
- collecting employees’ personal data for specified, explicit and legitimate purposes;
- providing certain information regarding their processing of employees’ personal data to employees;
- allowing employees to exercise certain rights over their personal data;
- limiting access to employees' personal data and keeping it secure;
- having a legal basis for the processing of employees’ personal data;
- only transferring employees’ personal data outside the European Economic Area (EEA) and UK if the data are adequately protected; and
- notifying the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and notifying the affected employees themselves if the breach is likely to result in a high risk to the rights and freedoms of natural persons.
Can employers rely on employees’ consent to process their data?
Prior to the GDPR coming into force, many companies relied on employees' consent to process their personal data, and short consents were often included in the employment contract. However, under the GDPR, for consent to be valid it must be freely given, specific, informed and unambiguous, and it must be possible to withdraw it at any time, as easily as it was given. The GDPR recognises that consent is unlikely to be freely given where there is a clear imbalance of power between the data subject and the controller, and the EU data protection authorities' guidance treats the employment relationship as such an imbalance, so employees can give valid consent only in exceptional circumstances. In reality, it will be extremely difficult for employers to rely on consent to process employees' personal data.
What should employers do instead of relying on employees’ consent?
Consent is only one of a number of potential legal bases for processing employee data. Alternative legal bases include processing being:
- necessary for the performance of the employment contract. This would cover, e.g., employees' bank account data which the employer requires to pay employees;
- necessary to comply with a legal obligation. This would cover, e.g., processing of sickness absence data to facilitate the payment of statutory sick pay in the UK (note that sickness absence data is health data, a special category of personal data, so the employer also needs a separate condition for processing it, such as the condition covering obligations under employment law); and
- necessary for the employer's legitimate interests, provided those interests are not overridden by the interests, rights and freedoms of the employees concerned. This is potentially wide in scope, but it requires a documented balancing test rather than a bare assertion of interest.
What steps should employers take to comply with the GDPR?
Companies should review their template employee documentation, such as employment contracts and any free-standing employee data processing consents. For both new hires and existing employees, companies should replace the consent language in these documents with language referencing the alternative legal bases referred to above. For existing employees, companies should also roll out employee data processing notices which set out these alternative legal bases and the other information employees are entitled to receive.
What are the potential sanctions for non-compliance?
Failure to comply with the GDPR can result in fines of up to €20 million or 4% of a company's (or, where the company is part of a group, the whole group's) annual worldwide turnover, whichever is higher. This is significantly higher than the penalties available under the previous regime (e.g. fines of up to £500,000 in the UK).