Since employers will almost certainly encounter two, employers must perform a DPIA.

Disclosure of rights

The RGPD confers on the person concerned a number of rights relating to his or her personal data, including the right to delete, the right to portability, the right to rectification, the right to restrict processing, the right of objection, etc. While many of these rights are limited in the employment context, many require employers to act to ensure that the rights of the individual concerned are protected. Therefore, employers must ensure that they have taken steps to inform workers of these rights, to give these rights to workers, and to allow them to continue to monitor the exercise of these rights in the future.

Appointment of a Data Protection Delegate (DPA)

The RGPD provides that a company must designate a DPA if its core activities involve regular and systematic monitoring of the person concerned on a large scale or the processing of sensitive data on a large scale. The problem with HR data processing is that it usually involves large amounts of sensitive data and staff monitoring. Therefore, a company that would not otherwise have to designate a DPA for processing customer or supplier data may be required to designate one for processing HR data.

Compliance with country data protection requirements

The RGPD allows EU countries to impose additional requirements for the processing of HR data through national laws and collective agreements, and these laws may be stricter than the RGPD. In France, there are laws prohibiting the transfer of personal data outside France. Germany has passed a law that imposes additional or stricter requirements for data processing.
In addition, many trade union collective agreements and enterprise committee agreements covering workers contain additional or stricter requirements for the processing of worker data. The same applies to compliance with country-specific labour legislation, which regulates how and when employee information is processed and for how long certain types of HR data can be retained.

Enforcement

Businesses are more likely to face enforcement issues with respect to employees' personal data, as workers and/or their unions and company committees are more likely to use workers' rights under the RPM, collective agreements, national data protection laws and corporate committee conventions.

Consent is the appropriate basis only in a very limited number of cases, e.g. if you want to process your employee's biometric data (for example, with fingerprint identification to gain access to the premises). In this context, the Greek data protection authority reminds us that, because of the imbalance between the parties, the consent of workers cannot generally be considered to be truly free, which is a requirement for valid consent. However, we believe that the RGPD has introduced some leniency to accept, in certain circumstances, the valid agreement of the workers, provided that the law or the collective agreements of the Member States permit it.

Organizations that use third parties to process staff data, such as recruitment agencies or wage processing providers, are responsible for ensuring that the third party is compliant with the RGPD and must have appropriate agreements in place. They must also comply with the RGPD's obligations on transferring data outside the EU.

Most employers will have to rely on "legitimate interests," but to do so, the employer will first have to do some groundwork.
In order to rely on the legitimate interest basis, employers must carry out a data protection impact study that weighs their legitimate interest against the data protection interests of workers. The difficult part is that this must be documented to prove that the legitimate interest of the employer outweighs the rights of the workers.