Following last year's event on the fuss generated by the General Data Protection Regulation (GDPR), this week we discussed with our community how things have evolved and where they stand now, one year later. Together with Tudor Galos, we discussed the main HR issues related to GDPR compliance.
1. Employee consent: Under the GDPR, consent must be "freely given, specific, informed and unambiguous". Because of the imbalance in the employer - employee relationship, consent cannot always be correctly used as a basis for data processing. Don't assume that you need employees' consent for every piece of information you process - start with a detailed risk assessment and determine the basis for the processing. Check the legitimate interest or legal obligation basis instead.
2. CVs: collected data can be kept only as long as necessary to accomplish "specified, explicit and legitimate purposes". Once you have closed the job opening, you no longer have a legitimate purpose to keep the collected CVs. To be able to keep the CVs for a longer period, rely instead on a legal basis such as additional consent, legitimate interest (be aware of the LIA - legitimate interests assessment) or a contract (in the case of talent community platforms).
4. Suppliers: have a clear view of who your suppliers are (REVISAL, recruitment agencies etc.) and determine their roles: are they joint or independent representatives of controllers, or processors?
5. Photos and videos: Make sure everyone looks nice in these. Some good practices for specific cases:
- Photo on the access card: the possible basis to use is legitimate interest, as the employer or the landlord wants to limit unauthorized access to the building;
- Photos at corporate events: legitimate interest might be used, noting that employees have the right to refuse to appear in those pictures. Also, make sure everyone looks nice in the pictures;
- Photos for employer branding campaigns: sign a contract for the right to use the pictures. For digital channels this is much easier, but for outdoor & TV the recommendation is to have a contract; otherwise, financially speaking, it might hurt;
- Events for employees' children (Christmas, Kids' Day etc.): create a form so that employees can voluntarily register themselves and their children for participation. Again, make sure everyone looks nice in the selected pictures.
6. Closed-circuit television (CCTV): Camera use might violate several rights of employees, such as the right to privacy. It is recommended to carry out a DPIA (data protection impact assessment). In the case of electronic monitoring systems, legitimate interest may be considered only if the company complies with the conditions set out in Law no. 190/2018 (art. 5).
8. Data-loss prevention systems: these systems provide informational support and tools that help implement the GDPR: deleting personal information when it is no longer needed, restricting personal data usage, maintaining data security standards, preventing personal data loss, identifying where data are stored etc.
9. Employee empowerment: Train your employees and make them feel responsible for keeping data safe - sign an addendum to the labour contract, implement an internal data processing policy, organize training (online and in person), send newsletters, test employees periodically etc.
In conclusion, don't assume! Instead, do proper research. Don't do something just because others do it, and remember: Give Data Proper Respect.
HR Hub Team