October 16, 2019


The Countdown Begins for GDPR Compliance for EU Human Resources Data

On May 25, 2018, a short 12 months from now, employers must be in full compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for EU human resources data. The GDPR requirements regarding notice, data breach notification, consent, and an individual’s access to data are significantly broader and stricter than the requirements under current national data protection laws and the EU Data Protection Directive. Additionally, the penalties for noncompliance with the GDPR are severe. Employers that violate the GDPR face fines of 20 million Euros or 4 percent of the company’s worldwide revenue, whichever is greater.

GDPR Compliance for HR Data Is Complex

Compliance with the GDPR for HR data will present greater challenges than the compliance requirements for customer data. For example, the GDPR expressly provides that individual EU Member States may enact laws specific to the processing of employee data to implement the GDPR. Germany and Austria have already passed legislation that provides for specific requirements regarding employee data or specifies that the processing of employee data will be governed by national employment laws in addition to the GDPR. Thus, to comply with the GDPR, employers must analyze and follow the data protection and employment requirements of each EU Member State in which they have employees.

Some other areas where GDPR compliance will differ for HR data include the following:

  • While businesses typically rely on a customer’s consent to collect and process the customer’s information, employers generally will not be able to rely upon an employee’s consent to process the employee’s data, because such consent will not be deemed voluntary or freely given in light of the unequal bargaining positions of employers and employees. Thus, employers must rely on other grounds to legally process employee data.

  • Unlike customer data, which typically is collected and processed through business websites, employee data is collected and stored in multiple sources such as human resources information systems (HRIS), corporate intranet and email systems, social media platforms, mobile devices, and third-party payroll and benefits service providers’ systems. Thus, mapping employee data and providing employees access to their data will be more complex.

  • The GDPR restricts the processing of criminal history information to only those situations specifically authorized by EU or Member State laws. Thus, employers must tailor their criminal background check procedures to comply with individual Member State laws.

  • The GDPR creates new rights for data subjects regarding the portability of their data. Employers will need to provide a mechanism to permit terminated employees to transfer their data to new employers.

Next Steps

Because GDPR compliance for human resources data will be different from and more complex than compliance for commercial data, companies’ human resources departments and internal employment counsel should take the lead regarding their organizations’ compliance efforts. Further, while the GDPR effective date of May 25, 2018, seems to be a long way off, employers need to begin compliance efforts now to complete all compliance requirements by the effective date and avoid severe penalties.

© 2019, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

About this Author

Grant Petersen, Labor, Employment, Ogletree Deakins
Shareholder

Mr. Petersen represents and counsels employers regarding a broad range of U.S. and international labor and employment law issues, Foreign Corrupt Practices Act and other anti-corruption law issues, and data privacy and data protection law issues. He represents clients in a wide variety of industries, including manufacturing, service, healthcare, financial, retail, and food processing, as well as multinational companies and trade associations.

813-221-7231
Simon McMenemy, Labor Employment, Managing Partner, New York, Ogletree Deakins law firm
Managing Partner

Simon is an experienced employment law practitioner. He was called to the Bar in 1995, and subsequently qualified as a solicitor while working in the employment and incentives team of a major global law firm. He has advised on the employment aspects of many major international and multi-jurisdictional mergers and acquisitions. He also has a wide range of experience in advising companies on change management, particularly in relation to acquired rights, pensions and benefits. Simon advises on the increasingly complex issues arising on data privacy and data protection in the workplace and is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals. He is a trusted advisor to many employers on all their people management issues and has particular expertise in investigations, including those relating to potential business ethics violations. Simon is a trained mediator and is also a senior reservist officer in the military.

44 (0)20 7822 7620
Hendrik Muschal, Ogletree Deakins, Employment Attorney, Germany
Managing Partner / Certified Specialist for Employment Law

Hendrik Muschal is a partner in Ogletree Deakins’ Berlin office. He advises numerous German and international clients on all aspects of individual employment law, collective employment law in both the private and public sector, international employment law and criminal labor law. Hendrik is strongly involved in international business activities, particularly in the field of international investments and cross-border transactions as well as global HR management.

One of the focal points of Hendrik’s work regarding global HR management is data protection and monitoring inside the EU...

+ 49 (0) 30 862030 161