Data Protection and Human Resources
Human Resources Data Protection
The processing of personal data of the Human Resources of any company is regulated by the European (RGPD) and Spanish (LOPD-GDD) data protection regulations. These regulations contain some essential principles that determine whether the employment relationship between the company and its employees or job applicants complies with the aforementioned regulatory framework:
Legitimacy of the treatment
Information and Rights
Consent
Minimization Principle
Safety measures
Below we analyze each of these principles, showing the implications that the processing of HR data has under the Data Protection Regulation. Our aim is to offer some guidelines to follow when processing HR personal data and to go into detail on more specific cases where companies may not be aware of the rules they must follow to comply with the Data Protection Regulation:
Legitimation
The company needs, and is obliged, to request certain data from the employee in order to conclude and maintain the employment contract (legitimacy of the processing). But not everything is permitted: the data requested must be relevant, appropriate and limited to the purpose for which they are collected.
That is to say, the company needs data to fulfill its employment contracting, social security and tax obligations, so it is necessary to ask the worker for his/her name, surname, ID card number, age and social security number, but not for personal telephone numbers or e-mail addresses.
It is also common to request certain accreditations depending on the job position, as is the case of the criminal record certificates required by Organic Law 1/1996 on Legal Protection of Minors for jobs that involve direct contact with minors. On other occasions the certifications requested are driving licenses, for example in transport companies, to verify whether the candidate can drive vehicles with certain characteristics. In the same sense, there are positions that require specialized knowledge or authorization to practice (doctors, architects, etc.).
On the other hand, workers or job applicants are not obliged to provide their social network profiles so that the employer can inquire into their opinions, preferences, friendships and other personal matters, nor is the company entitled to send ‘friend’ requests to candidates or workers.
Information and rights
The employer is obliged to inform the worker or job applicants about the purpose of the processing of the requested data, the legitimacy of such processing, storage periods, possible transfers to third parties, as well as informing them of their rights (access, rectification, deletion, limitation, opposition, portability, claim before the supervisory authority), and how they can exercise them.
This is important and should be taken into account in business groups where the parent company assumes and centralizes the administrative and labor management of the other companies, as this arrangement must be communicated to the employee.
Consents
There are cases in which express consent may be requested from the employee to process certain data beyond those considered legitimate, such as images for publication on the corporate website, as well as consent for the transfer of data to third parties unrelated to labor matters (e.g. collaboration agreements), means of communication to be agreed between the parties (e.g. e-mail or instant messaging), etc.
However, consent is not always a valid basis of legitimacy. A good example is asking the worker to hand over to the company the clinical reports resulting from the medical examinations included in workers’ health surveillance: consent requested in that situation may be vitiated by the consequences of a refusal.
Therefore, consent must be free and without consequences in case of refusal and it is not admissible to create black lists that identify or discriminate against workers or job applicants based on their decision.
On the other hand, there are cases where the company can legitimately process data without the worker’s consent, for example the processing of video surveillance images, although this should be analyzed in more detail in each case. Nor is consent required for the use of systems for monitoring information systems or for recording geolocation data as part of the control functions granted to the company by the Workers’ Statute. Other cases where consent is not required are processing for compliance with legal obligations or for health issues of public interest.
In the same sense, there are transfers that do not require consent, as is the case of the international transfer of data for the execution of an employment contract or a business relationship. However, in all of the above cases it is mandatory to inform employees about the use of these mechanisms.
As a relevant novelty, according to a recent AEPD publication on the processing of personal data by the company in its labor relations, it is acceptable to receive CVs on paper, informing applicants by means of an informative poster.
Remember that receiving CVs by e-mail is feasible, although it requires a reply from the company and, in turn, the applicant’s affirmative response to the processing and to any other information or consents requested by the company. This option requires monitoring, and Business Adapter® discourages it because of the workload involved, offering much more practical alternatives with full guarantee of compliance.
Minimization Principle
In order to determine which data can be processed in compliance with the minimization principle, a processing assessment should be carried out, applying the following tests:
- Necessity test: determine whether the measure is really necessary and whether alternatives are available for the proposed purpose.
- Adequacy test: establish whether the measure adopted actually achieves the proposed purpose.
- Proportionality test: determine whether the proposal offers benefits for all parties involved.
A practical example: the company wants to implement a working-day registration system that includes geolocation. The first step is to analyze whether working time registration is necessary; since the answer is obviously yes, the other existing methods of achieving that goal are then analyzed, and the chosen one should bring benefits to all. In this case, however, the company achieves its goal at the cost of a burden on the worker, because the company knows his/her location at all times. The proportionality test is therefore not satisfied, but the analysis shows that the same means can be used with a less intrusive technique: recording the worker’s location only at the moments when he/she starts and ends the day, not continuously. That benefits everyone.
Safety measures
A fundamental principle of the company with respect to labor relations is the adoption of security measures that guarantee the confidentiality, integrity and availability of the personal data processed.
For this, the governing body of the company must develop and approve security policies, manuals of standards to be met by workers, and a schedule of the training needed to ensure that all staff know how to act in each case, building a corporate culture and awareness of personal data protection and information security.
Taking the minimization principle into account, consider a CV, which offers abundant information about the individual: it contains identification, professional and academic data, sometimes health-related data (disabilities, allergies or intolerances), and hobbies. In other words, the CV as such gives us a profile of the job candidate, and it seems sensible to conclude that reinforced security measures should be applied without hesitation whenever special category data are present.
Data Protection Officer
What everyone agrees on is the benefit of appointing a Data Protection Officer (DPD / DPO) in the company as far as labor relations are concerned.
The DPO may be hired externally or be part of the staff, may be a legal or natural person, and may be appointed voluntarily or on a mandatory basis. For the latter case, Article 34 of the LOPD-GDD determines which activities must appoint a DPO on a mandatory basis:
- Public or private health centers.
- Educational centers.
- Financial institutions and credit institutions.
- Distributors and marketers of electricity and natural gas.
- Professional associations.
- Sports federations when processing data of minors.
- Etcetera
The requirements that must be met by a data protection officer, according to Article 37, are:
- He or she shall be appointed on the basis of professional qualifications and, in particular, specialized knowledge of data protection law and practice and the ability to perform the duties referred to in Article 39.
Article 39 of the GDPR sets out the functions assumed by the Data Protection Officer. We detail some of them:
- Obligation of secrecy and confidentiality regarding the performance of their duties.
- Cooperate with the AEPD and act as the AEPD’s point of contact in the company.
- Inform and advise the company and its employees of their obligations regarding Personal Data Protection.
- Oversee compliance with data protection regulations and policies approved by the company, including assignment of responsibilities, staff training and audits.
- Attend to data subjects in the exercise of their rights and in everything related to their personal data.
- Provide the necessary advice on the impact assessment and supervise its implementation.
Other HR processing with data protection implications
Whistleblowing systems for internal channeling of complaints
These are ethical whistleblowing channels, in the form of an online mailbox, where the whistleblower (e.g. an employee or candidate) exposes unlawful acts or acts contrary to the Workers’ Statute, and where the person being reported can be identified. The consent of the reported party is not required for these matters, as the legitimacy is based on Article 6.1.e) of the RGPD, although the information obtained may not be used for other purposes.
Although the channel should make it easier for the whistleblower to decide whether to do so anonymously or not, the necessary security measures should be applied to ensure the confidentiality of the persons involved until the facts are clarified.
These channels or mailboxes are usually managed by external consultants, who assume the status of Data Processor, so that the investigation of the facts is independent. Both the operation and use of the channel and the identity of the external consultant must be made known to the staff.
Wearable Technology
The monitoring of health data on smart devices, such as bracelets or watches, is generally prohibited, as such action is considered a violation of the principle of proportionality, since it results in permanent monitoring and would allow the employer to access specific health data, and not exclusively to assess fitness for work. These systems would be acceptable if access to the data were exclusive to the worker who uses it.
Record of the working day.
The record shall be kept in the least invasive way possible, and shall not be publicly accessible or accessible to other colleagues, nor shall it be located in a place visible to third parties or colleagues, in the case of paper documents. More information about the Workday Register.
Victims of workplace harassment or survivors of gender-based violence.
Data relating to cyberbullying, workplace or sexual harassment, and to survivors of gender-based violence, are considered special category data, and the need is established to implement specially reinforced processing and protection systems to avoid identifying both victims and their harassers.
We remind you of the existence of the Priority Channel of the AEPD to denounce some of these acts.
There are more treatments that affect the employment relationship in companies and that we have already analyzed in our blog, such as:
Video surveillance
Geolocation
Biometrics
And others that are also known and of which we conveniently advise all our clients, as is the case of:
Psycho-technical or psychological tests
Salary record
Labor control (absenteeism / productivity)
Insurance and pension plans
Legal representation of employees
Union relations
Grants awarded for social action
Etcetera
Business Adapter® data protection in constant evolution
Our quality commitment to our clients is based on knowledge of the regulations (European and Spanish); experience in offering solutions that comply with the law while fitting the daily operation of any company; training on regulatory developments that shape the advice we give our clients; and a constant effort to improve our processes so that our data protection services match our clients’ needs and guarantee full regulatory compliance. All this with our unique implementation system, delivered in record time and in a simple and understandable way.
Everything you need to comply with the RGPD and the LOPD is in Business Adapter®.
Don’t settle for less and delegate everything to Business Adapter®.