GDPR for employers: keep calm and accept the challenge

In Belgium too, companies are preparing for the European General Data Protection Regulation (GDPR for short). From May 25, 2018 onwards, the GDPR will apply to all companies in the European Economic Area (EEA). The goal of this regulation is to introduce similar rules across the whole Area regarding the processing of personal data and to protect these data.

The Member States can lay down further rules by law or CLA for some aspects, including employment relationships. So far, the Belgian government has not taken any initiative in this respect.

The processing of personal data in the scope of the GDPR is a broad concept and can involve collection, structuring, storage, consultation or use of data, whether or not by automated means. As soon as the processed data allow a specific person to be identified, they are personal data and the rules of the GDPR apply.

As an employer, you are a data controller with regard to the personal data of your employees. After all, it is you who determines why and how the data are processed. Apart from that, almost every employer will work with several data processors, who process the personal data of the employer's employees on the employer's instructions. With regard to its clients, Pro-Pay is such a data processor.

What are the basic principles of the GDPR?

The GDPR is an extensive document. We would like to highlight the most important principles you need to take into account as an employer.

  • Personal data can only be processed on certain grounds. The most relevant grounds in an HR-context are the following:
    A) Consent: if the person concerned has given his or her explicit consent, the processing will be lawful. A tacit approval or the use of boxes which have already been ticked will not be regarded as consent. Moreover, the consent can be withdrawn at any time.
    B) Respecting an agreement: much of the processing in employment law is lawful on this ground, for instance salary and personnel administration. Payroll data are indispensable for an employer to calculate and pay the salary correctly, as agreed upon in the employment contract.
    C) A legal obligation: the processing of some data is mandatory by law. In the scope of an employment agreement, it will for example be required to know the family composition of the data subjects in order to calculate a correct salary.
  • In principle, the processing of sensitive data (race, political and religious beliefs, criminal offences, etc.) is prohibited. Exceptions to this principle are the explicit consent of the person concerned or the necessity to process these data because of a legal obligation.
  • Free movement of personal data within Belgium and the EEA. When personal data are transferred to countries outside the EEA, the data controller needs to ensure an adequate level of protection of these data (some countries, such as Canada and Switzerland, are generally recognised as providing an adequate level of protection).
  • Extensive rights of the employees to access their data, receive a copy and correct them.
  • The right to be forgotten in certain circumstances and the right to portability of the data. The right to portability means that an employee has the right to receive all data that concern him or her and that he or she has provided to the employer, in a structured format that allows these data to be carried over to another data controller.
  • The right of employees to object to the processing of their personal data.

Article published with permission of Pro-Pay