Matheson legal experts discuss the importance of reviewing employee documents for GDPR compliance.
Employers must now show how they comply with data protection principles, and be clear and open with employees about the data processing and the rights of the employees.
The additional employment documentation that employers have in place will play a vital role in demonstrating GDPR compliance generally. Below, we focus on three examples of this: the employment contract data protection clause, the data protection policy and the privacy statement.
For employers, the contract of employment is the first document that should be reviewed. Thereafter, a data protection policy and a privacy statement should be put in place, either combined as one document or two separate documents.
While they can be included in the employee handbook, our recommended approach is for these two documents to sit outside the handbook. That way they can be updated when and if required to reflect the constantly changing organisational needs of a business; otherwise an updated handbook may need to be reissued quite frequently.
To ensure that you as an employer can demonstrate compliance with GDPR and the transparency requirements, we would recommend that upon commencement of employment, you obtain a written acknowledgment from the employee that they have received a copy of the organisation’s data protection policy and privacy statement (and also the handbook, if contained in it).
Contracts of employment
Most employment contracts contain an express provision confirming the consent of the employee to the processing of personal data. However, under GDPR, an employer will need to review these template contracts to consider the extent to which consent is still appropriate. In most cases, it will not be.
For now, our recommended approach is for employers to keep the contractual clause relatively general and to refer to the detail in the privacy statement and data protection policy, in the same way that a contract will refer to a disciplinary procedure rather than list its details in the contract itself.
Privacy statement
A privacy statement is a short document that clearly states the basic information on how an employer gathers, uses, discloses and manages an employee’s personal data. Privacy statements are critical to complying with the transparency obligations in GDPR, so it is vital that they are presented correctly and have the appropriate information included in them. Among other things, a privacy statement must state, in clear and plain language, the following:
- the legal basis for the employer’s processing activities, whether contractual necessity, compliance with a legal obligation or otherwise
- the period for which data will be retained
- the new and enhanced rights of employees, such as the right of erasure, the right of rectification, the right to restrict processing, the right to object to processing and the right of data portability
- details of the data protection officer, as well as details of the employee’s right to complain to the relevant supervisory authority
Data protection policy
A data protection policy on the other hand is a document that should clearly set out the role of employees relating to the use of personal data by the organisation.
It can contain some of the information mentioned above, including the rights of the employees, but, equally importantly, should contain the obligations that apply to employees who handle personal data, be that within the HR function or more generally in relation to customer or business contact data. The policy should also ideally deal with subject access requests, including an authentication and response procedure for any subject access requests received.
For employers, the contract of employment is the starting point when reviewing employment-related documentation for compliance with GDPR.
A version of this article originally appeared on Matheson’s website.