Dive into the essential facts about protecting employee data with our top ten tips. Based largely on EU law but including aspects specific to German law, this guide offers crucial pointers to help you navigate the complexities of data protection in the workplace. Get ready to ensure your company's compliance and safeguard your employees' privacy.
No processing without a legal basis
When you process employee data, you must have a permitted legal basis for doing so - this is non-negotiable. Businesses operating in Germany must comply with the GDPR (General Data Protection Regulation) and local law addressing privacy, in particular the Bundesdatenschutzgesetz (the Federal Data Protection Act or BDSG).
The data protection laws apply to all employee personal data just as they do to customer personal data. Every piece of data, regardless of its source, is subject to the same level of safeguarding and respect for privacy. In addition, local laws regulate some aspects of employee data processing and can be even stricter. The GDPR mandates that personal data can only be processed where a permitted lawful basis applies. In addition to the bases in the GDPR, under s26 BDSG employers are allowed to process essential personal data without consent if it is necessary for starting, maintaining, or ending an employment relationship. This usually encompasses personal information, address details, account numbers, and tax information necessary for payroll processing (such as tax class and tax ID). It's worth noting that while consent may look like an appealing legal basis, it can be difficult to rely on in an employment context: the potential imbalance of power in the employer/employee relationship makes it hard to demonstrate that consent has been freely given, as the GDPR requires. Having said that, in Germany the BDSG does underline that freely given consent in an employment context is theoretically achievable provided certain conditions are met.
Don't forget: this applies to data of candidates, consultants and contractors as well!
Collect only what you need
When it comes to personnel files, less is more. In addition to the GDPR data minimisation and storage limitation principles, under s26 BDSG the principle of necessity dictates that you should only store data essential for the employment relationship. This includes application documents, employment contracts, and relevant personnel documents. Within an employment relationship, the employer might also have access to more sensitive data such as information on religious beliefs (which must be processed in Germany to comply with tax law) or health information. This sensitive data is subject to strict access limitations, and you must assess whether the level of risk is acceptable by performing a Data Protection Impact Assessment (DPIA, Article 35 GDPR).
Avoiding the storage of unnecessary information becomes crucial when an employee exercises their right of access under Article 15 of the GDPR (see below). In such instances, the company is obliged to provide the employee with a copy of all data held about them. Given that this data can potentially be used by the employee, for example in legal proceedings like unfair dismissal actions, it's wise to keep data retention to a minimum quite apart from the GDPR requirements to do so.
Restrict access to employee data
Keeping employee data secure is a top priority. According to Article 32 GDPR, access to personnel files must be tightly controlled, whether they're electronic or paper-based. This means ensuring robust access and input controls. Typically, only a select few, such as HR, direct supervisors and management, should have access. Additionally, all processing activities, like data entries or changes, need to be documented. Implement strong technical and organisational measures to safeguard the data, including encryption, access restrictions, and regular security audits. Your employee data needs to be protected from data breaches in the same way as your customer data.
Additionally, you want to make sure that there is no private personal employee data on your IT systems. In today's digital landscape, it's imperative to establish clear guidelines for internet and email usage within a company. In particular, where personal use is permitted, employees' privacy rights limit access to log files and to communications stored in the inbox. A straightforward policy covering how to use IT systems (including accessing emails and the internet) is a powerful tool to help ensure strict separation of private and business information.
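The access and input controls described above, as an added illustration that is not part of the original guide: an in-memory personnel-file store that checks every read and write against a role/category matrix (roles and categories are assumed, based on the HR/supervisor/management split and the payroll and special-category data mentioned in the text) and writes an audit entry for every attempt, allowed or not.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed access policy: which roles may touch which category of personnel-file
# data. Roles follow the text (HR, direct supervisors, management); categories
# separate ordinary file data from payroll and special-category data.
ACCESS_MATRIX = {
    "basic": {"hr", "supervisor", "management"},  # name, address, contract
    "payroll": {"hr"},                              # bank account, tax class, tax ID
    "sensitive": {"hr"},                            # religious affiliation, health
}


@dataclass
class AuditLog:
    """Append-only record of every read/write attempt (Art. 32 input control)."""
    entries: list = field(default_factory=list)

    def record(self, actor, role, employee_id, category, action, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "employee": employee_id,
            "category": category, "action": action, "allowed": allowed,
        })


class PersonnelFileStore:
    """In-memory personnel files; every access is checked and logged."""

    def __init__(self, log):
        self.log = log
        self.files = {}  # employee_id -> {category -> {field: value}}

    def _check(self, actor, role, employee_id, category, action):
        # Log before deciding, so denied attempts are recorded as well.
        allowed = role in ACCESS_MATRIX.get(category, set())
        self.log.record(actor, role, employee_id, category, action, allowed)
        if not allowed:
            raise PermissionError(f"{role} may not {action} {category} data")

    def write(self, actor, role, employee_id, category, data):
        self._check(actor, role, employee_id, category, "write")
        self.files.setdefault(employee_id, {}).setdefault(category, {}).update(data)

    def read(self, actor, role, employee_id, category):
        self._check(actor, role, employee_id, category, "read")
        return dict(self.files.get(employee_id, {}).get(category, {}))
```

The audit log is what lets you later show who accessed which category of an employee's file and when, including refused attempts; a production version would persist it somewhere the actors themselves cannot alter.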
Have privacy policies for employees and subcontractors
Transparency is key! Make sure your employees are informed about the data you collect, why you need it, and how you use it through clear internal data protection notices. Keeping everyone in the know not only builds trust but also ensures compliance with data protection law. Attention to detail is vital, especially when it comes to your subcontractors. Whether they are external payroll offices or IT service providers, these parties process data on your behalf and therefore fall under Article 28 GDPR. It's imperative to meet the Article 28 obligations, in particular by entering into Data Processing Agreements with subcontractors.
Empower employees
Employees have a robust set of rights when it comes to their data. Not only can they access their personnel file under the Betriebsverfassungsgesetz (the German Works Constitution Act, "BetrVG"), but they also enjoy all the rights granted by the GDPR. This includes the rights to access, to rectification, to be forgotten, and to restrict processing. The Article 15 subject access right is particularly important. When an employee exercises this right, the employer is required to provide not only a copy of their personal data but also information about its processing purposes, recipients, storage duration, and the individual's rights. This information will also have to be scrutinised to ensure that disclosure does not compromise the rights of other employees or individuals.
Companies need to implement systems to uphold these rights, ensuring that employee profiles remain complete and accurate. They may also need to appoint a Data Protection Officer (DPO). While the GDPR provides a broad DPO framework, the BDSG goes into greater detail, requiring companies with a minimum of 20 employees engaged on a recurring basis in automated personal data processing to appoint one. The DPO can be selected either internally from staff or externally using a specialised service provider. Internal DPOs are granted rights and protective measures. Their employer's ability to dismiss them is limited to exceptional circumstances during their tenure. Moreover, they enjoy extended protection from dismissal for one year following the conclusion of their term. For some businesses, it might, therefore, make more sense to assign an external DPO.
Deal with data after the end of the employment contract
Companies must establish clear protocols for data retention and deletion, ensuring information is held only for as long as necessary before being securely erased. While employee data is typically deleted on termination of employment, certain legal obligations mandate the retention of specific documents, such as payroll records. However, even in cases where data must be retained for evidentiary purposes, access should be restricted to essential personnel.
In Germany, applicant data, on the other hand, may only be stored for a maximum of six months following the selection process to address any potential grievances under the General Equal Treatment Act (AGG). Continued storage beyond this timeframe is only permitted with the explicit consent of the applicants.
Raise awareness and train your staff
Under Article 29 GDPR, organisations must cultivate a culture of confidentiality in their employees from day one. This entails educating them about data protection principles and enforcing strict rules against unauthorised processing of personal data. As part of the recruitment process, employees can sign a form along with their employment contract acknowledging this obligation. Regular training sessions are also crucial to keep employees informed about best practice for handling personal data. This proactive approach not only fosters compliance but also minimises the risk of data breaches stemming from human error. And don't forget to document the training your employees have received!
Whistleblower protection and data privacy: what you need to know
The Hinweisgeberschutzgesetz (the Whistleblower Protection Act, "HinSchG") brings in new measures to ensure compliance with EU law, making it mandatory for companies with over 50 employees to set up an internal whistleblower system. The HinSchG isn't just about compliance; it's also a significant factor in data protection. The law covers reports of breaches of GDPR requirements and involves handling sensitive personal data. Operating a whistleblower system means dealing with information about the whistleblower (if not anonymous), case details, and information about witnesses and other involved parties. Key data protection considerations need to be taken into account when designing and operating the whistleblower system: you'll need a legal basis to process this data, you should assess whether a DPIA is necessary, and you must implement robust technical and organisational measures.
Use data protection compliance to help attract investors
Data protection compliance instills both customer trust and investor confidence in today's competitive market. However, the repercussions of non-compliance can be severe, leading to significant financial penalties and reputational damage. Time is of the essence - initiating compliance efforts early mitigates complexity and costs. Prioritising data protection from the outset (privacy by design and default) ensures a solid foundation for sustained success.
Consult the works council
The works council holds co-determination rights regarding data protection in Germany, especially concerning the introduction of technical measures for data security or the collection, processing, and utilisation of employee data. This means that the works council must be consulted before the implementation of such measures and that its approval may be required, particularly if the measures could affect the rights of the employees.
These are just some of the main considerations when handling employee data. There are many nuances which become more complex as a business grows, particularly if it transfers personal data outside the EU (see our introduction to data transfers for more). Our international team will be happy to help you through the process.