Recent Changes to EU Employee Data Protection – Two Years to Comply with New Requirements

Orrick - Employment Law and Litigation

Employee data protection in the EU is subject to major changes, which are of particular note to multinational companies with employees in the EU.

A few days ago, after 4 years of negotiation, the European Parliament adopted the General Data Protection Regulation (“GDPR”). As it is planned to be effective in 2018, companies should be aware that they only have two years from now to prepare for compliance.

Orrick’s global Cybersecurity & Data Privacy team recently summarized the key changes in a blog post.

From an employer’s perspective, it is notable that many provisions in the new GDPR directly or indirectly concern employee data protection. The main novelties of particular relevance for employers are the following:

  • Scope of application: The GDPR also applies to a controller or processor not established in the EU when offering goods or services to EU citizens or monitoring their behavior.
  • Sanctions: For breaches of data protection law, companies may face fines of up to EUR 20 m. or 4 % of their worldwide annual turnover.
  • Consent of employee: Consent to the processing of the employee’s personal data is still possible; however, a statement or clear affirmative action with regard to the employee’s agreement is required, and the consent is revocable at any time.
  • Works agreements: Although consent by means of a collective agreement remains possible, new substantial requirements must be considered by employers and works councils regarding existing and future works agreements. Worth mentioning are in particular the required precise and transparent description of data processing, the requirement to name both the rights of the affected persons as well as the obligations of those responsible for the data processing, and the mandatory illustration of possible changes in purpose of collected data.
  • Accountability: Employers will be required to provide data subjects with detailed documentation on processing as well as the legal basis for processing. In certain contexts, data protection impact assessments will have to be arranged. Furthermore, employers have to keep documentation on the personal data being processed and the purposes of such processing. In addition, a new provision requires that companies must report any security breaches to the data protection authorities on their own initiative.
  • Administration: The newly required evaluation process of possible implications of data protection and prior consultation will require considerable effort from companies. The same is true for the new data transfer right and data deletion right of employees.

Apart from these new obligations for employers, especially regarding information and transparency towards employees, it is possible for national governments to adopt supplementary provisions in order to take into account national peculiarities. Therefore, most German regulations as well as settled case law by German labor courts will likely continue to apply.

Given the many new documentation requirements on the one hand and the difficulty of maintaining control over personal data on the other, it is strongly recommended that companies start preparing for the new data protection regime.

For co-determined companies, it is important to note that most provisions on the processing of employee data require the consent of the works council. Consequently, time for negotiations should be taken into account when planning new processes and policies in relation to employee data.

With regard to recent developments concerning the EU-US Privacy Shield, which is meant to regulate the transfer of personal and employee data from Europe to the United States as a replacement for the Safe Harbor Framework, we will provide a separate blog post in due course.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Employment Law and Litigation | Attorney Advertising
