The Institute of Continuous Professional Training and Education (ICPTE) offers an extensive variety of Self-Paced Online and Live Online seminars created by Professional and qualified Instructors with years of experience in their field.
Processing of employees’ personal data
Regulation EU 2016/679 (General Data Protection Regulation or simply “GDPR”) entered into force and applies from the 25th of May 2018. GDPR is a set of rules relating to the protection of natural persons regarding the processing of personal data and in relation to the free movement of personal data.
According to the GDPR, the processing of personal data always requires a legal basis. That means that a Company that processes personal data shall ensure that the processing of personal data is lawful.
A company processes the personal data of data subjects. A data subject is defined by the GDPR as an identified or identifiable natural person, in particular by reference to an identifier (such as a name or ID number), from whom or about whom personal data is collected. A person is “identified” if “within a group of persons” he/she is “distinguished from all other members of the group”. A person is “identifiable” if it is possible to identify him/her. Personal data is any information relating to a natural person (data subject), for example a full name, ID number, passport number, an online identifier, etc.
A person can directly be identified with his/her name. Indirectly, a person can be identified through information about his/her residence, phone number, ID number, etc.
The employees of a Company are data subjects for the Company. Therefore, a Company is obliged to comply with the GDPR provisions when it processes their personal data. A Company can process an employee’s personal data for various purposes related to employment (e.g. to perform the contract of employment, for health and safety at work, for equality and diversity in the workplace, etc).
The provision of information to data subjects regarding the processing of their personal data is an important provision of the GDPR. Therefore, a Company is obliged to provide certain information to its employees regarding the processing of their personal data.
What information must be provided to employees
When personal data is collected from an employee, the Company must provide to the employee, at the time when personal data is collected, the following information:
a) The name and contact details of the Company.
b) The contact details of the DPO.
c) The purpose(s) of the processing and the legal basis on which the personal data of the employee is collected (in accordance with Article 6 of the GDPR).
d) In case the legal basis of the processing is the legitimate interests of the Company, the Company must inform the employee of these legitimate interests.
e) In case the Company shall transfer the personal data of the employee to any recipient, the Company must inform the employee of this recipient or at least of the category of recipients (e.g. personal data shall be transferred to ABC Ltd, which is the accountant of the Company).
f) The fact that the Company shall transfer personal data to a third country or to an international organisation and the security measures to protect the employee’s personal data during the transfer.
g) The time period that the Company shall keep the personal data of the employee in storage or at least the criteria that the Company uses to determine that time period. (e.g. during the employment period and for seven years after the termination of the employment period)
h) The fact that the employee has a number of rights as provided in the GDPR (e.g. the right of access to personal data, the right to rectification of personal data, etc).
i) The right of the employee to withdraw his/her consent, in case consent is requested by the Company.
j) The right of the employee to lodge a complaint with a supervisory authority. (e.g. with the supervisory authority for personal data in Cyprus, that is the “Office of the Commissioner for Personal Data Protection”)
k) Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract. Furthermore, whether the employee is obliged to provide the personal data, and the possible consequences of failure to provide his/her personal data to the Company. (e.g. the Company needs to collect the employee’s bank account details for payroll purposes)
l) The fact that the Company uses an automated decision-making process, including profiling, and information about the logic involved in such processing. Also, the Company shall inform the employee of the consequences of such processing for the employee. (e.g. the Company uses an automated decision-making process to assess the employees’ performance and productivity using digital data from employees’ records)
Also, in case the Company shall collect personal data not directly from the employee but from another source, the Company must inform the employee of the source from which his/her personal data have been collected and whether they have been collected from a publicly accessible source. In this case, the information must be provided to the employee a) within a reasonable period after the personal data have been collected, but at the latest within one month from the date when the personal data have been collected, or b) at the time of the first communication with the employee, or c) at the time when the personal data is first disclosed to another recipient.
In addition, in case the Company further processes the personal data of an employee for a purpose other than that for which the personal data was collected (e.g. for a purpose other than the employment), the Company must provide the employee, prior to that further processing, with information on that other purpose and with any relevant further information.
It is good practice for the Data Protection Officer (DPO) of the Company to review and ensure that the Company has provided the necessary information to the employees. A Company should keep evidence in place to demonstrate that the employees have been informed of the processing of their personal data.
In the context of the employment relationship, an employee is expected to provide information which is required by the Company (employer) for the performance of the contract of employment. The protection of personal data has an impact on handling recruitment, keeping employees’ records and many other Human Resource activities for a Company. A Company must understand its responsibilities as an employer and apply the necessary security measures to protect its employees’ personal data. Providing the necessary information to employees regarding the processing of their personal data is an obligation of the Company in order to comply with the GDPR.