Human Resources

AuthorKatherine H Woodcock; W Gregory Voss
Pages97-129
97
4
Human Resources
The processing of employees’ personal data by employers is extensive, as are the
privacy concerns it raises. Whenever acting as an employer and processing per-
sonal data of employees (for example, in a personnel le, when granting benets
and options, for payroll purposes, etc.), organizations—specically the employing
entity—will act as the controller. Therefore, processing within the human resource
(HR) context is generally the most widespread and common processing undertaken
by organizations. This processing is further complicated in larger—multinational—
organizations, where personal data is frequently stored, transferred, and accessed
outside of the European Union. This Chapter will rst deal with general provi-
sions relating to human resources (Section I), then it will address technology and
employee relationships including e-mail, video surveillance, social media, BYOD,
and GPS and biometrics (Section II), and nally it will discuss the subject of sen-
sitive data (in the EU sense of the term), including health and background check
information (Section III).
I. GEN ERAL PROVIS IONS R ELATING TO HUMAN R ESOUR CES
Personal data processed in an employment relationship must be looked at in context.
Indeed, national labor laws of the countries where employees habitually carry out
their work must be investigated in addition to any analysis under the Directive. These
labor laws are outside the scope of this book; however, it is important to understand
at what point to turn to the relevant labor laws.1 In addition, fundamental data pro-
tection principles (nality, transparency, legitimacy, proportionality, accuracy, and
retention of the data, security, and awareness of the staff),2 discussed in Chapter 1,
Section III, apply to the processing.
1. The Working Party has highlighted the relationship with labor law as follows: “[D]ata protection
law does not operate in isolation from labour law and practice, and labour law and practice does not oper-
ate in isolation from data protection law. This interaction is necessary and valuable and should assist the
development of solutions that properly protect workers’ interests.” See Working Party, Opinion 8/2001
on the Processing of Personal Data in the Employment Context (WP 48) (Sept. 13, 2001), at 4 [hereinafter
WP 48], http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/
les/2001/wp48_en.pdf.
2. For a discussion of these principles in an employment context, see WP 48, at 19–22.
woo51396_04_c04_097-130.indd 97 12/4/15 4:35 PM
98
Navigating E U Privacy and Data Protec tion Laws
A. Records in the Employment Context
WP 48 of the Working Party sets out some examples of records in the employment
context that typically contain personal data and, hence, are subject to the provisions
of the Directive:3
• Application forms, resumes/CVs and work references
• Payroll and tax information-tax as well as social benets information
• Sickness records
Records on annual leave, including vacation and maternity/paternity leave, and
unpaid leave/special leave records
• Annual appraisal, evaluations or assessment records
• Records relating to promotion, transfer, training
• Disciplinary records
• Records relating to accidents at work
Information generated by computer systems (such as user names, computer or
laptop terminal numbers, etc.)
• Attendance and time records
Emergency contacts as well as beneciaries and dependents for compensation
and benets purposes
• Reimbursement of expenses, for example travel
Other categories could include contact details or photographs for company direc-
tories and the inclusion of a responsible employee contact for a customer, client, or
service ticket.
One complication arises where records are kept in manual form, as not all manual
records fall under the Directive. In order for the Directive to be applicable to manual
records, the records must “form part of a ‘personal data ling system.’”4 The latter
is dened in the Directive as “any structured set of personal data, which are acces-
sible according to specic criteria, whether centralized, decentralized or dispersed
on a functional or geographical basis.”5 However, the Working Party comments that
“[m]ost employment records are likely to fall within this denition,” but in certain
3. Id. at 7.
4. Id. at 13. Indeed, Article 3(1) of the Directive provides that “[t]his Directive shall apply to the pro-
cessing of personal data wholly or partly by automatic means, and to the processing otherwise than by
automatic means of personal data which form part a ling system or are intended to form part of a ling
system.” Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protec-
tion of individuals with regard to the processing of personal data and on the free movement of such data
[hereinafter Directive], 1995 O.J. (L 281) 31 (Nov. 23, 1995), art. 3(1), at 39.
5. Directive, art. 2(c), at 38. For a discussion on the different ways that Member State national laws
have implemented this denition, and for the ramications of such divergent transpositions of the Direc-
tive, see Douwe Korff, Study on the Protection of the Rights and Interests of Legal Persons with regard to
the Processing of Personal Data relating to such Persons, at 19–20, Study Contract ETD/97/B-5-9500178,
European Commission, Brussels, Oct. 1998, http://ec.europa.eu/justice/data-protection/document
/studies/les/20000202_rights_interests_legal_en.pdf.
woo51396_04_c04_097-130.indd 98 12/1/15 5:44 PM
99Human Resources
countries some handwritten notes are excluded by implementing measures, when not
contained in a ling system.6
B. Lawfulness of the Personal Data Processing
Also interesting is the application of the criteria for lawfulness of the processing of
personal data (see Chapter 2 Section IV.D) in the employment context. Lawfulness
must be established under Articles 6 and 7 of the Directive. Article 8 of the Directive
concerns sensitive data, which is discussed in Chapter 4 Section III. As Article 6 of
the Directive refers to data quality and the collection, processing, or keeping of data,
we will turn instead to Article 7.
The main legitimating criteria for personal data processing in the employment con-
text are contained in Article 7(1) (b), (c), and (f) of the Directive. In the rst such para-
graph, processing is legitimate when “necessary for the performance of a contract to
which the data party is subject.” This is often the case in a contract of employment that
requires, for example, the processing of salary and other payments. In Article 7(1)(b),
processing may be lawful if “necessary for compliance with a legal obligation,” such
as where the employer must disclose data to the tax authorities or for social security
payments. Finally, in Article 7(1)(f), processing may be legitimate where “necessary
for the purposes of the legitimate interests pursued by the controller or by the third
party or parties to whom the data are disclosed, except where such interests are over-
ridden by the interests for fundamental rights and freedoms of the data subject.” Here
the issue is the balancing of interests of the controller with those of the data subject.
It is worth noting that there is a residual right to object to processing under Article
7(1)(f); the Working Party points out that “the worker retains the right to object to
the processing on compelling legitimate grounds.”7 In practice, the exercise of this
right depends on the exact circumstances of processing; it is difcult to clearly carve
out the situations where it straightforwardly applies. Nevertheless, if an employee
does object to processing, a distinction must be made between the personal data that
the employer needs for the functioning of a proper employer-employee relationship
(likely falling under Article 7(1)(b) or (c)) and the personal data processed on its legiti-
mate interest. The employee would have to object that his or her fundamental rights
would outweigh the employer’s legitimate interest in a particular circumstance. If an
employee objects to the processing of his or her social security or tax identication
number in the personnel le, this objection would not be successful as this informa-
tion is necessary for the employer to make social security or tax contributions under
the law. Another example could be the objection of an employee to the processing of
his or her photograph in a company directory. Here, the employee could legitimately
object to this processing, as the processing is not necessary for the employment
6. WP 48, supra note 1, at 13.
7. Id. at 15.
woo51396_04_c04_097-130.indd 99 12/1/15 5:44 PM

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT