Data Protection Summer Dive - Data Protection @ Work (Part 2/2)

Each week in July and August, our focus will be on a different topic that has been scrutinized by the Belgian Data Protection Authority. With a few simple tips, your summer cocktail of data protection news will be complete.

This week’s topic: Data Protection @ Work (Part 2/2)

In some of its recent enforcement decisions, the Belgian Data Protection Authority (“DPA”) has given further guidance on the application of the GDPR in an employment/HR context.

Below, we have summarized our key findings in this respect, noting that the DPA has also expressly stated that it is not its intention to interfere with the competences of the labour courts, only to enforce compliance with the GDPR.

1.   GDPR in the recruitment process

  • Accepted as a legal ground for retaining job candidates’ personal data (of course taking into account purpose limitation and storage duration): explicit opt-in consent on the occasion of the job interview (e.g. by having candidates sign a consent form) + a clear and unambiguous opt-out possibility for inclusion in the recruitment database.

2.   Exchange of information between former and current employer

  • Purely oral disclosures or oral transfers of information between a former and current employer do not fall within the scope of the GDPR if none of this information is processed automatically or included in a file.
  • The legitimate interests of an employer can cover the processing of personal data for its defense in (threatened) legal proceedings against a former employee. The legitimate interest must however be real and present, and the data processing must be necessary and proportionate for the legal defense purpose.

3.   ‘Sensitive’ employee data

  • Article 10 GDPR concerns data relating to criminal convictions or offences. This type of personal data is deemed to be particularly sensitive and therefore deserves additional legal protection (i.e. a general prohibition of processing such data, with only very limited exceptions). This protection does not, however, extend to any type of non-criminal ‘judicial data’ (as was the case pre-GDPR in the Belgian Privacy Act of 1992).

4.   Data subject rights in HR context

  • When requested, access should be given to underlying documents substantiating the decision not to re-appoint someone for a certain mandate or function (= “essential information”), of course taking into account the rights and freedoms of others (e.g. a colleague who reported an incident or made a confidential complaint) and the protection of trade secrets and other confidential information of the company.
  • The right to data deletion is not an absolute right: data does not have to be deleted if processing is based on the presence of a legitimate interest which outweighs the data subject’s interest to have certain data deleted.
  • A data deletion request can be refused if the personal data concerned is not (or no longer) included in a computer system, database or file.

5.   Processing of personal data by employees

  • The employer is deemed to be the responsible “data controller” for all personal data processing activities carried out by its employees during the execution of a task entrusted to them by their employer. In this capacity, employees act on behalf of their employer and cannot separately and individually be qualified as “data controllers”.

We remain of course happy to provide further guidance on any of the topics discussed above.