
The impact of GDPR on Maxicon's HR policy


2018/04/30

From 25 May, new privacy measures will apply to all organisations. GDPR (General Data Protection Regulation) applies to all companies and organisations offering products or services to EU citizens. GDPR aims to ensure that citizens' data will be better protected. The legislation was introduced mainly to protect citizens from data giants such as Facebook, Amazon, Google, ... but it also applies to SMEs! Sarah Schutyser, HR coordinator, explains what GDPR is and its concrete implications for Maxicon.

IMPACT OF GDPR ON THE RELATIONSHIP BETWEEN EMPLOYER & EMPLOYEE

The GDPR legislation applies to all personal data, including the personal data of any employee collected in an employment context. There are no general exceptions to this.

However, there is a specific chapter on the processing of personal data in the context of the employment relationship, which allows each Member State of the European Union to adopt rules to protect rights and freedoms with regard to the processing of employees' personal data in that context (Article 88 GDPR). In other words, the general rule applies to everyone, but each Member State is free to decide how it wants to organise this specifically in practice.

Whereas previously one could and did collect any kind of information subject to consent, although this was often given unknowingly, GDPR legislation stipulates that from 25 May 2018, there are only 6 reasons by which a company can justify processing personal data:

  1. The data subject has given consent for their data to be processed
  2. The processing is necessary for the performance of a contract, e.g. the conclusion of an employment contract
  3. The processing is necessary to comply with a legal obligation incumbent on the company
  4. The processing is necessary to protect the vital interests of the data subject or another person
  5. The processing is necessary for the performance of a task in the public interest
  6. The processing is necessary for the protection of legitimate interests

Either way, consent must be by explicit declaration. In practice, discussions can quickly arise about this explicit declaration. So a signature, together with a ticked standard sentence that clearly states consent, will be the best option.

GDPR IN PRACTICE

The GDPR legislation has a considerable impact on Maxicon's HR policy at different stages. We briefly go through these stages in chronological order and indicate the challenges that arise.

Recruitment

Everything starts with the job interviews. Here, our HR coordinators conduct a thorough screening of the candidate. In addition to the substantive questions, the candidate is asked to provide a lot of data: traditional personal data, but also references, proof of good conduct and morals, etc.

Is all this still allowed under the new GDPR legislation? In principle, GDPR does allow this, but it also provides the candidate with the right to be forgotten. If we do not retain the candidate, do we still need this data? GDPR assumes not, which means that the data of a candidate who is not retained must be deleted.

For HR policy, this has quite an impact, as a candidate may not be retained for many different reasons. For instance, it often happens that we currently do not have any assignments that fit the specific profile of the candidate, but we certainly see a possible cooperation in the future. In this case, our HR coordinators want to keep the candidate's details on file.

Fortunately, the GDPR provides options here! If the candidate gives his explicit consent to keep his data anyway, for a limited period of time (e.g. 1 year), Maxicon is allowed to keep these data. The limited time period for which this consent is requested has everything to do with the previously mentioned 6 basic reasons that justify the processing of personal data. It will be difficult for any HR department to justify, based on these 6 basic reasons, why it would want to keep a candidate's data for an unlimited period of time.

Employment

During the employment of our employees, too, our HR coordinators will have to be a lot more attentive to GDPR from 25 May 2018. For instance, the question arises whether it is really necessary to post a photo of an employee on the website. In any case, this will always require the consent of the person in question. Clear consent is mainly a matter of clear communication, something that Maxicon has long been convinced of anyway. The necessity of certain things will certainly be fodder for discussion at any company in the future.

Retirement

After an employee leaves employment, it would seem obvious that this person's data is no longer needed, were it not for the company's legal obligations, as every company is obliged to keep personnel files for 5 years, after which we must destroy them. Again, the question arises here as to what information is or is not necessary to fulfil the legal obligation to keep personnel files.

Again, at Maxicon, we start from transparency and clear communication to employees regarding what we do with their data, why we collect it, ... Thanks to GDPR, employees also have the right to view their records at any time and amend them when necessary, as well as the right to be forgotten.

WHAT HAVE WE ALREADY DONE AT MAXICON?

  1. Creation of a data register. A data register is not only a practical tool, but above all a legal obligation under GDPR that must make clear how data is processed, which data is processed and when it is processed.
  2. Clear and transparent communication to our employees about how personnel data will be managed in the future!
  3. Reviewing all our standard documents (agreements, general terms and conditions, privacy statements, etc.) and adapting them to GDPR legislation where necessary

PRACTICAL TIPS

  1. Do not leave confidential info unattended on the desk (e.g. during lunch break)
  2. Print out as little personal information as possible. It is also more environmentally friendly!
  3. Throwing personal data in a paper bin is not enough. As far as possible, try to put it through a paper shredder first.
  4. Make sure the archive is well protected and placed under lock and key. Adding a cupboard is not enough in itself, it must also be effectively locked!