Since employers will almost certainly complete two of them, employers must complete a DSFA. In accordance with the GDPR, data subjects have a number of rights regarding their personal data, including the right to erasure, the right to portability, the right to rectification, the right to restriction of processing, the right to object, etc. While many of these rights are limited in the context of employment, many require employers to take action to ensure that the rights of those affected are protected. Therefore, employers must ensure that they have taken steps to inform workers of these rights in order to grant these rights to workers, and which allow them to continue to monitor the exercise of these rights to ensure future compliance.

Appointment of a Data Protection Officer (GDPR)

The GDPR provides that an entity must designate a data protection officer when its core activities involve regular and systematic monitoring of data subjects on a large scale or the processing of sensitive data on a large scale. The problem with HR data processing is that it usually involves large amounts of sensitive data and staff monitoring. Therefore, an entity that would not otherwise have to designate a DSB for the processing of consumer or supplier data may need to do so for the processing of HR data.

Compliance with national data protection requirements

The GDPR allows EU countries to impose additional requirements on the processing of personal data through national laws and collective agreements, and these laws may be stricter than the GDPR.
France has laws that prohibit it from transferring personal data outside of France. Germany has passed a law that imposes additional or stricter requirements on the processing of personal data. In addition, many trade union collective agreements and works council agreements covering employees contain additional or stricter requirements for the processing of employee data. This also applies to compliance with specific national labour legislation, which specifies how and when staff information may be processed and how long certain types of HR data may be retained.

Application

Companies are more likely to face enforcement issues when it comes to employees' personal data, given that employees and/or their unions and works councils are more likely to exercise workers' rights under the NPL, collective agreements, national data protection laws and works council agreements.

Consent is the appropriate basis only in a very limited number of cases, for example if you wish to process your employee's biometric data (e.g. with fingerprint identification to access the premises). In this regard, the Greek DPA reminds us that due to the imbalance between the parties, workers' consent generally cannot be considered truly free – a valid consent requirement. However, we believe that the GDPR has introduced a certain leniency to accept, in certain circumstances, valid consent from workers, provided that the law of the Member States or collective agreements allow it.
Organizations that use third parties, such as human resources agencies or pay slip providers, for the processing of personnel data are responsible for ensuring that the third party complies with the GDPR and must have appropriate agreements in place. They must also comply with the GDPR's requirements regarding the transfer of data outside the EU. With regard to processing, this term is also broad and includes the collection, storage, recording, collection, organization, modification, consultation, use, disclosure or otherwise making available of personal data of staff.