General Data Protection Regulation (GDPR) for Human Resources Staff: eco Association Identifies Seven “Do’s and Don’ts” for 2018

  • Additional information obligations for human resources managers as of May 2018

  • Best practices for data protection keep HR processes on the legally safe side

When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, this will also have an impact on HR departments – by the May deadline at the very latest, companies must have effective protection of their employees’ and applicants’ data in place. This is determined by Article 88 of the GDPR. Those who do not comply with the new regulation face high fines of up to 20 million Euro or four percent of worldwide sales.

“By abiding by our tips, HR managers who already take data protection seriously and who comply with legal regulations will also legally be on the safe side beyond May 2018,” says Lucia Falkenberg, Chief People Officer and Head of the Competence Group New Work at eco – Association of the Internet Industry. Clarissa Benner, LL.M., Attorney in the Professional Services division at the eco Association, agrees, adding that: “Transparency is and will remain the foremost principle: Employees must know what their employer stores and processes and for what reasons, and that they have a right of revocation.”

The eco Association has compiled the seven most important Data Protection Do’s and Don’ts in the area of human resources:

  1. Employers must provide their employees and applicants with full information on why they store personal data and explain to them their right of revocation. This information must be transparent enough for employees and applicants to understand it, and they must declare their agreement with the processing of their data.
  2. Application documents must be deleted or returned by HR departments after an application has been rejected. This includes the applicant letter.
  3. No exceptions exist for corporations: Anyone wanting to pass on personnel data from the subsidiary to the parent company must be able to justify this. Grounds for transfer of such data include, for example, where human resources management is centrally organized and a contract for order data processing exists between the individual parts of the corporation or, alternatively, where the parties concerned have agreed to this process – for example, by means of standard clauses in the employment contract.
  4. Private use of the corporate email account remains legally problematic as there is no clear boundary between personal and business-related information.
  5. Inquiring about an applicant with his or her prior employer is only possible with the applicant’s consent. In the interview, the employer may only ask questions that help to assess the suitability or skills for the advertised job. In Germany, for example, questions about an existing pregnancy, marriage intention, or the desire to have children fall within the scope of protected privacy and are therefore prohibited. If the employer nonetheless poses such questions, the applicant does not have to answer them truthfully; legally he or she has a so-called “right to lie”.
  6. Personnel files in paper form may only be kept by HR staff in secured cabinets. All sensitive documents must also be stored digitally in a protected area, with graded access options for HR managers. A log should clearly show who has inspected which files and when.
  7. Video surveillance of workstations is only permissible in absolutely exceptional cases and for a limited period of time – for example, if the employer has a particular safety concern or if a concrete suspicion of a criminal offence against an employee is to be investigated. On the other hand, it is permissible to measure an employee’s work performance – for example, in comprehensive data analyses or through screenings. However, in such cases, the employee must not be subjected to permanent monitoring pressure, and a personality profile may not be created.