Business life
Processing of personal data at work
Processing of personal data at work is very common. Here you can read a summary of what applies to companies in such cases. The information is primarily aimed at private companies, and not actors active in the public sector.
What categories of personal data are commonly processed in the workplace?
The following are some examples of categories of personal data that are common to process at work:
- Contact details of employees.
- Payroll register.
- Address lists.
- Information on employees' sick leave.
Processing of sensitive personal data at work
According to the GDPR, the processing of sensitive personal data is prohibited under the general rule, but there are some exceptions. Examples of sensitive personal data are data on health, religious beliefs and trade union membership.
Employers may also process privacy-sensitive personal data at work
In addition, there are other personal data that are particularly worthy of protection, so-called “privacy-sensitive” personal data, for example data on social conditions and payment card details. The more sensitive the personal data, the higher the requirements for security, among other things.
How can data on sick leave, which is sensitive personal data according to GDPR, be processed by the employer?
In the context of employment, it is common for employers to process information about employees’ sick leave. Information about sick leave is data on health, and thus constitutes sensitive personal data according to Article 9 of the GDPR.
What legal basis can be used for the employer's processing of sensitive personal data?
The legal basis that the employer often uses for the processing of sensitive personal data is a legal obligation, pursuant to Article 6(1)(c) of the GDPR. This is because the processing is necessary for the employer to comply with its legal obligations under applicable labour law, for example in order to calculate and pay the correct sick pay, to report to social security under the applicable law, etc.
The legal basis for such type of processing is thus not the contract (employment contract) with the data subject. This applies even if the payment of wages is part of the employer’s obligations under the employment contract.
Are there any exceptions that allow employers to process sensitive personal data?
Yes, Article 9(2)(b) of the GDPR provides a specific exception that allows employers to process sensitive personal data, namely in cases where the processing must be carried out in order for the employer to fulfil its obligations under labour law.
Note, however, that the employer must not send a pay slip containing sick leave information by unencrypted e-mail or by any other method that is not sufficiently secure.
What is the responsibility of an employer when processing personal data?
An employer who processes the personal data of its employees, and decides how and why they should be processed, is the controller of the processing.
For example, if a company operates an accounting firm, the accounting firm may process personal data either as a data controller or as a data processor. It processes personal data as a data processor, when the personal data belongs to the customer’s employees and the processing takes place on behalf of the customer.
Can the manager or owner of the company be the controller or processor of personal data?
It is usually not the manager of the company or the owner who is personally considered as the controller or processor. Instead, it is the company as an entity that has such a role under the GDPR.
However, there may be situations where an individual holds the role, for example if the employer operates as a sole trader and their personal identity number is the same as the company’s corporate identity number.
Do all employers need to appoint a data protection officer under the GDPR?
No, not all employers need to appoint a data protection officer under the GDPR. Only some employers need to do this. The GDPR sets out clear requirements for which organisations need to appoint a data protection officer.
Can an employer that is not required to appoint a data protection officer do so anyway?
Yes, an employer who is not required to appoint a data protection officer may choose to do so voluntarily. If the employer has appointed a data protection officer, employees have the right to contact the data protection officer with any questions regarding the processing of their personal data. The same applies to other data subjects.
Authorities must always appoint a data protection officer, but not all private companies. Data protection officers shall be consulted, inter alia, when the company intends to carry out an impact assessment.
Must the data protection officer be notified to the supervisory authority?
Yes, all appointed data protection officers shall be registered and notified to the supervisory authority, including their contact details.
Is the data protection officer personally responsible for the organisation's compliance with the GDPR?
No, the data protection officer has no personal responsibility for the organisation's compliance with the GDPR. Instead, it is the organisation itself that has this responsibility.
Recruitment systems and competence databases
It is common for companies to process personal data when recruiting new employees for the business. The same applies to the use of competence databases for this purpose. It is important to have a legal basis for such processing of personal data.
What legal basis is commonly used for personal data processing in connection with recruitment?
The legal basis of legitimate interest under Article 6(1)(f) of the GDPR may be an appropriate legal basis to use in such cases.
Consent as the legal basis is however usually not appropriate to use. This is because there is an unequal power relationship between an employer and an employee.
Is it necessary to carry out an impact assessment prior to the processing?
It may be necessary in certain cases to carry out an impact assessment before the employer starts processing the personal data. For example, if a temporary work agency carries out background checks when recruiting a new person.
Different types of monitoring
If an employer wants to implement camera surveillance at the workplace or other type of monitoring and processes personal data in connection with this, the company needs to comply with the GDPR. However, it is labour law that primarily regulates an employer’s right to monitor and supervise its employees.
Camera surveillance
Camera surveillance is an intrusion of privacy in the workplace, and employees generally have a strong interest in not being subject to such surveillance. However, there are situations where the employer may have a stronger interest in conducting the surveillance, for example camera surveillance of a warehouse where luxury goods are stored. In some cases, it may be appropriate to operate the cameras in a warehouse only at night, when no employees are present, if the purpose is to prevent break-ins or to make them easier to deal with.
Positioning techniques
Some types of companies may need to have positioning technology on work vehicles that employees use in the course of their work. It is important not to use the information to, for example, check how long employees take their breaks. The information must also not be used to track employees while they are not working, if they are allowed to use the company vehicle during their free time.
Processing of biometric data at work
Examples of biometric data are fingerprints or facial recognition data. Biometric data are sensitive personal data according to Article 9 of the GDPR. Such data make it possible to identify an individual, since they refer to a person’s physiological, behavioural or physical characteristics.
Therefore, it is important to bear in mind that the rules are stricter when processing such sensitive personal data. Companies processing biometric data at work must take appropriate safeguards to protect the personal data.
Are all companies allowed to process biometric data of employees?
Companies may be allowed to process biometric data as employers, but not if it is possible to achieve the same purpose in a less privacy-sensitive manner. In order to use biometric data, the company must have a strong reason. Also, it may be necessary to carry out an impact assessment before the processing begins.
Can biometric data be processed for attendance control?
No, biometric data should not be used for attendance control, as it is usually prohibited. In Sweden, a school had to pay a fine after using facial recognition when checking pupils for attendance.