GDPR Learning Hub


Processing of personal data in HR work

Companies routinely process personal data in the context of HR work, from recruitment, through the employment itself, to after the employment has ended.

Examples of processing personal data in HR work

Most companies must process personal data in their HR work, for example employees' names, contact details and bank account details. In addition, rules other than the GDPR may require the employer to retain certain personal data about employees, for example for reporting employer contributions.


Legal bases that may be appropriate to use in connection with HR work


Contract

Much of the personal data that the employer processes about its employees is supported by the legal basis of performance of a contract with the data subject.


Legitimate interest

In some cases, the employer may have a legitimate interest in processing some of the employees' personal data in its HR work. Keep in mind that in such cases the employer must carry out a balancing of interests to determine whether the employer's interests outweigh those of the employee.


Legal obligation

Legal obligation means that another law or regulation requires the employer to process certain personal data about its employees, for example data on sick leave, data needed for reporting employer contributions, or similar.

Please note that consent is often an inappropriate legal basis for employers to use, as there is an unequal power relationship between the employer and the employee. The same applies to recruitment, where the power relationship between the employer and the job seeker is unequal.

Can employers process sensitive personal data in their HR work?

As a main rule, the GDPR prohibits the processing of sensitive personal data, but there are exceptions. Employers usually process sensitive personal data belonging to their employees, and this may be allowed in some cases. It is important to keep in mind, however, that the rules are stricter: for example, the employer must take adequate technical and organisational security measures to protect the personal data, and the requirements are higher when sensitive personal data is processed.

Employers usually need to process data about health

An employer usually needs to process data about health, such as sick leave, possible allergies or other health data that it may be necessary to process. Such data require adequate protection: for example, an employer should not send pay slips containing information about sick leave or other sensitive personal data via unencrypted email, as this is not considered secure enough.

Can the employer allow a data processor to handle the processing?

Yes, no rules prohibit an employer from hiring another company to do part or all of its HR work, for example when a company hires an accounting firm to manage the payroll of its employees. In such cases, the accounting firm is a data processor for the processing. Please note, however, that it is not possible to transfer the actual responsibility for the processing, only its practical execution.

Employers who process subjectively privacy-sensitive data, for example in their work on skills development

It is important to keep in mind that notes dealing with employee skills can be subjectively privacy-sensitive data. This personal data must therefore be processed with restriction and sufficient security, as a leak through a personal data breach can have major consequences for the employees concerned. Please note that it should also be clear when this personal data is erased.

Skills development that includes profiling and automated decisions

The GDPR regulates how companies may work with profiling and automated decisions. It is not always easy to comply with the GDPR when using skills development systems that include profiling and automated decisions. For example, the tools must enable the controller to comply with the requirements concerning the rights of data subjects, such as the right to information, rectification, etc.

How companies should proceed step by step in their HR work in accordance with the GDPR

Purpose

Companies must always have a purpose for each individual processing operation, for example processing certain personal data in order to be able to pay wages.

Legal basis

Once the company knows the purpose of the processing, it can choose an appropriate legal basis. Please note that consent is usually an inappropriate legal basis in HR work, as the power relationship between the employer and the employee is not equal.

Transfer to third parties

If the company will transfer the personal data to a third party, the data subjects shall be informed of this. An example of a transfer to a third party is when the company hires an accounting firm to handle payroll.

Erasure

Companies shall delete personal data when it is no longer necessary for the purpose of the processing. This also applies to personal data processed as part of HR work.

Write instructions for employees

In practice, it is the company's employees who work with issues related to the GDPR, for example when a manager receives a job application from an individual. That is a processing of personal data, and the manager needs to know how to handle it correctly. It is therefore good to draw up written instructions for how employees should act when processing personal data in their daily work.

Stored personal data of an employee long after termination of employment

A company in Finland/Sweden (Viking Line) had to pay a fine after, among other things, it had continued to store personal data for a long time after the employment had ended. The data in question also included sensitive personal data.

Personal data processing in recruitment

Companies usually need to process personal data, such as contact information, when recruiting staff. This also applies to applicants who do not end up getting the job. It constitutes a processing of personal data, and the GDPR must therefore be taken into account throughout the process.

Different things to consider when processing personal data when recruiting staff

Here are some things that are important to keep in mind when companies process personal data when recruiting staff: 

Right of access

Data subjects have a right of access under the GDPR: the right to know what personal data about them the company is processing, for how long the processing takes place, what rights they have, etc. The right of access also applies in recruitment. If a company has created a page on its website where applicants can enter their contact details and attach their CV, it must inform them about the processing in connection with the collection of the data. This is usually done in a privacy notice that the applicant can read before submitting the data.

Automated recruitment decisions

It can be unlawful for a company to use automated decisions when recruiting. For example, if testing during recruitment involves profiling, there are several issues to consider, such as consent not being an appropriate legal basis.

Criminal offence data

Criminal offence data constitute a special category of personal data under article 10 of the GDPR. This means, among other things, that they must be processed with greater security than 'ordinary personal data'. In some professions, for example police officers and school staff, the employer is required to request such information, and in those cases the legal basis for the processing is a legal obligation. On the other hand, some companies request a criminal record extract even though there is no legal requirement, and in such cases the rules are strict.

Conclude a personal data processor agreement if another company handles the recruitment

It is not uncommon for companies to hire other companies to manage the recruitment of staff. Keep in mind that in such cases the recruitment company is a data processor, and a written data processing agreement must be concluded between the parties pursuant to article 28 of the GDPR.

'Blacklists' are not allowed

It is not allowed to create a register of individuals who are not wanted or welcome, so-called 'blacklists'. Managers sometimes create such lists to try to streamline their recruitment work, but this is prohibited.


Processing of personal data during employment

During the employment period, there are usually many different types of processing of employees' personal data.

Informing about the processing of personal data in employment contracts

It is good practice for employment contracts to refer to a separate privacy notice developed specifically for employees, describing what processing of the employee's personal data takes place.

Legal bases that may be appropriate for processing during employment

Here are three legal bases that may be appropriate for companies to rely on when processing personal data about employees during the employment period.

Contract

The employment contract may provide a legal basis for the processing operations necessary for the performance of the person's duties, for example processing first name and last name in order to create a work-related email address for the employee. Please note, however, that it may be difficult to use the employment contract as a legal basis if the purpose of the processing is unclear.

Legitimate interest

An employer may have a legitimate interest in processing certain personal data about employees. However, the company must first carry out an impact assessment to demonstrate this. An example of when it might be appropriate is a brokerage firm publishing a picture of a sales item together with a profile picture of the broker on the company's social media.

Legal obligation

Several laws regulate the processing of personal data about employees. For example, companies need to process personal data about employees' sick leave, report occupational injuries and the like. When a processing is carried out in order to comply with the provisions of another law, the legal basis is a legal obligation.

Please note that consent is usually an inappropriate legal basis to use, as there is an unequal power relationship between the employer and the employee. 

Continue to process personal data after employment

It may be possible for a company to process personal data even after the employment has ended, for example so that the employer can act as a future reference for the person.

Future reference - consent may be appropriate

As mentioned earlier, consent is not appropriate when the power relationship between the parties is unequal. Once a person stops working for a company, however, they are no longer an employee. It may be in the data subject's interest that certain data is still processed by the former employer, for example information about performance, reviews or similar that may form the basis for a future reference. On the other hand, there is no need for the company to continue processing this data if the former employee does not wish it. It may therefore be useful to obtain the person's consent, when the employment ends, for the company to continue processing this data, and to inform the person that they can request its deletion at any time in the future.

There may be other laws that require further processing

Laws other than the GDPR may require companies to process personal data for a certain period even after termination of employment, such as having to keep payslips in accordance with tax or accounting legislation. If continued processing is required by law, the legal basis for the continued processing is a legal obligation. Please note that in such cases the personal data should be stored separately from the personal data used in daily work, for example in archived, password-protected digital folders kept on a separate storage area.

More about GDPR

Rules regarding the processing of personal data in social media

Many companies process personal data on social media and believe that they have no responsibility for the processing there, since it is not their platform. This is not always the case. In some situations, a company may be a joint controller together with the company operating the social media platform. For example, this applies when a customer contacts the company via social media to exercise their rights. Even if the company's privacy notice states that such requests should be submitted via email, receiving the message via social media is still a processing operation. Remember, for example, to clear out the inbox and outbox of the company's social media accounts, just as with email and other communication channels.
