GDPR Learning Hub

Workplace

Responsibility for personal data

Employers have a responsibility when processing personal data under the GDPR (EU General Data Protection Regulation). Among other things, employers need to ensure that their processing of employees’ personal data is done correctly. Employers need to process the personal data of their employees in order to fulfil their obligations under labour law.

Who is the personal data controller?

The company itself, as an organization, is the personal data controller when it processes the personal data of its employees. It is therefore not the manager or any other individual at the company who holds the role of “controller”. However, individuals may be data controllers in certain cases, for example when a person operates as a sole trader.

Is it common for employers to process sensitive personal data of their employees?

Yes, it is common for employers to process different categories of sensitive personal data of their employees in the context of employment. Examples of sensitive personal data under Article 9 of the GDPR are health and trade union data. 

What kind of sensitive personal data is common for an employer to process?

Employers usually process data about their employees’ health, for example information about employees’ sick leave. Such information is also commonly included in the pay slip, since it affects the amount of salary paid.

What are examples of other reasons for employers to process sensitive personal data about their employees?

It is important that employers ensure a safe and secure workplace according to the law, which is suitable and adapted to the employees’ possible special needs. 

For example, an employee can inform their employer about their possible disabilities or diagnoses. These are examples of sensitive personal data that the employer may need to process in accordance with the GDPR, including any other applicable labour law.

Are there any specific rules that apply to the processing of sensitive personal data about employees?

Yes, and it is important to note that the storage and transfer of sensitive personal data requires higher security than the processing of other categories of personal data. Therefore, for example, the employer should never email a pay slip unencrypted, if it contains data on health, such as sick leave.

What is the responsibility of employers when processing personal data under the GDPR?

Employers shall ensure that the processing of personal data of its staff is carried out in accordance with the rules of the GDPR. This means, among other things, that the employer has an obligation to inform the employees about the processing of their personal data. The information to be disclosed is regulated in more detail in Articles 13 and 14 of the GDPR. 

How should the employer’s information about the processing of its employees’ personal data be presented?

The information should be drawn up in writing in a dedicated privacy notice intended for employees. It does not have to be published on the employer’s website; it can instead be shared internally, directly and only with the employees.

Are the employees considered as “data subjects” under the GDPR?

Yes, employees are considered as “data subjects” under the GDPR, when the employer processes their personal data. They are thus entitled to various rights, which the employer is obliged to provide upon request. For example, the right of access and the right to rectification of their personal data processed by the employer. 

Can the employer be liable for damages towards the employees for unlawful processing of their personal data?

Yes. Under Article 82 of the GDPR, the employer may be liable for any damage caused by its processing of the employees’ personal data, if the processing has been carried out in breach of the provisions of the GDPR.

Employees working from home

Whether the employees work from a physical office or from home, the employer must comply with the rules of the GDPR. This includes:

  • a sufficiently high level of security,
  • a clear purpose for each individual processing of personal data,
  • fulfilment of the rights of data subjects, and
  • deletion of personal data when they are no longer necessary for the purpose for which they were collected.

The employer had to pay a fine for camera surveillance of employees in inappropriate places

An employer received a fine of ISK 5 000 000 from the Icelandic data protection authority after operating camera surveillance in the staff changing room. In addition, the company had failed in its obligation to inform the employees about the surveillance, and the employees had no other place to change clothes that was not under camera surveillance. The Icelandic data protection authority ordered the company to cease the camera surveillance in the changing room and to delete all recorded material.

Employers may delegate the execution of the processing, but not the responsibility for the processing

According to the GDPR, data controllers can never delegate or transfer the actual responsibility for the processing. However, it is possible to delegate the execution of the processing itself to someone else. In such cases, the company that processes personal data on behalf of the other company is a data processor.

Examples of delegation of processing activities to a processor

An employer may hire an accounting firm to take care of everything related to the administration and payment of wages in the company. In this case, the employer is the data controller, while the accounting firm processes the personal data of the employer’s employees as the employer’s engaged data processor.

Do the controller and the processor need to enter into a data processing agreement in writing?

Yes, all controllers and processors must enter into a written data processing agreement with each other. This is a requirement under Article 28 of the GDPR.  

More information about work life

Processing personal data in connection with recruitment and in competence databases

A company processes personal data in connection with the recruitment process. In addition, it is common to use competence databases containing personal data, in both external and internal recruitment. It is important not to process more personal data than necessary for the purpose of recruitment. Legitimate interest is usually an appropriate legal basis for such processing. Consent as the legal basis, on the other hand, is often not appropriate to use, as the power relationship is unequal between jobseekers and employers.
