GDPR: The Next Day. The Regulation in the context of employment
It is a “convenient” myth that we (should) expect for the Greek legislation to decide on how we adapt. There is a draft law (its consultation was completed in March 2018), but it has not yet been adopted nor is necessary to be. The Regulation applies as is.
It is accurate and not a (malicious) exaggeration that all businesses process personal data. Sometimes even “sensitive”: Like those of their employees. Thus, businesses need to adapt according to their strengths and (in particular) depending on the potential impact of the data leakage they process, that is, depending on the number and degree of “sensitivity” of the data.
It is also accurate that the Regulation is not entirely clear on all points. However, we have been armed with the relevant interpretative tools. Such as, for example, the views of the Working Party of the 29-member Group of Member States’ Data Protection Authorities.
The role of GDPR in employment relationships
What is the role that GDPR plays in the relationship between the Employer and the Employee and which are the main obligations of a business?
- To train the Employees on the processing of third-party data it processes in the context of the provision of its services, in the wide sense of awareness and cultivation of new habits.
- To re-approach the employment contracts with the addition of the employee’s obligations with regard to the development of a new corporate culture. (Which is) The adaptation of a new modus operandi, as such is required as mandatory by the Regulation.
- First of all, to inform employees on the processing of their data. In particular: for the categories of their data to be collected, their retention time, the purpose and the legitimate basis for their processing, their possible transmission to other organizations (or other countries), and above all for their rights as identified in Articles 15 to 22 of the General Regulation.
It is thus very important to be noted that the employers are obligated to inform their employees on the processing of their personal data which are necessary, thus, not to obtain their consent. Such consent would be contrary to the spirit (objective) of the Regulation for the following two reasons:
(a) Consent must be the “last resort” of a legitimate base for processing as it presupposes true freedom of choice and is revocable. It would be misleading make an employee think that if he/she does not give or withdraw his/her consent, it is possible for the employer not to ask for or delete the necessary personal data of his/hers: In fact, the labor and insurance legislation as well as the performance of the employment contract impose the processing of specific personal data of the employee.
(b) Consent must be given freely. The relationship between the employee with the business is characterized by a certain imbalance of powers, leading to a “forced” and therefore to an illegal consent.
GDPR is a cumbersome Regulation which, however, carries a significant gift: Extrusion into a change of mentality.
P.S. This article has been published in Greek in MAKEDONIA Newspaper (December 23, 2018)