News

GDPR for Employers

Cooley Alert
July 10, 2017

Who is covered?

If a company has EU-based employees whose behaviour it "monitors" (see below) it will need to take steps to ensure that it is compliant with the GDPR when it comes into force in May 2018. "Monitoring" in an employment context is not defined in the GDPR itself but is likely to cover the tracking of employees' activities in order to take disciplinary, performance or other employment-related actions in respect of them. In reality, given the technologies most employers will require EU-based employees to use in the workplace, most employers with EU-based employees are likely to be tracking the behaviour of their employees and therefore covered by the GDPR. This means that companies based outside the EU will need to comply with the GDPR in respect of their EU-based employees, even though they may have no corporate presence there. Such companies must appoint an EU representative established in one of the EU Member States where they have EU-based employees.

What do employers need to do?

Although the structure and concepts in the GDPR will in some respects be familiar to employers (because they reflect current requirements under the existing law), there are some key changes. The most important of these is the restriction on the use of consent in the context of the employment relationship.

Can employers rely on employees’ consent to process their data?

Currently, many companies rely on employees' consent to process their personal data and short consents are often included in the employment contract. However, under the GDPR, for consents to be valid it must be freely-given, specific, informed and revocable. The GDPR states that, given the imbalance of power between employer and employee, employees can only give free consent in exceptional circumstances. In reality, it will be very difficult for employers to rely on consent to process employees' personal data.

What should employers do instead of relying on employees’ consent?

Consent is only one of a number of potential legal bases for processing employee data. Alternative legal bases include processing being:

  • necessary for the performance of the employment contract. This would cover, e.g., employees' bank account data which the employer requires to pay employees
  • required by law. This would cover, e.g., processing of sickness absence data to facilitate the payment of statutory sick pay in the UK
  • in the employer's legitimate interests which outweigh the general privacy rights of employees. This is potentially much wider in scope and will assume much greater prominence under the GDPR

What steps should employers be taking to comply with the GDPR?

Companies should review their template employee documentation such as employment contracts and any free-standing employee data processing consents. For new hires we recommend that companies replace the consent language in these documents by new language referencing the alternative legal bases referred to above. For existing employees, companies should roll out employee data processing notices which refer to these alternative legal bases.

What are the potential sanctions for non-compliance?

Failure to comply with the GDPR can result in fines of up to €20 million or 4% of a company's (or the entire group company's) annual worldwide turnover. This is significantly higher than the current penalties available for non-compliance with the existing regime (e.g. fines of up to £500,000 in the UK).

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.