Following passage of the GDPR earlier this year, what information should organisations tell their employees about the personal data processed about them?
All data subjects, including employees, must be provided with certain information about the ways in which their personal data is processed by their employer. The information required is set out in Article 13 of the General Data Protection Regulation (GDPR) and includes:
- the identity and contact details of the data controller;
- the contact details of the data protection officer, where applicable;
- the purposes of processing and the legal basis for processing;
- where the organisation is processing on the grounds of legitimate interests, what those legitimate interests are;
- the recipients or categories of recipients of the personal data;
- information in respect of any transfer of personal data outside the EEA;
- the retention period for the personal data (or criteria used to determine that period);
- the rights available to the data subjects;
- the right to complain to the Information Commissioner’s Office (or other supervisory authority in another jurisdiction);
- information about a statutory or contractual requirement on the data controller to process the data; and
- the existence of automated decision making.
Don’t forget that the same information will need to be provided to candidates (including unsuccessful candidates) as well. You may choose to provide this information within the same fair processing notice that is provided to employees, or to produce a separate fair processing notice for candidates, which could be made available on your organisation’s website.