GDPR in HR Management

Regardless of what they do, all organizations are engaged in the processing of personal data relating to their employees and associates.

Personal data relating to employees are processed for the purposes of fulfilling the legal obligations of the employer, fulfilling the rights and obligations that arise from the contract of employment, realization of employer’s legitimate interests, etc.

The processing of personal data relating to employees starts with the hiring process through collection of candidate applications, and it continues even after the contract of employment is terminated. During all that time, it is necessary to ensure the lawfulness of the processing activities and to adequately protect the personal data and privacy of employees.

This course includes an overview of the GDPR requirements related to the processing of employees’ personal data, as well as a multitude of examples and case law.

Course topics

• Overview of decisions and opinions of the EU supervisory authorities (AZOP and others)
• Responsibilities of the DPO
• Processing of personal data in the hiring process – job competitions, open applications, online platforms, employment agencies
• Special considerations relating to high school and college student workers
• Transparency principle – examples of providing information through employment contracts, labour rulebook and other internal regulations
• Records of processing activities with examples
• Rights of currect and past employees – how to fulfill them?
• When can employer’s legitimate interests be justified?
• Under what conditions is surveillance of employees allowed – entry points surveillance, call recording, GPS surveillance, surveillance of the use of company mobile phones, computers, e-mail and internet traffic?
• CCTV surveillance of areas of work
• When is it mandatory to conduct a data protection impact assessment (DPIA)?
• Processing of special categories of personal data – health information, disabilities, religious beliefs, trade union membership, results of psycho tests, certificates of impunity, etc.
• Evaluation of work performance = profiling?
• Processing of biometric data
• Data retention periods
• Transferring data to third countries
• Processing of personal data relating to employees as part of EU projects
• Employee obligations – confidentiality, examples of statements and contractual provisions
• Adequate safeguards for protecting documentation and IT systems
• Education and awareness-raising programs for employees on the importance of personal data protection
• Protection of personal data in relation to the right of access to information