Applicability of Data Protection Laws on Employee’s Personal Data

10 March 2022

This article gives an overview of Data Protection regime over the employee’s personal data collected by the employer/ organization in the course of employment. It is a recommended read for the HR Personnels, Recruitment firms, Payroll management and C-suite stakeholders.

Introduction

In every organization whether large, medium, small and even in technology/ automation driven company manpower plays a vital role. Starting from recruitment process, numerous types of personal data like name, contact details, address, e-mail id, identification numbers, qualifications, medical information, salary/ pay slips, family details and biometric information is collected and processed for the streamlined purposes like onboarding, employee benefits, pension, gratuity, statutory reporting, performance evaluation etc. Such information’s are mandated to be protected by the organization (i.e. collector or processor) under various employment laws and data protection laws either by virtue of existence in the region or by processing the data of individual.

Risks of Non compliance

Non-compliance of legislation can result in hefty fines from authorities and can hamper the reputation amongst customer and employees. For instance, under the EU-GDPR fines can be sanctioned up to EUR 20 million or 4 percent of the worldwide turnover. In the year 2020, the Data Protection Authority of Hamburg, Germany sanctioned one of the largest GDPR fine on H&M a clothing retailer, EUR 35 million for illegal monitoring of employees[1]. In a recently published report by DLA Piper, the year 2021 topped the data protection fines which totaled to approx. USD 1.2 billion[2].

Key regulatory frameworks — Globally

EU — General Data Protection Regulations (GDPR)

As per Article 6 of the EU-GDPR, employers can process the data of employees on the basis of either a contract or for the legitimate purposes of the business. Further, Article 88 of the EU-GDPR, further covers processing of personal data in the context of employment which states that Member states can provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context.[3]

US — California Consumer Privacy Act (CCPA)

Under Section 1798.145(h)(3) of the CCPA, since Jan. 1, 2020, a notice must be provided to employees by employers, at or before the point of the collection of personal information. Further, Section 1798.100(b) read along with CCPA Regulation Section 999.305.(f) this notice to employees needs to include information such as the categories of personal data and the purpose of collection. Under Section 1798.150 businesses are liable for undertaking adequate and reasonable security measures to protect the data of their employees. However, there are certain exemption provided under the CCPA on collection of employee personal data.’[4]

Canada — Personal Information Protection and Electronic Documents Act (PIPEDA)

Section 4(1)(b) of PIPEDA applies to every organization operating in the private sector, in respect of personal information that ‘is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.’[5] PIPEDA does not apply to employee information in provincially-regulated organizations.[6]

However, organizations in the private sector are required to adhere to the applications of the Act. As per Section 4.7.4, ‘Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.’

Brazil — Lei Geral de Proteção de Dados Pessoais (LGPD)

Article 17 of LGPD provides assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law. Further, Article 18 of the LGPD requires organizations to immediately adopt and fulfill employee DSR requests without cost to the employee, within a given time period and according to the terms provided in regulation.[7]

Rights of Employees

Amongst the protection provided, few legislations also provide for rights to current and/ or former employees for protection over their personal data which can be exercised, such as:

· Right to Withdraw their Consent

· Right to Information

· Right of Access

· Right to Correction or Rectification

· Right to Data portability

· Right to Object

· Right to Automated individual decision-making including profiling

Compliance action points

Any personal data collected by an employer in the course of their employment is protected under data protection laws. Hence, it lays an obligation on the employers to ensure appropriate security measures and practices in place. Few of the key measures which can be adopted are as follows:

• Defining the purpose of data collection and processing

• Formulation and implementation of privacy policies, forms, code of conduct and procedures

• Training and sensitization on data protection and privacy laws

• Provide a grievance redressal mechanism for employees

[1] https://datenschutz-hamburg.de/assets/pdf/2020-10-01-press-release-h+m-fine.pdf and https://www.tessian.com/blog/biggest-gdpr-fines-2020/

[2] https://www.dlapiper.com/en/us/insights/publications/2022/1/dla-piper-gdpr-fines-and-data-breach-survey-2022/

[3] https://gdpr-info.eu/art-88-gdpr/

[4] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1281

[5] https://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html

[6] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_26/

[7]https://iapp.org/media/pdf/resource_center/Brazilian_General_Data_Protection_Law.pdf

Published here: Applicability of Data Protection Laws on Employee’s Personal Data | by Reina Consulting | Mar, 2022 | Medium

Disclaimer: This article is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

Cookie Consent