On 25 May , the GDPR will be definitively implemented. This regulation, which will govern the collection, processing, storage and management of personal data, represents a major transformation in the use of personal data and has important repercussions in the field of employment.
It incorporates the principles of proactive responsibilityand the principle of transparency, through which it includes, together with the ARCO rights (access, rectification, cancellation and opposition), the rights to be forgotten, to portability and to limitation in the collection of data.
As a novelty, it incorporates the figure of the data protection delegate and reinforces the figure of the collective agreement in the field of data protection, since its treatment can be negotiated and included in them.
The entry into force of the regulation has important repercussions in the labour sphere, both in the selection process and throughout the employment relationship and in the use of the means of control of workers' activity through new technologies (video-surveillance, biometric controls....). These and other issues are dealt with in this multimedia.
General obligations
Information
-If personal data are collected (from employees, applicants, etc.), the data subject must be informed of the processing or use to which the data will be put, as well as other information such as: the identity and address of the company (contact details); details of the data protection officer, if such a person exists;
- the rights of access, rectification, limitation of processing, erasure, portability and opposition are recognised.
Consent
- the right to information is essential for the provision of consent to the processing of personal data;
- consent must be specific, informed and unambiguous;
- consent should not be sought from employees, as the processing of their data derives from the existence of the employment contract.
In the labour field
Recruitment
- if the CV is submitted directly by the candidate, a procedure should be established for the collection and use of this data, including acknowledgement of receipt;
- if CVs are not retained they should be securely destroyed.
Payrolls of employees
-If the management of the employees' payroll is outsourced, this company is considered to be the data processor;
- the obligations of the data processor must be reflected in a written contract stating that the data will only be processed in accordance with the instructions of the data controller:
- will only be processed in accordance with the instructions of the data controller;
- will not be used for a purpose other than that set out in the contract.
Risk prevention
- prior consent of the worker is not required;
- workers must be informed of the processing of their data for risk prevention or health surveillance purposes.
Insurance
- If insurance or pension plans are taken out, employees must be informed of the processing of their data and of their transfer to the insurance company or pension fund manager;
- only the data necessary for the conclusion of the contract may be collected.
Corporate control
-The use of technology to monitor work activity (monitoring of e-mail, company computer, etc.) is permitted;
- the employee's consent is not required, but he/she must be informed about the processing of his/her data, and about what he/she is allowed to do and what he/she is not allowed to do.
The company must clearly disclose these instructions to all workers affected by the monitoring measure;
- they should be proportionate to the objective pursued;
- video surveillance cameras must meet the following requirements:
- images of public spaces may not be obtained, unless this is unavoidable;
- the placement of cameras must respect the principle of proportionality and the right to privacy;
- The placement of the cameras should be announced with an explanatory sign in a visible place in the video-monitored areas;
- Recordings may only be kept for a maximum period of one month from the date of capture.