At the end of the week, on 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. This does not just have consequences for your website or online shop but also for your staff management. Is it ready for the GDPR?
You may have heard a lot about the General Data Protection Regulation (GDPR) and the necessary changes you have to make to your website, the mandatory privacy statement, and the processing agreements you have to conclude. But even if you don’t have a website or web store, you will have to deal with the GDPR.
The GDPR will give citizens more control over their personal data, such as name, address, bank account number, etc. The GDPR requires organisations to make transparent in advance which personal data they process, for what purpose, what the legal basis is for the processing, and how the data are processed. This does not just apply to personal data of customers and suppliers, but also to the personal details of your employees.
The data an organisation collects and processes of its employees are certainly personal data which fall under the GDPR: wages, pension, leave, etc. In addition, special category personal data will be processed, such as citizen service numbers and sick leave. Also, data used in the application process are personal data within the meaning of the GDPR.
Usually, the processing of personal data is based on a legal requirement under fiscal or social legislation, or labour law and pension law. There is no legal requirement for an in-company “face book”, for instance, or a birthday calendar and the legal basis for the processing must be a legitimate interest (employees must be able to identify each other for the purpose of security) or the processing has to be based on the informed consent of the individual employees.
Employees have to be informed of what happens with their personal data, for instance, that part of the data will be shared with a payroller, a pension fund, and – in the event of sickness – with the occupational health and safety service and/or employee insurance agency. You also have to conclude processing agreements with the external parties you involve in your staff management, where they declare to comply with the GDPR and your privacy policy.
In addition, make your employees aware of their rights, such as the right to be forgotten, the right to obtain restriction of data processing, and the right to object to processing. These rights cannot be invoked where you are legally required to process data. The storage period of salary details for fiscal purposes is, for instance, 7 years from the termination of employment. During this period, the (former) employee cannot require you to delete these data from your files.
The GDPR does not just have consequences for the relationship with your customers or suppliers but it does also affect the internal relationship with your employees. We recommend you draft a separate privacy policy for your employees and conclude the required processing agreements.
Would you like to learn more about the GDPR and what you, as an organisation have to do for a “GDPR-proof” staff management? Would you like to make changes to your privacy statement, or would you like us to draft a processing agreement? Please contact us at:
At the end of the week, on 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. This does not just have consequences for your website or online shop but also for your staff management. Is it ready for the GDPR?
In this newsletter Russell Advocaten will inform you, in short, about the most important changes to be expected in the European data protection regulations. More detailed information on this topic can be found in our previous newsletters.
A director under the articles of association is appointed by an appointment decision by an authorised body. What might be the consequences if this decision was not established in writing?
With the Dutch Tax and Customs Administration again enforcing the Deregulation of Assessment of Employment Relationships Act (DBA Act), these questions have become even more important. In a recent ruling on Uber drivers, the Supreme Court provided additional guidance on how to determine whether someone is a self-employed person.
If employers want to terminate the employment of an employee for poor performance, they need to take a number of steps before they are allowed to do this. Which actions do they have to take? What issues should expats take into account?
The works council has an important task when it comes to working conditions in the company, including social safety. What tools can the works council use to ensure a safe corporate culture?
