We offer a personalized service tailored to what our clients need. This can be a memo with legal references, a short confirmation by e-mail or a second opinion by phone.
With a large team of specialized HR lawyers in six offices across Belgium, we are where you need us to be. And as a founding member of Ius Laboris, we offer HR law services for cross-border legal issues in all major jurisdictions.
The European Parliament formally adopted the new GDPR on 14 April 2016. The negotiation process preceding the adoption took more than four years and involved the European Commission, the European Parliament and the Council of the European Union. The Regulation covers virtually every context in which personal data is processed. All organisations will be affected, whether processing data as employer or in relation to suppliers, customers or other users. The Regulation also applies to governments and public authorities.
Many familiar elements
The Regulation retains many of the concepts in the existing rules, so much will be familiar. For example, terminology such as "data controller", "processing" and "personal data" is the same. The provisions laying down when personal data may be processed, on safeguards and on security measures are also similar. Employers have a legal basis for processing data where doing so is necessary for the performance of the employment contract, and this will continue.
Employers are likely to continue receiving subject access requests from their employees. They will still need to enter into data processor agreements with external processors such as providers of IT services (including cloud providers), personality tests and payroll administration services.
However, the GDPR also introduces a range of new elements. Data Protection Officers (DPOs) will become mandatory across Europe for businesses whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health data or trade union membership) or of data relating to criminal convictions and offences.
The current notification procedure is abolished. Instead, employers will need to provide data subjects with more detailed information on the processing and its legal basis. Data protection impact assessments will have to be carried out in certain contexts, and records must be kept of the personal data being processed, the purposes of the processing, and so on.
In addition, there is a new requirement that businesses must report personal data breaches to the data protection authority on their own initiative, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the affected individuals must also be informed.
Fines will be a real risk factor
The much-debated fine regime has also been adopted. As a result, undertakings will risk sanctions of up to EUR 20 million or, if higher, 4% of their total worldwide annual turnover.
Although the level of sanction will depend on which provisions have been breached and on the circumstances of the breach, there is no doubt that the new regime is intended to increase fines dramatically compared with those imposed under the former data protection rules. The potential for very significant penalties makes a breach of data protection law a real risk factor for businesses in future.
National legislative review ahead
With the adoption of the GDPR, there is likely to be considerable further legislation. The GDPR gives both national governments and the EU extensive powers to adopt supplementary provisions.
In the area of employment law, the GDPR also includes a provision authorising member states to implement specific national provisions in connection with the processing of employee data.
Not too soon to begin
Although detailed national regulation is not yet in place, it is not too soon to start planning for the new data protection regime. Whatever the final details of the legal regime, a precondition for compliance is that businesses exercise real control over the personal data they hold and process. This is easier said than done: with modern technology, personal data are collected and used to an ever increasing extent. Data controllers may not be aware of all the data processing operations they undertake, and may not know the content of the data that they process.
Mapping the data flow of employee data alone is a significant and necessary task. And, in practice, the new documentation requirements mean that it will be important to keep a clear head to ensure that the policies established not only cover the right areas but are also applied in practice. In other words, it is not too soon to prepare for the new data protection regime, even though it does not apply until 25 May 2018.
In countries with co-determination, most rules on the processing of employee data require the consent of the works council, so time for negotiations must be factored in. It may be advisable to involve the works council very early in the planning of new processes and policies, e.g. in relation to employee data, information and deletion rights, data portability, etc.
The EU has finally approved a new regulation on data protection (the General Data Protection Regulation or GDPR). This regulation introduces a single set of rules that will apply directly in all EU member states.
Although the new law will not apply until 25 May 2018, all businesses will need to consider how it will affect them and make preparations.
Ius Laboris, the Global HR Lawyers, is organising a series of seminars for employers on the new rules and how they are likely to affect them. These seminars will take place in several locations across Europe.
At each seminar there will be an explanation of the impact of GDPR with a particular focus on the position in the country hosting the event – followed by a round table discussion. Topics include:
- What’s the scope of the GDPR in an HR context?
- What duties do you have as an employer?
- What information do you need to give your employees?
- Do we need to appoint a data protection officer?
- What happens if we make a mistake – data breaches?
- Penalties – how bad can it get?
- How should we handle things in practice?