Employees & privacy

⚡TL;DR

  • The employer processes its employees' personal data and acts as a controller.
  • Health-related data such as sickness leave details are sensitive personal data.
  • Your employees must be properly trained to avoid security breaches.
  • You need consent to keep an applicant's file after the recruitment period.
  • Book a free call with us.

When hiring, paying, or generally interacting with employees, the employer processes personal data and acts as a controller subject to data protection laws.

The processed data generally include:

  • Recruitment data: CV, letter of motivation, picture, etc.
  • Identification data: name, address, residence permit, etc.
  • Financial data: IBAN, salary information, etc.
  • Health data: sickness, injury, insurance-related information, etc.
  • Other sensitive data: Union membership, religious beliefs, biometric data, etc.

An employer must properly inform its employees to ensure that it can fulfill its obligations and be compliant. A company cannot be compliant if its employees are, for example, processing personal data outside of the scope communicated by the company to the data subjects.

Obligation to inform

As a controller, the employer must inform the data subjects (i.e., the employees) of:

  • Its role as controller
  • The types of data being processed and their sources
  • The processing purposes
  • The data retention period
  • The categories of data recipients (e.g., in case of third-party transfer)

This can be done in an internal privacy policy shared with all employees upon their onboarding.

You usually do not need to obtain consent from the employees. Indeed, the legal ground for processing personal data in such cases is the performance of a contract. For example, the employer has a legitimate interest in knowing the IBAN of its employees in order to pay them as per the employment agreements.

Processing sensitive data

Employers often process sensitive data. This is notably the case for any health-related data (e.g., an employee's sickness or pregnancy).

Processing sensitive data calls for additional measures. Check out our Basics page for more information.

Recruitment data

During the hiring process, an employer also processes the personal data of the applicant. Usually, the applicant is informed about the processing of their personal data through the company's public-facing Privacy and cookies policies.

The key question for recruitment data is the retention period. The employer only has a legitimate interest in processing the data during the recruitment phase. Once the applicant has been rejected, the employer needs consent to keep processing the applicant's data. This means that an employer must ask for consent in order to keep an applicant's file in case another job opens at a later stage.

Best practices

Employee privacy policy: An employee privacy policy is implemented covering the data the company processes in its capacity as an employer. This policy is presented to new hires.

Employee health data: The number of people having access to the employee's health details is limited to a strict need-to-know basis.

Applicant's file: If the company wants to keep the file of a rejected applicant for more than 6 months, the applicant's consent is requested and documented.

  • Book a free call here.
  • Check out our employee awareness workshop package here.