EN
Data protection

New guidelines on data protection in employment relationships

13 December 2018

The Danish Data Protection Authority has published a new set of guidelines on some of the most common issues arising when processing personal data in employment relationships.

The guidelines include answers to the more general questions on the processing of personal data before, during and after employment - among other things, the guidelines address the following subjects:

  • Processing of personal data during the recruitment process
  • Rights of prospective candidates and employees, e.g. the right to be informed, the right of access and the right to be forgotten
  • Storage of personal data following termination of employment
  • Disclosure of employees’ personal data
  • Publication of employees’ personal data, e.g. photos on the company website
  • Employee monitoring, e.g. CCTV- and GPS-surveillance
  • Trade unions’ and union representatives’ processing of personal data

Several aspects within the new guidelines have also previously been addressed in an exhaustive manner by the Danish Data Protection Authority in the authority's other guidelines, e.g. on consent, the rights of registered data subjects etc. The new guidelines should therefore be read together with these other guidelines.

Processing personal data of prospective candidates

Among other things, you can read about what employers must be aware of in relation to the recruitment process. This includes obtaining of criminal records, gathering of personal data from candidates’ social media profiles, implementation of personality tests and storage of job applications. Additionally, if companies want to obtain references, it is important to be aware that this presumes the consent of prospective candidates.

What personal data can companies register and disclose about its employees?

The guidelines describe to what extent employers can process personal data collected in connection with employee performance and development interviews and workplace assessments, but also when and on which legal basis the employer subsequently can disclose such data lawfully, e.g. to trade unions, pension companies etc.

Surveillance, logging and employee monitoring

Employee monitoring is regulated in the Agreement on Control Measures between the unions and the employers’ organisations on the labour market and applies to companies’ subject to collective bargaining agreements. However, monitoring also includes processing of personal data and companies must therefore ensure compliance with applicable data protection law, especially if CCTV-surveillance or logging of internet use and e-mails is applied. In its guidelines, the Data Protection Authority provides a description of the general legal basis for such processing.

Do union representatives have an independent responsibility as data controllers?

The Data Protection Authority also describes when union representatives and trade unions qualify as data controllers. As a starting point, trade unions are the data controllers of union representatives from that organisation, if provided by the applicable collective bargaining agreement, rules etc. and if the representative is subject to its instructions. If this is not the case, the union representative will typically be considered as an independent data controller.

IUNO’s opinion

Processing of personal data in employment relationships is an extensive subject. The new guidelines provide some clarifications, but also give rise to new issues which the Data Protection Authority has not addressed. For example, the guidelines do not include information on the challenges arising from a data protection perspective, when employees use the company’s systems outside the workplace, e.g. when working from home or travelling abroad.

You can read the guidelines issued by the Danish Data Protection Authority here (in Danish). 

The guidelines include answers to the more general questions on the processing of personal data before, during and after employment - among other things, the guidelines address the following subjects:

  • Processing of personal data during the recruitment process
  • Rights of prospective candidates and employees, e.g. the right to be informed, the right of access and the right to be forgotten
  • Storage of personal data following termination of employment
  • Disclosure of employees’ personal data
  • Publication of employees’ personal data, e.g. photos on the company website
  • Employee monitoring, e.g. CCTV- and GPS-surveillance
  • Trade unions’ and union representatives’ processing of personal data

Several aspects within the new guidelines have also previously been addressed in an exhaustive manner by the Danish Data Protection Authority in the authority's other guidelines, e.g. on consent, the rights of registered data subjects etc. The new guidelines should therefore be read together with these other guidelines.

Processing personal data of prospective candidates

Among other things, you can read about what employers must be aware of in relation to the recruitment process. This includes obtaining of criminal records, gathering of personal data from candidates’ social media profiles, implementation of personality tests and storage of job applications. Additionally, if companies want to obtain references, it is important to be aware that this presumes the consent of prospective candidates.

What personal data can companies register and disclose about its employees?

The guidelines describe to what extent employers can process personal data collected in connection with employee performance and development interviews and workplace assessments, but also when and on which legal basis the employer subsequently can disclose such data lawfully, e.g. to trade unions, pension companies etc.

Surveillance, logging and employee monitoring

Employee monitoring is regulated in the Agreement on Control Measures between the unions and the employers’ organisations on the labour market and applies to companies’ subject to collective bargaining agreements. However, monitoring also includes processing of personal data and companies must therefore ensure compliance with applicable data protection law, especially if CCTV-surveillance or logging of internet use and e-mails is applied. In its guidelines, the Data Protection Authority provides a description of the general legal basis for such processing.

Do union representatives have an independent responsibility as data controllers?

The Data Protection Authority also describes when union representatives and trade unions qualify as data controllers. As a starting point, trade unions are the data controllers of union representatives from that organisation, if provided by the applicable collective bargaining agreement, rules etc. and if the representative is subject to its instructions. If this is not the case, the union representative will typically be considered as an independent data controller.

IUNO’s opinion

Processing of personal data in employment relationships is an extensive subject. The new guidelines provide some clarifications, but also give rise to new issues which the Data Protection Authority has not addressed. For example, the guidelines do not include information on the challenges arising from a data protection perspective, when employees use the company’s systems outside the workplace, e.g. when working from home or travelling abroad.

You can read the guidelines issued by the Danish Data Protection Authority here (in Danish). 

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Associate

Similar news

logo
Data protection

15 May 2018

Get ready for the GDPR – Part 5: E-mails

logo
Data protection

18 April 2018

Get ready for the GDPR – Part 4: Whistleblower arrangements

logo
Data protection

22 February 2018

Get ready for the GDPR – Employees’ right of access

logo
HR Legal Data protection

23 January 2017

Data security challenged in the home office

logo
HR Legal Data protection

5 November 2013

Mandatory whistleblower systems just around the corner

logo
HR Legal Data protection

21 December 2012

Financial services sector might introduce whistleblowing system

Events

logo
HR Legal Data protection
18 November 2014

Seminar on Employee Privacy and Data Protection in the Nordic Region (Stockholm)

logo
HR Legal Data protection
17 November 2014

Seminar on Employee Privacy and Data Protection in the Nordic Region (Oslo)

logo
HR Legal Data protection
11 November 2014

Seminar on Employee Privacy and Data Protection in the Nordic Region (Copenhagen)

logo
HR Legal Data protection
10 November 2014

Seminar on Employee Privacy and Data Protection in the Nordic Region (Helsinki)

// COOKIE INFORMATION POPUP SCRIPT