EN
Technology

New guidelines on data protection in employment relationships

logo
Legal news
calendar 13 December 2018
globus Denmark

The Danish Data Protection Authority has published a new set of guidelines on some of the most common issues arising when processing personal data in employment relationships.

The guidelines include answers to the more general questions on the processing of personal data before, during and after employment - among other things, the guidelines address the following subjects:

  • Processing of personal data during the recruitment process
  • Rights of prospective candidates and employees, e.g. the right to be informed, the right of access and the right to be forgotten
  • Storage of personal data following termination of employment
  • Disclosure of employees’ personal data
  • Publication of employees’ personal data, e.g. photos on the company website
  • Employee monitoring, e.g. CCTV- and GPS-surveillance
  • Trade unions’ and union representatives’ processing of personal data

Several aspects within the new guidelines have also previously been addressed in an exhaustive manner by the Danish Data Protection Authority in the authority's other guidelines, e.g. on consent, the rights of registered data subjects etc. The new guidelines should therefore be read together with these other guidelines.

Processing personal data of prospective candidates

Among other things, you can read about what employers must be aware of in relation to the recruitment process. This includes obtaining of criminal records, gathering of personal data from candidates’ social media profiles, implementation of personality tests and storage of job applications. Additionally, if companies want to obtain references, it is important to be aware that this presumes the consent of prospective candidates.

What personal data can companies register and disclose about its employees?

The guidelines describe to what extent employers can process personal data collected in connection with employee performance and development interviews and workplace assessments, but also when and on which legal basis the employer subsequently can disclose such data lawfully, e.g. to trade unions, pension companies etc.

Surveillance, logging and employee monitoring

Employee monitoring is regulated in the Agreement on Control Measures between the unions and the employers’ organisations on the labour market and applies to companies’ subject to collective bargaining agreements. However, monitoring also includes processing of personal data and companies must therefore ensure compliance with applicable data protection law, especially if CCTV-surveillance or logging of internet use and e-mails is applied. In its guidelines, the Data Protection Authority provides a description of the general legal basis for such processing.

Do union representatives have an independent responsibility as data controllers?

The Data Protection Authority also describes when union representatives and trade unions qualify as data controllers. As a starting point, trade unions are the data controllers of union representatives from that organisation, if provided by the applicable collective bargaining agreement, rules etc. and if the representative is subject to its instructions. If this is not the case, the union representative will typically be considered as an independent data controller.

IUNO’s opinion

Processing of personal data in employment relationships is an extensive subject. The new guidelines provide some clarifications, but also give rise to new issues which the Data Protection Authority has not addressed. For example, the guidelines do not include information on the challenges arising from a data protection perspective, when employees use the company’s systems outside the workplace, e.g. when working from home or travelling abroad.

You can read the guidelines issued by the Danish Data Protection Authority here (in Danish). 

The guidelines include answers to the more general questions on the processing of personal data before, during and after employment - among other things, the guidelines address the following subjects:

  • Processing of personal data during the recruitment process
  • Rights of prospective candidates and employees, e.g. the right to be informed, the right of access and the right to be forgotten
  • Storage of personal data following termination of employment
  • Disclosure of employees’ personal data
  • Publication of employees’ personal data, e.g. photos on the company website
  • Employee monitoring, e.g. CCTV- and GPS-surveillance
  • Trade unions’ and union representatives’ processing of personal data

Several aspects within the new guidelines have also previously been addressed in an exhaustive manner by the Danish Data Protection Authority in the authority's other guidelines, e.g. on consent, the rights of registered data subjects etc. The new guidelines should therefore be read together with these other guidelines.

Processing personal data of prospective candidates

Among other things, you can read about what employers must be aware of in relation to the recruitment process. This includes obtaining of criminal records, gathering of personal data from candidates’ social media profiles, implementation of personality tests and storage of job applications. Additionally, if companies want to obtain references, it is important to be aware that this presumes the consent of prospective candidates.

What personal data can companies register and disclose about its employees?

The guidelines describe to what extent employers can process personal data collected in connection with employee performance and development interviews and workplace assessments, but also when and on which legal basis the employer subsequently can disclose such data lawfully, e.g. to trade unions, pension companies etc.

Surveillance, logging and employee monitoring

Employee monitoring is regulated in the Agreement on Control Measures between the unions and the employers’ organisations on the labour market and applies to companies’ subject to collective bargaining agreements. However, monitoring also includes processing of personal data and companies must therefore ensure compliance with applicable data protection law, especially if CCTV-surveillance or logging of internet use and e-mails is applied. In its guidelines, the Data Protection Authority provides a description of the general legal basis for such processing.

Do union representatives have an independent responsibility as data controllers?

The Data Protection Authority also describes when union representatives and trade unions qualify as data controllers. As a starting point, trade unions are the data controllers of union representatives from that organisation, if provided by the applicable collective bargaining agreement, rules etc. and if the representative is subject to its instructions. If this is not the case, the union representative will typically be considered as an independent data controller.

IUNO’s opinion

Processing of personal data in employment relationships is an extensive subject. The new guidelines provide some clarifications, but also give rise to new issues which the Data Protection Authority has not addressed. For example, the guidelines do not include information on the challenges arising from a data protection perspective, when employees use the company’s systems outside the workplace, e.g. when working from home or travelling abroad.

You can read the guidelines issued by the Danish Data Protection Authority here (in Danish). 

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Managing associate (on leave)

Similar

logo
Technology

15 January 2024

Expensive right of access requests

logo
Technology

28 September 2023

Seven commandments when closing the business e-mail account

logo
Technology

19 September 2023

Unfair design practices resulted in a 345 million euro fine

logo
Technology

14 September 2023

Accessible personnel files resulted in a data breach

logo
Technology

14 September 2023

Deadline to establish whistleblower schemes for medium-sized companies approaching

logo
Technology

31 August 2023

New guidance from the Danish Data Protection Agency on direct marketing

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Managing associate (on leave)