Data protection has been an important topic for all companies since May 25, 2018. At the same time, data protection is not only about protecting the personal data of customers, cooperation partners, or suppliers, but also and especially about protecting the personal data of employees. Employers must therefore observe a number of data protection requirements with regard to their employees. In this blog post, you will learn which documents you have to prepare to comply with data protection law. Our templates, such as a declaration of commitment to data secrecy or a declaration of consent, support you in this.
Data protection in the employment contract – employers must observe this
The new General Data Protection Regulation (GDPR) is also colloquially referred to as the new data protection regulation. Before it, Germany had the Federal Data Protection Act (BDSG). The GDPR, on the other hand, is a Europe-wide regulation and thus sets the benchmark for the EU. European law takes precedence, which rendered the old BDSG (BDSG-Alt) partially obsolete. For this reason, the BDSG has been revised and now applies in addition to the GDPR.
The GDPR contains rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Art. 1 Para. 1 GDPR. It also protects the fundamental rights and freedoms of natural persons, in particular their right to informational self-determination and their general right of personality under Art. 2 Para. 1 in conjunction with Art. 1 Para. 1 GG, see Art. 1 Para. 2 GDPR.
The GDPR is not the only new data protection law:
At the same time, the new Federal Data Protection Act (BDSG-Neu) came into force on May 25, 2018. The BDSG-Neu contains explicit rules on the processing of personal data in the employment relationship. The GDPR, on the other hand, contains more generally applicable requirements for the processing of personal data, which naturally also apply to the employment relationship. Data subjects, i.e. the employees of a company, are particularly protected by Art. 15 ff. GDPR. Employers must be aware that under Art. 4 No. 7 GDPR they are the controller responsible for the processing of personal data. This means that the employer has to ensure that all data protection requirements, including those in the area of employee data, are complied with. It is therefore all the more important to take data protection requirements into account from the very start of processing employee data.
Why employers should consider the GDPR in the employment contract
Section 26 (1) BDSG is a legal basis for the processing of personal data in the employment relationship. Such processing is permitted if it is necessary to carry out the application process or the subsequent employment relationship. In addition, under the further requirements of Section 26 (1) sentence 2 BDSG, processing for the purpose of detecting criminal offences committed in the course of employment is permitted. According to Section 26 (7) BDSG, the requirements of Section 26 (1) BDSG also apply if the data is not stored, or not intended to be stored, in a file system. The data protection principles must be observed as well. In the case of consent, the principle of voluntariness under Section 26 (2) sentences 1 and 2 BDSG and the formal requirement of Section 26 (2) sentence 3 BDSG must be observed in particular.
In more detail:
In an employment contract, data such as the name and address of the respective employee are usually processed. Further data is collected and processed after signing, in the context of a personnel questionnaire. This data is generally required to set up a personnel file and to prepare payroll statements. Tax law requirements also demand certain information from employees. In this context, it is important that the employer informs his employees transparently and understandably about all the necessary points in accordance with Art. 13 GDPR.
The information obligations in the GDPR ensure that data subjects learn in detail how their personal data is processed and what rights they can assert in this regard. In addition to the information obligations, employers must therefore ensure that there is always a legal basis (see Art. 6, 9 GDPR) for the respective processing of personal data, that the principles of data processing under Art. 5 GDPR are complied with, and that all other general requirements of the GDPR are met, such as Art. 32 GDPR with regard to technical and organizational measures. In addition, the special provisions of the BDSG-Neu, in particular § 26 BDSG-Neu, must be observed, see Art. 88 GDPR.
What obligations do employers have in the employment contract?
Data protection clauses can only be included in the employment contract itself to a limited extent, since the data protection information is usually several pages long and would make the employment contract far too long. We therefore recommend providing the specific data protection information in an appendix to the employment contract. The employment contract itself should regulate confidentiality obligations regarding business and trade secrets. In this context, the new law on the protection of business secrets should be taken into account in particular.
However, as an employer it is important to know who falls under the category of employees. According to § 26 Paragraph 8 BDSG-Neu, this includes:
- Employees, including temporary agency workers in relation to the hiring company,
- Persons employed for their vocational training,
- Participants in benefits for participation in working life and in assessments of professional suitability or work trials (rehabilitants),
- Persons employed in recognized workshops for disabled people,
- Volunteers who perform a service under the Youth Voluntary Service Act or the Federal Voluntary Service Act,
- Persons who are to be regarded as employee-like because of their economic dependence; this also includes home workers and persons treated as equivalent to them,
- Civil servants of the federal government, federal judges, soldiers, and persons performing civilian service.
From a data protection perspective, employers must observe the following points when processing employee data:
At the time the data is collected, the employer must inform his employees in accordance with Art. 13 GDPR. This applies to all the information listed in Art. 13 GDPR. Art. 12 GDPR specifies the manner in which this information must be provided. This information should be issued as an appendix to the employment contract. If the data is collected earlier, the information must also be provided earlier, i.e. at the time of collection. As a rule, the first collection of data from future employees takes place during the application process. For employers, this means that the receipt of applications by email as well as via social networks must also be covered.
In addition, employees must be obliged to data secrecy in accordance with Art. 32 Para. 4 GDPR. In this context, make sure to use a declaration of commitment that contains all the required information. The declaration of commitment to data secrecy must be countersigned by the employees. This declaration should also be included in the appendix to the employment contract.
When processing the data, employers must observe the principles of data processing according to Art. 5 GDPR:
- Personal data must be processed lawfully, fairly, and in a transparent manner, Art. 5 Para. 1 lit. a) GDPR.
- The principle of purpose limitation according to Art. 5 Para. 1 lit. b) GDPR must be observed.
- In addition, the principle of data minimization (data economy) must be observed when processing personal data, Art. 5 Para. 1 lit. c) GDPR.
- Personal data must be accurate, i.e. meet the principle of accuracy, according to Art. 5 Para. 1 lit. d) GDPR.
- The principle of storage limitation also plays an important role in employee data protection and must be observed, see Art. 5 Para. 1 lit. e) GDPR.
- In addition, personal data must be processed in a manner that complies with the principles of integrity and confidentiality, Art. 5 Para. 1 lit. f) GDPR.
Guidelines, e.g. regarding the use of IT and the company's internet, should be created and countersigned by the employees.
The use of video surveillance within the company also affects the right to one's own image and the right to informational self-determination as parts of the general right of personality under Art. 2 Para. 1 in conjunction with Art. 1 Para. 1 GG. The use of video surveillance systems therefore requires a legal basis within the meaning of Art. 6 Para. 1 GDPR. This can be consent in accordance with Art. 6 Para. 1 lit. a) GDPR or a legitimate interest on the part of the employer within the meaning of Art. 6 Para. 1 lit. f) GDPR.
In the case of consent, it is particularly important to comply with the requirements for the declaration of consent:
- Unambiguity
- Voluntariness
- Revocability
- Recognizable purpose of processing
- Explicit description of the processing.
These requirements must also be observed when employees themselves are involved in data processing.
Furthermore, employers must ensure that any processing of personal data for which there is no statutory legal basis is covered by informed consent that meets the requirements of the GDPR and is handed over to and signed by the employees concerned. A statutory legal basis for the processing of personal employee data may also exist. However, it must be carefully checked whether this legal basis is sufficient for the intended processing. Otherwise, a declaration of consent is required as well.
However, employees cannot be compelled to sign the declaration of consent, since one of the central characteristics of consent is always voluntariness, which is particularly important in the employment relationship, see Art. 7, 9, 88 GDPR, Section 26 (2), (3) BDSG-Neu. If consent is not granted, the intended processing must not take place. A sample declaration of consent is available, which, however, must always be adapted to the individual case and, if necessary, expanded. It is important that the declaration of consent contains all the necessary information according to Art. 7, 8, and 12 ff. GDPR and in particular a notice of the right to withdraw consent.
Collected data in the employment contract
As part of the employment contract, the following (partly special category) personal data is recorded: surname, first name, address, date of birth, place of birth, marital status, religious affiliation, email address, telephone number, and ID card number. In addition, social security data and account details for salary payments are processed. Assessments of the employee, as well as completed training courses, are also added to the employee's file. In addition, certificates and qualifications, as well as the documents relating to the termination of the employment relationship, are kept.
Inform employees about the use of the data
The rights that the employee has with regard to the processing of his data must be communicated in a sufficiently clear and understandable manner. Above all, the use and purpose of the processing must be communicated. In addition, the employee must be informed about the following:
- Data protection officer
- Contact details of the employer
- The basis and purpose of processing in the sense of § 26 Paragraph 1 S.1 BDSG
- Storage duration (also with applications)
- Disclosure of the data to third parties (also for applications)
- Third-country transfer
- Right to lodge a complaint with the supervisory authority
- Right of withdrawal
- Instruction on the rights of the person concerned (Art.15-21 GDPR)
GDPR checklist for the employee context:
- If service providers are used for the processing of personal data, it must be checked whether this constitutes processing on behalf of the controller within the meaning of Art. 28 GDPR. If so, corresponding data processing agreements must be concluded with the processors. The content of these agreements must take into account the requirements of Art. 28 GDPR.
- Employees must be trained with regard to their data protection obligations, see Art. 39 Para. 1 lit. b) last alternative GDPR.
- A procedure for the lawful handling of data subject rights under Art. 15 to Art. 23 GDPR, especially when asserted by current or former employees, must be developed by the employer with the help of the data protection officer and integrated into the company's processes.
- The processing of employee data must be included in the record of processing activities (VVT) in accordance with the requirements of Art. 30 GDPR.
- In addition, all technical and organizational measures required under Art. 32 GDPR must be established in the area of employee data processing.
- Your data protection officer will inform you of further data protection obligations after a detailed inventory of the processing of your employees' personal data.
The accountability obligation under Art. 5 Para. 2 GDPR must always be taken into account: the employer is responsible for demonstrating compliance with data protection law.
Consequences of employer violations of data protection law
A violation of the data protection requirements can have serious consequences for the employer: under Art. 83 Para. 4 lit. a) GDPR, a violation of the obligations mentioned here can be punished with fines of up to EUR 10 million or, in the case of an undertaking, up to 2 % of its total annual turnover of the preceding financial year, whichever is higher.
In the event of a violation of the provisions mentioned in Art. 83 Para. 5 lit. a) and b) GDPR, fines of up to EUR 20 million or, in the case of an undertaking, up to 4 % of its total annual turnover of the preceding financial year can even be imposed, whichever is higher.
Please note that all templates provided in this blog post can only serve as a basis for the creation of individual documents. All templates must therefore still be adapted or supplemented. Your data protection officer can advise you on the creation of data protection documents. Our Keyed experts will be happy to support you in creating the necessary documents for your employees.
Data protection guidelines for employees
Guidelines, e.g. regarding the use of IT and the company's internet, should be created and countersigned by the employees. Guidelines are an important component, since they contribute to compliance with the General Data Protection Regulation and also offer the employer individual design options. In an IT guideline for employees, for example, the company's information security can be improved by requiring the use of secure passwords, banning the use of private storage media, and defining reporting procedures in the event of theft or loss. Furthermore, the following data protection guidelines can structure everyday processes in the company and at the same time increase data security:
- Use of company email accounts
- Deletion of personal data
- Handling of data subject rights
- Use of company internet and telephone lines