On May 25, 2018, the new EU General Data Protection Regulation (GDPR) and the new German data protection law are entering into force simultaneously. They are no grandfathering clauses; the new laws immediately apply as of the first day without any limitations.
In order to enforce the new regulations in practice especially the GDPR establishes drastic penalties. Fines to the height of 20 Mio Euros or 4% of the total worldwide turnover of the undertaking in previous business year can be imposed.
As before, special rules apply for employee data. This brief overview explains which organisational steps should now be taken by companies, which have not yet started a review in order to avoid huge financial risks as of spring 2018.
Analysis of status quo in view of new legislative requirements
First of all regulations of the new EU and German data protection laws need to analysed and matched against all data processing taking place within the company. Questions, which must be answered, are (among others):
- Which personal data of employees are processed and saved for how long?
- What is the purpose of the data processing and storage?
- Which policies, procedures and safety rules are currently in place?
- How the documentation of data does processes current work, who supervises data storage and guaranties its security?
- Which data are transferred to foreign countries, especially outside the EU and service providers?
After having answered questions as above it needs to be clarified on which legal basis data processing and storage happens. In accordance with the previous concept of European and German data protection laws the use and processing of personal data is generally forbidden unless a specific legal provision expressly allows such data processing. There are some legal provisions which allow the processing of employee data, since without any data processing the administration of employee relationships would not be possible.
Any further use and processing of data – which is standard practice in most companies – can be based on a voluntary consent of each individual Employee, insofar – however – much stricter rules will apply in future.
Finally shop agreements might be a suitable legal source in companies with an elected works council. As far as existing shop agreements are concerned it is quite clear – however – that most do not comply with the new EU and German data protection laws and therefore must be renegotiated with the works council in time before May 2018.
The foreseeable need for adjustments especially results from new and extensive information obligations, for example employees must be provided with information such as:
- Contact data of the relevant department/ person within the company as far as data processing is concerned
- Purpose and legal bases of data processing
- As far as legally required: information on the justified interest of the data processing entity
- Recipient of data (in case of data transfers)
- Especially: detailed information about transfer of data to non EU countries
- Duration of a data storage
- Rights of employees as far as storage, deletion and transfer of data are concerned
Further information rights relate to the correction of wrong data entries, the withdrawal of a declared consent (which must be possible at any time), and complaints to governmental authorities.
All employees must be actively informed about all of their rights.
Further it needs to be established, whether a workable concept of data deletions exists. It must be encertained, that all employee data are easily transferable to governmental authorities in case of a request for information.
Violations of data protection rights must be easily detectable and any violation must be documented. In certain cases an automated report must be sent to governmental authorities and concerned employees in case of data protection violations.
After having analysed the status quo in view of the new legal requirements the areas need to be identified, in which urgent need for action exists.
Typically the IT department, the Data Protection Officer (DPO), HR and external legal advisors are needed to develop a strategy that ensure compliance and avoids risks.
Implementation of urgent adjustments
The next step is a careful planning both of the budget and the time line of relevant actions to be taken. In view of the complexity and multitude of tasks prioritization will be necassary. This means, that in view of the penalties of the GDPR those areas have to be identified, in which there is urgent need for action and where high penalties are looming.
Among the first steps will often be:
- The deletion of all data not necessarily required for the business (including non-electronic employee data)
- The development of new templates for employee consent taking into account the new extensive information requirements under the GDPR
- An update and adjustment of all IT and data privacy policies, especially those regulated in shop agreements (calculating adequate time needed for a negotiation with employee representatives)
- The review existing procedures for security breaches; essecially regarding information, sorage, correction and deletion of data
- The review of the position of the DPO as far as at least 10 employees with data access are employed a DPO is mandatory under German law
- The development of clear guidelines for the documentation of all data process including portability to relevant authorities
- The development of and impact assessment procedure for critical processes
On top of the above includes a thorough instruction of all employees which have to deal with employee data and its processing is required.
The new legal requirements will enter into force in less than six months from now. They create an urgent need for action in most companies. As far as the review process has not yet been started it must begin immediately. As soon as the result of the analysis are available a planning process must begin, which prioritises the most urgent tasks.
A cooperation between the IT-department and external service providers will be needed to define the necessary technical instruments. Management and HR department will then be responsible for the implementation of the new data protection rules towards employees and works councils.
In view of the necessary coordination and negotiation between all parties involved time is running out, if the process has not yet been started or still is in its early stages. Thus it will be good practice to immediately start the new year with a thorough look at the new legislation as well as existing company rules in order to be compliant with the mandatory laws punctually on May 25, 2018.