Data protection laws protect employees from the misuse of their personal data – employee home addresses and beyond – sensitive data. As an employer, you’ll be trusted to safeguard and protect your employees’ data against a breach, meeting data privacy laws and regulations.
Employers need to develop policies that take a compliant but balanced approach towards their employee data privacy and security. Organisations must implement the appropriate infrastructure, management and workforce to keep data compliant throughout its lifecycle because those accused of violating data privacy rights risk significant hits to the company’s reputation and employees’ trust.
This article covers the most updated laws in personal data in 61 key jurisdictions across the Americas, Asia Pacific, the Middle East, Europe and Africa:
UGANDA: The 2019 Data Protection and Privacy Act, was passed into law to complement the constitutional privacy protections under Article 27 of the Constitution of the Republic of Uganda. The Act itself regulates all personal data collection, processing, use and disclosure. It applies to any person, entity or public body within or outside of Uganda who collects, processes, holds or uses personal data. The Act requires an employer to obtain informed consent before collecting or processing personal data. The Act permits the processing or storage of personal data outside Uganda – if adequate measures are in place.
SOUTH AFRICA: The right to privacy is protected under the 1996 Constitution of the Republic of South Africa. The common law and the Protection of Personal Information Act, 2013 (POPIA), came into effect on 1 July 2020, however is subject to a grace period until 30 June 2021. Case law recognises that the right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so. Personal information may be processed based on one of the justifications for processing personal data under POPIA. These justifications include consent and where it is necessary for pursuing the legitimate interests of the responsible party or employer, or third party to whom it is disclosed.
NIGERIA: The National Information Technology Development Agency has published Data Protection Guidelines, 2019 which safeguard the rights of natural persons to data privacy
MOZAMBIQUE: The Constitution of the Republic of Mozambique, as well as the recently enacted Electronic Transactions Law (The Law No. 3/2017, of 9 January), prohibits access to databases or to computerised archives, files and records for obtaining information on the personal data of third parties, as well as the transfer of personal data from one computerised file to another that belongs to a distinct service or institution, except in cases provided for by law or by judicial decision. The Labor Law establishes that employers may not require an employee to supply information regarding their private life, except when particular requirements inherent to the nature of the professional activity so require. In addition, employees’ personal data obtained by an employer is subject to a duty of confidentiality. Information where the release of which would violate that employee’s privacy rights may not be given to a third party without the employee’s consent unless it is required by law.
KENYA: The Data Protection Act, 2019 gives effect to Article 31(c) and (d) of the Constitution on the right to privacy. The Act establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data and provides for the rights of data subjects and obligations of data controllers and processors, among others. The Act is modelled along the lines of the EU General Data Protection Regulations (GDPR). The Constitution guarantees the right to privacy. The Computer Misuse and Cyber Crimes Act, 2018 creates various offences, including the right to privacy, concerning computer systems.
KUWAIT: There are no clear laws in Kuwait comparable with those in the US or Europe concerning the handling and transmission of employees’ personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Kuwait law, including the protections set out in the Kuwait Penal Code and the Kuwait Constitution.
ANGOLA: The Data Privacy Law No. 22/11, 17 June, governs Angolan data privacy and determines, in general terms, how to collect, use, disclose, store and give access to “personal information.” There is no specific regulation on employee data privacy.
JAPAN: The receipt, maintenance of and access to personal information relating to an individual is regulated by the Act of Protection of Personal Information. Broadly, upon the collection of such information, the collector must notify the person of the purpose of the use of such information and after that must take necessary and proper measures to prevent leakage, loss or damage of that information, and take other reasonable steps to control the security of the personal information. In addition, the party maintaining such information is required to adopt internal regulations designed to ensure the confidential and secure maintenance of such information as long as it is held. Disclosure of personal information to third parties (parent and affiliated companies are considered third parties) is strictly limited.
INDIA: Employee records and employee access to data The Information Technology Act, 2000 covers data protection and violation of personal privacy. This statute safeguards against certain breaches concerning data from computer systems, prevents unauthorised use of computers and creates liability for damage suffered in the event of unauthorised access, downloading, extraction and copying of data from a computer system or network. It stipulates the penalty for breaches of confidentiality and privacy. The storage, management and handling of sensitive personal data or information belonging to persons located in India is regulated by the Sensitive Information Rules enacted under the Information Technology Act, 2000. The government of India has also released the Personal Data Protection Bill, 2019 (Data Protection Bill), which the Indian government is considering replacing the Sensitive Information Rules. Sensitive personal data or information is defined under the Sensitive Information Rules to include passwords, financial information, physical, psychological and mental health conditions, sexual orientation, medical records and history, and biometric information. Any body corporate receiving any of the above types of information due to either using the services of an individual or employing an individual must comply with the Sensitive Information Rules regarding the processing and storing of such information.
MALAYSIA: Governed by the Personal Data Protection Act 2010 (PDPA), employers must obtain employees’ consent (implied or express). Explicit consent is required if “sensitive personal data” is being collected. Businesses must notify their employees of the nature and purpose of the information being collected, to whom it is being disclosed, and that the employees have the right to access such data. Employee consent is also required before employee personal data is shared with third parties (external payroll service providers). As a result of the PDPA, an employee consent/notice document is required. This document has to be bilingual – in English and Bahasa Malaysia – and is usually a separate document and referenced in the employment contract.
SINGAPORE: Employers are required to notify employees the reason behind the usage of their personal data in connection with the management and termination of employment and/or obtain their consent where collecting, using or disclosing their personal data. However, under the PDPA, an employer is permitted to collect, use and disclose the employees’ personal data for purposes of managing or terminating an employment relationship without the need to seek employee’s consent, so long as the employee has been notified of the purposes of such collection, use and disclosure and/or provides their consent before such collection, use and disclosure. Further, employers may collect, use and disclose personal data without obtaining the employees’ consent or notifying them where it is necessary for evaluative purposes, including determining the suitability or eligibility of an individual to whom the data relates for employment continuance in employment or promotion. Note that employers must seek consent for purposes that are not related to or collect personal data that is not relevant to the management or termination of an employment relationship or that are not relevant for evaluative purposes unless any other exception under the PDPA applies.
THAILAND: The Personal Data Protection Act BE 2562 (2019) (PDPA) was enacted on 28 May 2019 and has full effect from 27 May 2020. The PDPA is the first-ever law relating to personal data protection in Thailand. Essentially, consent is required for the collection, use and/or disclosure of personal data. Under the PDPA, the term ‘personal data is defined as any data pertaining to a person that enables identifying that person, whether directly or indirectly, but specifically excluding data of someone deceased.
MYANMAR: There are no specific regulations or laws. However, according tothe Protecting the Privacy and Security of Citizens (enacted on 8 March 2017), a person is not allowed to do the following without permission of the relevant authorities:
- Request or acquire any private call data, electronic communications data and information from operators or supply such information
- Open, search, seize, destroy or damage any envelope, parcel or correspondence communicated that are the personal affairs of other individuals; and
- Criticise or interfere in the personal affairs and family affairs of any citizen or engage in conduct that may be detrimental to the good name, standing or dignity of an individual Other than the above, there are currently no other laws or regulations on data privacy.
VIETNAM: The Civil Code requires any person to seek an individual’s consent before collecting, storing, using or publishing their personal data. The parties to a contract are not permitted to disclose any information about the private life or personal affairs that they became aware of in the course of entering into and performance of the contract. The 2018 Law on Cyber Security covers any domestic or foreign enterprise that provides services on telecommunications networks, the internet or value-added services in Vietnam’s cyberspace. The law governs the collection, exploitation, analysis, and processing of personal data, data about service users’ relationships, and data generated by them in Vietnam. Under this law, any such data must be stored in Vietnam under the terms stipulated by the government. Any such foreign enterprise must have a branch or representative office in Vietnam.
Indonesia: Law No. 11 of 2008 on Electronic Information and Transactions, as amended, restricts the electronic use of private data without the data subject’s consent. Under Law No. 39/1999 on Human Rights, each individual has the right to their privacy and cannot be subjected to an investigation in relation to personal data without their agreement, except on the order of a court or other legitimate authority under prevailing legislation. A new draft of the Data Privacy Law has been prepared, but it is unclear when it will be introduced.
SOUTH KOREA: Under the PIPA, an employee is entitled to request the employer to allow access to, correct, or delete personal information. The PIPA requires an employer to obtain the consent of the individual employee when his or her personal information is obtained or provided to third parties.
UNITED ARAB EMIRATES: Except for the Dubai International Financial Centre Free Zone, there are no clear laws in the UAE concerning handling and transmitting employees’ personal information, nor are there any provisions addressing the cross-border flow of data. However, it is advisable to seek prior written consent to process personal data from the employee to the extent necessary to address the privacy protections set out in UAE law, including the protections set out in the UAE Penal Code, Cyber Crimes laws and the UAE Constitution.
SAUDIA ARABIA: The transfer of employee data outside of the KSA is not regulated under Saudi law. However, general Sharia principles provide for personal data protection rules. These imply that employers should include provisions in employment contracts where the employee’s consent is required for the employer to use or disclose the employee’s data to third parties, to the extent that such disclosures may be required.
TUNISIA: Under Tunisian law, all people have the right to protect personal data related to their private life, which applies to both automated and non-automated treatment of data. Personal data is defined as information that directly or indirectly permits identifying a physical person, except for data linked to public life or defined as such under the law. In general, any organisation planning to use personal data must make a declaration of the data to the National Authority for the Protection of Personal Data. However, there are exceptions for employers using employee data. In addition, express written consent from the data subject is required in most cases.
TURKEY: Employees must be notified of personal data processing. Their prior written consent should be obtained (unless exceptions stipulated under the relevant legislation are present) for such processing and transfer of their personal data. Personal data should be processed: 1) In accordance with the law; 2) In good faith; 3) For definite, clear and legitimate purposes 4) In a relevant and measured manner; 5) Data controllers (i.e., individuals or legal entities that determine the purposes and means of processing personal data – for example, employers) are required to be registered with the Data Controllers Registry.
QATAR: According to law No. 13 of 2016 on Protection of Personal Data Privacy (Data Protection Law), businesses must protect the privacy of personal data or risk fines of up to QAR 5 million. Some of the key features of the new law are: Personal data is defined as data relating to an individual whose identity is determined, or able to be reasonably determined, either through the data or through linking this data with other data The Data Protection Law applies to personal data when it is processed electronically, or when it is accessed or collected or extracted otherwise in preparation for its electronic processing, or when it is processed in a traditional and electronic way together. The processing of personal data will be regulated in a way that bears similarities with existing data protection regulations elsewhere in the world. Particular protection will be provided to certain types of personal data, such as data relevant to children, to physical and mental health and crimes referred to as sensitive personal data.
OMAN: There are no clear laws in Oman comparable to those in the US or Europe concerning the handling and transmitting of employees’ personal information. However, the Electronic Transactions Law, RD 69/2008 (ETL), provides for the protection of personal data and regulates the transfer of personal data outside of Oman. The Cyber Crime Law, Royal Decree no. 12 /2011 (Cybercrime Law), provides an offence to violate the privacy of individuals through technology and prohibits the collection of private data. It is advisable to seek prior written consent from employees to process their personal data to the extent necessary to overcome the various privacy protections set out in the applicable civil and criminal laws.
Bahrain: Personal data privacy is protected under Law No. 30 of 2018 with respect to Personal Data Protection (PDPL). Employees must be notified before employers process personal data. Prior written consent should be obtained (unless exceptions stipulated under the relevant legislation are present) for such processing and transfer of their personal data. Transfers of personal data out of Bahrain is prohibited unless the transfer is made to a country or region that provides sufficient protection to personal data. Those countries have yet to be listed by the Personal Data Protection Authority or published in the Official Gazette.
PERU: During employment, organisations can collect employee personal data. However the processing of the data must be done in accordance with the guiding principles provided by the Peruvian Data Protection Law. And according to Peruvian Data Protection Law, personal data may only be processed and/or transferred with prior consent- consent must be free, informed, express and unequivocal. However, a company does not need the employee’s express consent to OBTAIN personal data (if this information is needed for employment. Still, it must comply with the duty of inform about the processing of personal data.
BRAZIL: The upcoming (September 18, 2021) the new General Data Protection Law (Lei Geral de Proteção de Dados or LGPD) is Brazil’s first comprehensive data protection regulation. It applies to any processing operation carried out by a natural person or a legal entity, of public or private law, irrespective of the means used for the processing, the country in which its headquarters are located or the country where the data is located, provided that:
- The processing operation is carried out in Brazil
- The purpose of the processing activity is aimed at the offering or provision of goods or services or the processing of data of individuals located in Brazil, or
- The personal data was collected in Brazil.
- The LGPD does not contain specific employment provisions, but its provisions cover employment data.
- The monitoring of corporate e-mail and internet use is allowed, but employees should be notified that they cannot expect privacy to use these work tools.
MEXICO: To process personal data, data controllers must provide a privacy notice to employees prior to collecting and processing the personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject (i.e., the employee).
MOROCCO: In accordance with law No 09-08 on data protection, employees must be notified of data processing and their consent is required. Employees should be given the right to have access to and modify/amend their own personal data. Organisations must declare data processing to the National Control Commission for the Protection of Personal Data (Commission Nationale de protection des Données Personnelles).
US: Certain states restrict the use of employees’ social security numbers for any identifying purposes. Medical information must be maintained separately from personnel files and kept confidential. Otherwise, employers are entitled to monitor or search corporate e-mails and internet traffic accessed by employee’s computer systems – on the premise; employees do not have an expectation of privacy in the use of their employer’s computer systems or corporate e-mails (especially with a policy that says so). Jurisdictions vary as to an employer’s ability to search or monitor personal e-mail addresses and websites accessed from an employer’s computer or premises.
VENEZUELA: Although there is no specific regulation regarding data privacy, employers have a general duty to uphold employees’ right to privacy and must observe the data protection principles determined by the Supreme Court (DP Principles). The DP Principles apply to systems, registers or compilations of data that allow the creation of a complete or partial profile of an individual forming part of such system, register or compilation (in this case, an employee, for example). There is no clear outline of what a “complete or partial profile” involves. This means that, in general, employee consent is required to process personal data. Venezuelan case law does not draw a distinction between forms of personal data. Therefore, there are no separate standards for the protection of sensitive data. According to the DP Principles, employers must (i) inform the employee what data has been collected, (ii) inform the employee of the purpose(s) of the collection of their personal data, (iii) inform the employee who will be the final users of the data (i.e., whether any third parties will have access to the data) and (iv) allow the employee to correct any erroneous data or delete any data that may be incomplete, inadequate or excessive in relation to the purpose(s) for which they were gathered (and this must be communicated to any third party who has been given access to the personal data). Venezuelan law also provides for the protection of private communications, and employers have a strict obligation to keep employee health information and records confidential.
COLUMBIA: To process personal data, data controllers must provide a privacy notice to the affected employees before collecting and processing personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject/employee. Employees have the right to know, update and correct their personal data. This right may be exercised in relation to partial, inaccurate, incomplete, split or deceptive data, and/or data that is prohibited from or not authorised for processing, such as race or ethnic origin, political orientation, religious or philosophical orientation and enrollment to unions or social organisations, among other items considered sensitive information. Employees may revoke the authorisation granted for the processing of their personal data and may request to remove their personal information from the employers or subcontractor’s databases by filing a formal claim, save for information directly related to their employment (e.g., HR core data, recruitment, performance, global compensation learning and training-related data and master data). This possibility is only applicable in the case of wrongful use of the employee’s information.
CHILE: The employer is obliged to maintain the privacy of the information and personal data related to its employees. The right to personal data protection has the status of a constitutional right, and therefore any breach can lead to litigation for impairment of fundamental rights.
ARGENTINA: The Argentine Data Privacy Law No. 25,326 (Ley de Protección de Los Datos Personales or LPDP) protects the personal data stored in files, registers, data banks or other technical storage of data processing, whether public or private, in order to guarantee the right to honour and privacy of the data of individuals, as well as to restrict the access to such information, in accordance with the provisions set out in Article No. 43, the third paragraph of the Argentine National Constitution.
AUSTRALIA: Australia has stringent data privacy obligations. As a general rule, personally identifiable data may only be processed if required for the employment contract’s performance and constitutes an employee record. Certain acts and practices are exempt from applying Australia’s data privacy laws, but strict criteria must be met for an exemption to apply. Employee records are generally exempt, but this exemption will not apply to documents that come into existence prior to the employment relationship (e.g., pre-employment or hire documentation) of any contractors engaged by the business. At the time it collects personal information, the employer is required to provide the individual with a statement setting out the company’s obligations under Australia’s data privacy laws and the individual’s rights. Further restrictions apply to sensitive personal data. Employee records – with the exception of tax file numbers – are not covered by the Australian notifiable data breach regime, which requires notification to the Office of the Australian Information Commissioner (OAIC) and to affected individuals of any data breach that could result in serious harm. However, the OAIC advises that it is good practice for employers to notify employees affected by a data breach so that they may take protective action. The monitoring of individuals and their data is covered by various surveillance legislation in each state or territory. Essentially, surveillance of employees is prohibited in sensitive areas, such as washrooms and change rooms, unless the surveillance device is installed pursuant to a warrant or authorisation. Surveillance is permitted in public areas if it conforms with relevant legislation. Specific laws in some states govern the monitoring of an employee’s use of a work computer (i.e., e-mails and internet browsing).
ISRAEL: Employees generally must be notified of the terms of the employer’s personal data processing policy and must consent to it. Registrations in the Databases Register may be required. Special rules apply to data transfer outside Israel. Significant restrictions on monitoring e-mail and Internet use. Monitoring personal e-mail is restricted.
CANADA: Legislative requirements vary by jurisdiction. Where privacy laws apply, personal information must only be collected with consent and may only be used for its purposes. In most jurisdictions, e-mail and internet use may be monitored where notice has been given through clear employer policies.
PHILIPPINES: When an employer collects and processes personal information of its employees, especially sensitive personal information, the employer must comply with applicable guidelines on the adoption of organisational, physical and technical security measures and the registration thereof with the National Privacy Commission. The data subject must have given their consent prior to the collection or as soon as practicable and reasonable. An employer’s collection of personal information from its own employees does not require the employee’s prior written consent, provided the personal information collected and the processes applied to such information are only to the extent necessary for compliance with legal requirements prescribed for an employer-employee relationship.
RUSSIA: In certain cases, employers are required to obtain the prior written consent of their employees in order to process their personal data (e.g., transferring personal data to third parties, including cross-border transfers).
TAIWAN, REPUBLIC OF CHINA: The Personal Data Protection Act governs collecting, processing, and using employee personal information. The Act has notice and consent requirements that may be applicable to the collection, processing and use of employee information. This applies to the cross-border transmission of the information or any use outside of the norms of a domestic employment relationship. Under amendments to the Employment Service Act that came into force in late 2012, the amount of personal information that an employer may request from an employee or prospective employee has been severely restricted. Prohibited or restricted requests for personal information include physiological information (e.g., medical tests and fingerprints), psychological information (e.g., psychiatric tests and polygraph tests) and personal lifestyle information (e.g., financial records, criminal records, family information/plans and background checks).
CHINA: The Regulations on Employment Services and Employment Management require that an employee’s personal data is kept confidential and not made public without the employee’s consent. The PRC Cyber Security Law imposes new security and data protection obligations on “network operators,” puts restrictions on transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products. The Civil Code strengthens the protection of individuals’ privacy and personal information. It improves the legal definition of personal information and clarifies the connotation, principles, and conditions of handling personal information and strengthens the information security obligations of processors.
HONG KONG, SAR: The PDPO is principally concerned with 6 data protection principles (DPPs). Broadly, these require:
- That personal data is only collected for a lawful purpose, that only personal data that is necessary and not excessive for that purpose is collected and that individuals are informed of certain things before data is collected or used (DPP 1)
- That all reasonably practicable steps are taken to ensure that personal data is accurate and that it is only retained for as long as is necessary to fulfil its purpose (DPP 2)
- That personal data is not, without the prescribed consent of the job applicant or employee, used for a purpose other than the purpose for which it was collected (DPP 3)
- That all reasonably practicable steps are taken to ensure that the personal data is secure and protected against unauthorised or accidental access, processing, erasure or other use (DPP 4)
- That all reasonably practicable steps are taken to ensure that an individual may access information about the data user’s policies and practices in relation to personal data, the kind of personal data about them that is being held and the purposes for which it will be used (DPP 5) and
- With some exceptions, an individual is entitled to request access to all personal data held by a data user and correct that data if it is inaccurate (DPP 6).
There are provisions in the PDPO that restrict the transfer of personal data outside of Hong Kong, but these are not currently in force.
The European Union’s (EU) General Data Protection Regulation (GDPR) came into force in 2018. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As both hackers exposed this data and, in some cases, simply through poor security measures, governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of GDPR held some uncertainty and unknowns for organisations subject to its guidelines, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: Violators of the GDPR may be fined up to €20 million or up to 4 per cent of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.
SLOVAK REPUBLIC: Covered by the national data protection laws and GDPR. Processing of personal data is generally unlawful except as listed in relevant legislation or based on the consent of the individual. Special rules apply to data transfers outside the EEA. In general, an employer may collect personal information on an employee related to their qualifications and professional experience and other information relevant to the work carried out by the employee. From May 2018, Slovakia is subject to the GDPR, which introduced significant new obligations and onerous sanctions for employers. In specific cases, Act No. 18/2018 Coll. on Personal Data Protection, as amended, applies.
CZECH REPUBLIC: Generally, employees must be notified of personal data processing (e.g., camera recordings) and, in certain limited cases, give their consent (e.g., for the use of the employee’s personal data for marketing purposes)—significant restrictions on monitoring employees, including e-mail and internet use. The Czech Republic is subject to the General Data Protection Regulation (GDPR). The local law implementing the GDPR was issued in 2019.
BELGIUM: Employees generally must be notified of personal data processing and, in certain cases, give consent. Registrations with the Privacy Commission are required in certain cases. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring e-mail and internet use and use of cameras at the workplace. Since May 2018, Belgium has been subject to the General Data Protection Regulation (GDPR), which has introduced significant new obligations and onerous sanctions for employers.
FINLAND: Employees must usually be notified about personal data processing and give consent to this when necessary. Only necessary data may be processed. Special rules apply to data transfers outside of the EEA. There are significant restrictions on monitoring e-mail and internet use. From May 2018, Finland has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.
ITALY: Employees generally must be notified of personal data processing and give consent in certain cases. Special rules apply to data transfer outside the European Economic Area (EEA). It is impossible to control or monitor employees remotely with devices unless upon agreement with the works council or authorisation of the Labor Office, except the instruments used by the employee to carry out their work or to detect access or attendance. Since May 2018, Italy has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.
NORWAY: Notification to the employee is required. An obligation to notify the Data Inspectorate may apply. Significant restrictions on monitoring and control of employees. Special provisions apply for the transmission of data outside the EEA.
SPAIN: Spain is subject to the General Data Protection Regulation of the European Union (GDPR). The Spanish legislation that implements the GDPR is the Organic Law 3/2018 on data protection and guarantee of digital rights (Ley Orgánica 3/2018 de protección de datos y garantía de los derechos digitales). Employees must generally be notified of personal data processing (and, in certain cases, must give consent). Registration of databases with the Spanish Data Protection Commissioner (AEPD) is no longer required. Special rules apply to data transfers, even between companies belonging to the same group. Prior stringent restrictions on international data transfers, monitoring e-mail and internet use in the workplace, and video surveillance at work have been eased and aligned with the GDPR, although significant compliance requirements remain.
Sweden: The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), applicable since 25 May 2018, applies to the processing of employees’ personal data. The employer must ensure that the fundamental requirements for the processing of the employees’ personal data are fulfilled (e.g., personal data must be correct, adequate and relevant in relation to the purposes of the processing and may not be retained for a longer period than is necessary in light of the purposes of the processing); there must be a legal basis for the processing, such as performance of the employment agreement or consent; and the employee must receive adequate information regarding the processing. Special rules apply to data transfers outside the EEA. Sweden has also issued national laws and regulations in addition to the GDPR, including the Swedish Data Protection Act (2018:218) and the Data Protection Ordinance (2018:19) (the DPA). The DPA regulates general aspects of data protection where the GDPR allows (e.g., processing social security numbers and processing data pertaining to criminal offences. The DPA entered into force on 25 May 2018.
SWITZERLAND: In general, employees should be notified of any processing of their personal data – and, in certain cases, give consent. Registrations with the Federal Data Protection Commissioner are required in certain circumstances. Special rules apply to data transfers outside of Switzerland. There are significant restrictions on monitoring e-mail and internet use.
France: The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It applies to any processing of personal data within the EU. The GDPR implements new rights for data subjects, such as the right to access, data erasure, data portability and consent. Data processors/controllers process operations that require regular and systematic monitoring of data subjects on a large scale or special categories of data. A Data Protection Officer (DPO) must be appointed. Data transfers outside of the EU are subject to additional requirements. Significant restriction on monitoring internet and e-mail use even when on company’s IT device.
Germany: Covered by the EU-wide General Data Protection Regulation (Datenschutzgrundverordnung, or GDPR) entered into force in May 2018 and the complementing Federal Data Protection Act. Processing of personal data is generally unlawful except as listed by the Act and the General Data Protection Regulation, a works council agreement or free and individual consent. The appointment of data protection officers is required if more than nine individuals deal with electronically saved personal data. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring e-mail and internet use exist.
HUNGARY: Employers must balance their need to obtain, use, store and disclose information for effective management and business purposes with their employees’ right to privacy. The law distinguishes between “personal data” and “sensitive personal data.” Special rules apply for the transfer of personal data within and outside of the EEA. The National Authority for Data Protection and Freedom of Information is responsible for ensuring compliance and enforcing data protection. Since May 2018, Hungary has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.
Ireland: Since May 2018, Ireland has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. GDPR requires employers to identify a legal basis for their processing of personal data, and it is unlikely that a catch-all consent will enable the processing of employee data by an employer. Employers must ensure that they have GDPR-compliant documentation and that they are able to deal with the new rules on subject access requests. There continue to be significant restrictions on monitoring employees, including e-mail and internet use.
Romania: Employees must be informed of personal data processing (and, in certain limited cases, must give consent). Since May 2018, Romania has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. Under the GDPR, specific rules apply to any personal data transferred outside the European Economic Area to ensure that appropriate safeguards are provided for the transferred personal data and that enforceable data subject rights and effective legal remedies for data subjects are available. Monitoring of employees, including e-mail and internet use, may be performed under very specific circumstances, provided that the legal provisions which impose restrictions on interference with the protection of private life, data privacy and electronic communications are complied with.
Portugal: Since May 2018, Portugal is subject to the General Data Protection Regulation (GDPR). Under the GDPR (Law no. 58/2019), the local privacy law entered into force on 9 August 2019. Limitations to the use of consent within a working relationship and video surveillance were introduced by this law.
Ukraine: In most cases, the processing of personal data requires the consent of the respective data subject. However, employers are allowed to process an employee’s basic personal data without consent to the extent required to perform the employer’s statutory obligations (e.g., pay salary, perform statutory reporting, etc.). Processing of sensitive data (e.g., health status data, data related to religious beliefs, political views, etc.) is prohibited unless the individual provides explicit consent or there is a statutory ground for processing these categories of data. The processing of sensitive data requires notification to the Ukrainian Parliament Commissioner for Human Rights. Cross-border personal data transfers require documents such as an intercompany agreement on the transfer of data, etc., in addition to the data subject’s consent.
UK: As of the end of the transition period following the UK’s exit from the EU, the UK is subject to the UK GDPR and the Data Protection Act 2018, which impose significant obligations and onerous sanctions for employers. Under this regime, it is extremely difficult for employers to rely on consent to process employee data, and other legitimate grounds generally must be identified.
DENMARK: Employers must comply with the GDPR as of 25 May 2018 and the Danish Data Protection Act. Employees have the right to detailed information about the processing of their data. All information provided must be concise, transparent, easily accessible and in plain language. Employers must provide information on the legal basis for processing and, if the data is sensitive, which of the conditions for processing special categories of personal data on which the employer relies. The notice must also advise the employees of their rights under the GDPR.
Austria: Employees must be generally notified of personal data processing – and, in certain cases, must give consent. Strict rules apply to data transfer outside the EEA. Monitoring employees usually requires an agreement with the work counsel, if any, or an individual agreement with each employee. Since May 2018, Austria has been subject to the GDPR, which has introduced significant new obligations and onerous sanctions for employers.
NETHERLANDS: Employees generally must be notified of personal data processing and give consent in certain cases. Registrations with the Information Commissioner are required. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring e-mail and internet use. From May 2018, the country is subject to the GDPR, which introduces significant new obligations and onerous sanctions for employers. In general, the GDPR aims to empower individuals (including temporary employees, job applicants, contractors, trainees and other workers) with regard to controlling the use of their personal data and harmonising the data protection legislation across the EU.
New Zealand: The Privacy Act 2020 controls New Zealand data privacy and determines how employers collect, use, disclose, store and give access to “personal information.”
LUXEMBOURG: The GDPR is in force since 25 May 2018. It has been complemented by a law dated 1 August 2018. Since then, the processing of personal data is no longer subject to prior notification to/authorisation from the National Data Protection Commission (Commission Nationale pour la Protection des Données or CNPD). However, the processing of personal data for the purpose of supervising employees in the context of employment relationships may only be carried out by the employer under certain conditions. The employee’s consent does not legitimise the processing of data. Employees and the Staff Delegation/the Labor and Mines Inspectorate (Inspection du Travail et des Mines or ITM) must be notified of any personal data processing. Data subjects have the right to lodge a complaint with the CNPD.
Cybersecurity: how to maintain GDPR compliance?
Even with extremely high fines and stringent requirements, GDPR violations and data breaches have been skyrocketing across the world. In 2020, the overall increase of fraudulent activities has been detected, based on ACFE’s “Fraud in the Wake of COVID-19: Benchmarking Report“: 77% of survey participants have seen an increase in the overall level of fraud as of August, compared to 68% who had observed an increase in May. Earlier, we wrote how the COVID-19 crisis triggered fraudulent activities and what can businesses do to support anti-fraud movements in their organisations and to strengthen their immunity to fraud. However, cyber-attacks are on the rise – the survey by the gov.uk continues to show that cybersecurity breaches are a serious threat to all types of businesses and charities. 39% of businesses and 26% of charities reported having cybersecurity breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%). Find out how to protect your business from cyber breaches and how to maintain GDPR compliance here!