4 Major Guidelines of Data Protection Employee Rights
Organizations may receive personal data from job applicants who provide it voluntarily through a job application, either in response to a recruitment advertisement or otherwise. Data protection employee rights help you to understand your employment rights.
When an individual voluntarily provides his personal data to an organization in the form of a job application, he may be deemed to consent to the organization collecting, using and disclosing the personal data for the purpose of assessing his job application. If the individual is subsequently employed, it would be reasonable for the organization to continue to use the personal data provided by the individual in the job application form for the purpose of managing the employment relationship with the individual, if required.
How long can an organization keep the personal data of job applicants who are not hired?
After an organization has decided which job applicant to hire, the personal data that the organization had collected from the other job applicants should only be kept for as long as it is necessary for business or legal purposes. Organizations should note that job applicants have the right to obtain access and request corrections to their personal data held by the organization.
Can job applicants ask the organization to reveal how much information the organization has on them or find out why they were not selected?
Under the PDPA, individuals have the right to obtain access and request corrections to their personal data held by organizations. Upon request, the organization must also inform the individual of the ways in which the personal data had been used for the past year. Thus, organizations must reveal to a job applicant who requests it the personal data the organization has on them. There are, however, exceptions to this obligation to provide access to personal data, including several mandatory exceptions.
How long can organizations continue to hold personal data of former employees?
Section 25 of the PDPA requires an organization to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as the purpose for which that personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes.
Employee rights under GDPR have increased, and now employers based out of or doing some business in the EU must follow these guidelines in addition to existing privacy regulations in order to keep employees’ data secure at all times:
- Ask for expanded consent. In the past, employees were often required to sign companies’ non-disclosure agreements and employment contracts. Under GDPR, employee rights stipulate that giving companies consent to process employee data is only binding if it is “freely given, informed, specific and unambiguous,” and retrieved by clear affirmative action, according to HR Technologist. Additionally, it must use clear and simple language, needs to be “distinguishable from other matters” and must allow employees to withdraw their consent to the processing at any time.
- Demonstrate a need to access employee data. Companies need to give workers a valid reason for viewing their data. For example, employers need to look at employees’ sensitive information to issue their tax forms. In this circumstance, employers can justify their access to sensitive data since it’s required for tax purposes. Similarly, employers need to use employee data to record their sick days in order to ensure their payroll is correct.
- Process data if it’s in the employers’ immediate interest. Employers can process data when they have a valid reason, as long as it does not interfere with employees’ privacy. For example, they may track employees entering and exiting the building for safety purposes.
- Process personal data in special categories and criminal records only with consent or to fulfill legalities. Employers will only be allowed to access employee data from special categories, which include religious and political beliefs, ethnic origin, and trade union affiliations, under very specific conditions. An employer can only process such data if the employee gives consent, if it’s necessary to be compliant with employment rights and obligations, or if it’s for legal cases.
The exception relating to “managing or terminating an employment relationship” only applies when there is an employment relationship. Where an organization is collecting the personal data of individuals who are not its employees for a specific purpose, this specific exception would not apply. However, other exceptions may apply, for example where the organization is required under written law to collect personal data of such individuals in order to assess whether the qualifications of such individuals comply with regulatory requirements.